In secure mode, Ozone issues tokens to authorize each block (and container) access. Each token is signed by Ozone (OM or SCM) using its RSA private keys and verified by datanodes using a public key and certificate. With the RSA private key size of 2048, the sign operation is very costly and contributes more than 80% to the latency of read/write operations in Ozone Manager.
This feature branch contains the implementation to replace RSA token signing with symmetric keys and thus greatly boosts OM performance.
Epic Jira:
1. builds/intermittent test failures
The feature branch has introduced no additional flaky tests.
2. documentation
The documentation for this change is added by
.3. design, attached the docs
Design document can be found here (can be found in the epic JIRA).
4. s3 compatibility
This feature branch doesn't break any S3 feature.
5. docker-compose / acceptance tests
Block/container tokens are already tested well by the existing acceptance tests.
6. support of containers / Kubernetes:
No addition yet.
7. coverage/code quality:
Master and HDDS-7733-Symmetric-Tokens
8. build time
To be added.
9. possible incompatible changes/used feature flag:
There is no incompatible changes introduced with this feature.
10. third party dependencies/licence changes:
No new dependency is added.
11. performance
Performance improvements are documented by
12. security considerations
To be added.