hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13864) KMS should not require truststore password
Date Tue, 06 Dec 2016 01:38:58 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13864?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Xiao Chen updated HADOOP-13864:
-------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 3.0.0-alpha2
           Status: Resolved  (was: Patch Available)

Committed to trunk. Thanks [~yoderme] for the contribution, and [~andrew.wang] for offline
reviews!

> KMS should not require truststore password
> ------------------------------------------
>
>                 Key: HADOOP-13864
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13864
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms, security
>            Reporter: Mike Yoder
>            Assignee: Mike Yoder
>             Fix For: 3.0.0-alpha2
>
>         Attachments: HADOOP-13864.000.patch
>
>
> Trust store passwords are actually not required for read operations. They're only needed
for writing to the trust store; in reads they serve as an integrity check. Normal hadoop sslclient.xml
files don't require the truststore password, but when the KMS is used it's required. 
> If I don't specify a hadoop trust store password I get:
> {noformat}
> Failed to start namenode.
> java.io.IOException: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password'
has not been set in the ssl configuration file.
> 	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428)
> 	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333)
> 	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324)
> 	at org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95)
> 	at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65)
> 	at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920)
> 	at org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934)
> 	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811)
> 	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616)
> Caused by: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password'
has not been set in the ssl configuration file.
> 	at org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199)
> 	at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131)
> 	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426)
> 	... 14 more
> {noformat}
> Note that this _does not_ happen to the namenode when the kms isn't in use.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message