hadoop-common-issues mailing list archives

From "Ewan Higgs (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-15445) TestCryptoAdminCLI test failure when upgrading to JDK8 patch 171.
Date Thu, 03 May 2018 08:11:00 GMT
Ewan Higgs created HADOOP-15445:
-----------------------------------

             Summary: TestCryptoAdminCLI test failure when upgrading to JDK8 patch 171.
                 Key: HADOOP-15445
                 URL: https://issues.apache.org/jira/browse/HADOOP-15445
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Ewan Higgs


JDK8 patch 171 introduces a new feature:
{quote}
h3. New Features
security-libs/javax.crypto: *Enhanced KeyStore Mechanisms* (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997)
A new security property named {{jceks.key.serialFilter}} has been introduced. If this filter
is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key
object stored inside a SecretKeyEntry. If it is not configured or if the filter result is
UNDECIDED (for example, none of the patterns match), then the filter configured by {{jdk.serialFilter}}
is consulted.

If the system property {{jceks.key.serialFilter}} is also supplied, it supersedes the security
property value defined here.

The filter pattern uses the same format as {{jdk.serialFilter}}. The default pattern allows
{{java.lang.Enum}}, {{java.security.KeyRep}}, {{java.security.KeyRep$Type}}, and {{javax.crypto.spec.SecretKeySpec}}
but rejects all the others.

Customers storing a SecretKey that does not serialize to the above types must modify the filter
to make the key extractable.
{quote}
We believe this causes some test failures:

 
{quote}
java.io.IOException: Can't recover key for myKey from keystore file:/home/jenkins/workspace/hadoopFullBuild/hadoop-hdfs-project/hadoop-hdfs/target/test/data/53406117-0132-401e-a67d-6672f1b6a14a/test.jks
at org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:424)
at org.apache.hadoop.crypto.key.KeyProviderExtension.getMetadata(KeyProviderExtension.java:100)
at org.apache.hadoop.hdfs.server.namenode.FSDirEncryptionZoneOp.ensureKeyIsInitialized(FSDirEncryptionZoneOp.java:124)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.createEncryptionZone(FSNamesystem.java:7227)
at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.createEncryptionZone(NameNodeRpcServer.java:2082)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.createEncryptionZone(ClientNamenodeProtocolServerSideTranslatorPB.java:1524)
at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:523)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:991)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:869)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:815)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1965)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2675)
Caused by: java.security.UnrecoverableKeyException: Rejected by the jceks.key.serialFilter or jdk.serialFilter property
at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
at java.security.KeyStore.getKey(KeyStore.java:1023)
{quote}
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
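
Added example, not part of the original message and not Hadoop code: a standalone reproduction of the filter behaviour quoted from the release notes, using a constructed key class (JceksFilterDemo.CustomKey, a hypothetical name) that is not in the default allow-list. On a JDK that has jceks.key.serialFilter (8u171 or later), the first run is expected to report the same UnrecoverableKeyException as the trace above; the second run extends the default pattern with the one extra class instead of opening the filter up.

```java
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.SecretKey;

// Run 1 (default filter):
//   java JceksFilterDemo
// Run 2 (default allow-list plus the one custom class, everything else still rejected):
//   java '-Djceks.key.serialFilter=java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;JceksFilterDemo$CustomKey;!*' JceksFilterDemo
public class JceksFilterDemo {

    // Constructed key type: a SecretKey that does not serialize to
    // SecretKeySpec or KeyRep, i.e. the case the release notes warn about.
    static class CustomKey implements SecretKey {
        private static final long serialVersionUID = 1L;
        private final byte[] material;

        CustomKey(byte[] material) { this.material = material.clone(); }

        @Override public String getAlgorithm() { return "AES"; }
        @Override public String getFormat()    { return "RAW"; }
        @Override public byte[] getEncoded()   { return material.clone(); }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-password".toCharArray(); // sample value
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password); // start from an empty in-memory keystore

        // JCEKS seals the serialized key object inside a SecretKeyEntry.
        ks.setKeyEntry("myKey", new CustomKey(new byte[16]), password, null);

        System.out.println("system property jceks.key.serialFilter = "
                + System.getProperty("jceks.key.serialFilter"));
        try {
            // getKey() unseals the entry, which deserializes the stored object;
            // this is the point where the serial filter is applied.
            System.out.println("recovered: "
                    + ks.getKey("myKey", password).getClass().getName());
        } catch (UnrecoverableKeyException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The single quotes around the -D argument keep the shell from expanding the $ in the nested class names.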
