hadoop-common-issues mailing list archives

From "Antony Jay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14104) Client should always ask namenode for kms provider path.
Date Mon, 02 Jul 2018 03:00:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16529346#comment-16529346 ]

Antony Jay commented on HADOOP-14104:
-------------------------------------

Great work!
Sharing an issue we have which is likely an unintended side-effect of this change.
We do a hdfs distcp of ./reserved/raw from source cluster to destination cluster. The source
cluster doesn't have access to destination KMS and it doesn't need that access since it is a
copy of raw bytes with xattributes.
However, after uptaking this change, during copy, source cluster finds that there's a kms configured
at the destination cluster from destination cluster namenode and tries to contact the remote
KMS to get delegation token, generating encrypted key etc. In our case contact to KMS fails
and distcp fails.

> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>            Priority: Major
>             Fix For: 2.9.0, 3.0.0-alpha4, 2.8.2
>
>         Attachments: HADOOP-14104-branch-2.8.patch, HADOOP-14104-branch-2.patch, HADOOP-14104-trunk-v1.patch, HADOOP-14104-trunk-v2.patch, HADOOP-14104-trunk-v3.patch, HADOOP-14104-trunk-v4.patch, HADOOP-14104-trunk-v5.patch, HADOOP-14104-trunk.patch
>
>
> According to current implementation of kms provider in client conf, there can only be one kms.
> In multi-cluster environment, if a client is reading encrypted data from multiple clusters it will only get kms token for local cluster.
> Not sure whether the target version is correct or not.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

