hadoop-hdfs-issues mailing list archives

From "Yi Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7256) Encryption Key created in Java Key Store after Namenode start unavailable for EZ Creation
Date Fri, 17 Oct 2014 07:20:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174804#comment-14174804 ]

Yi Liu commented on HDFS-7256:
------------------------------

Thanks [~xyao].
*For your question 1:*
Please don't specify {{hadoop.security.crypto.jce.provider}}; it's a JCE provider used for the
JCE CryptoCodec, not for the key provider URI.
So please configure in hdfs-site.xml
{code}
<property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@localhost:16000/kms</value>
</property>
{code}
And in kms-site.xml
{code}
<property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/home/hadoop/kms.keystore</value>
</property>
{code}

When you use the hadoop key shell, please specify
{code}
-provider kms://http@localhost:16000/kms
{code}
If you don't want to specify {{-provider}} every time, please configure in core-site.xml
{code}
<property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@localhost:16000/kms</value>
</property>
{code}

*For your question 2:*
For the warning, do you see it in the KMS log?
If so, it's only a warning and doesn't affect functionality. If Kerberos is *not* enabled, the
request sent to KMS is without a user the first time, but it fails and triggers authentication
again with the user name, and then it succeeds.
There was a bug (HADOOP-11151) to let the request carry a user name the first time
in non-secured mode; let me check in latest trunk whether it's fixed, and if not, I can fix that.

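As an added example (not from this JIRA thread and not Hadoop project code), here is a small Python checker that parses hdfs-site.xml, core-site.xml and kms-site.xml and flags the mix-ups discussed in the comment: a key provider URI placed in {{hadoop.security.crypto.jce.provider}}, a NameNode provider that is not a kms:// URI, a key-shell default that differs from the NameNode's provider, and a client pointed straight at the file-based keystore that backs KMS. The embedded configuration documents are constructed samples; the "good" set mirrors the values recommended above and the "bad" set mirrors the reporter's jceks:// usage.

```python
"""Consistency check for Hadoop key-provider settings (added example, not project code)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample configs matching the comment's recommended values.
GOOD_HDFS_SITE = """<configuration>
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@localhost:16000/kms</value>
  </property>
</configuration>"""
GOOD_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@localhost:16000/kms</value>
  </property>
</configuration>"""
KMS_SITE = """<configuration>
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/home/hadoop/kms.keystore</value>
  </property>
</configuration>"""
# Constructed mis-configuration: the JCE provider key abused for a URI, and the
# client-side default pointed at the keystore file instead of at KMS.
BAD_HDFS_SITE = """<configuration>
  <property>
    <name>hadoop.security.crypto.jce.provider</name>
    <value>kms://http@localhost:16000/kms</value>
  </property>
</configuration>"""
BAD_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>jceks://file/home/hadoop/kms.keystore</value>
  </property>
</configuration>"""


def parse_hadoop_conf(xml_text):
    """Return {name: value} for every <property> in a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_key_provider_config(hdfs_site, core_site, kms_site):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    nn_uri = hdfs_site.get("dfs.encryption.key.provider.uri", "")
    client_uri = core_site.get("hadoop.security.key.provider.path", "")
    backend_uri = kms_site.get("hadoop.kms.key.provider.uri", "")

    # 1. The NameNode must resolve encryption-zone keys through KMS.
    if not nn_uri:
        findings.append("hdfs-site.xml: dfs.encryption.key.provider.uri is not set")
    elif urlparse(nn_uri).scheme != "kms":
        findings.append(f"hdfs-site.xml: dfs.encryption.key.provider.uri '{nn_uri}' is not a kms:// URI")

    # 2. The key shell's default provider must be the one the NameNode uses.
    if client_uri and client_uri != nn_uri:
        findings.append(f"core-site.xml: hadoop.security.key.provider.path '{client_uri}' "
                        f"differs from the NameNode provider '{nn_uri or '<unset>'}'")

    # 3. hadoop.security.crypto.jce.provider names a JCE provider class, never a key store URI.
    for fname, conf in (("hdfs-site.xml", hdfs_site), ("core-site.xml", core_site)):
        jce = conf.get("hadoop.security.crypto.jce.provider", "")
        if "://" in jce:
            findings.append(f"{fname}: hadoop.security.crypto.jce.provider holds a URI ('{jce}'); "
                            "it names a JCE provider class, not a key provider")

    # 4. Clients must not write to the keystore file that backs KMS; keys created
    #    there go around KMS instead of through it.
    if backend_uri and client_uri and urlparse(client_uri).scheme != "kms":
        if urlparse(client_uri).path == urlparse(backend_uri).path:
            findings.append("core-site.xml: client provider points at the KMS backing keystore "
                            "file; keys created there bypass KMS")
    return findings


def check_samples():
    """Run the checker over both constructed sample sets."""
    kms = parse_hadoop_conf(KMS_SITE)
    good = check_key_provider_config(parse_hadoop_conf(GOOD_HDFS_SITE),
                                     parse_hadoop_conf(GOOD_CORE_SITE), kms)
    bad = check_key_provider_config(parse_hadoop_conf(BAD_HDFS_SITE),
                                    parse_hadoop_conf(BAD_CORE_SITE), kms)
    return good, bad


if __name__ == "__main__":
    good, bad = check_samples()
    print("recommended config:", good or "OK")
    for finding in bad:
        print("misconfigured:", finding)
```

To run it against a real deployment, replace the embedded strings with the contents of the three files from the Hadoop and KMS configuration directories; the checks themselves only depend on the property names shown in the comment.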
> Encryption Key created in Java Key Store after Namenode start unavailable for EZ Creation
> ------------------------------------------------------------------------------------------
>
>                 Key: HDFS-7256
>                 URL: https://issues.apache.org/jira/browse/HDFS-7256
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, security
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>
> Hit an error on "RemoteException: Key ezkey1 doesn't exist." when creating EZ with a Key created after NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only at the NN start. My workaround is to restart the NN, which triggers the reload of the Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS starts
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1 -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)