hadoop-hdfs-issues mailing list archives

From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7256) Encryption Key created in Java Key Store after Namenode start unavailable for EZ Creation
Date Fri, 17 Oct 2014 09:45:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174896#comment-14174896 ]

Xiaoyu Yao commented on HDFS-7256:
----------------------------------

Thanks [~hitliuyi] again for the clarification. Three more follow-up questions:
1. KMS and the Hadoop Key Shell allow creating keys of length > 128, but HDFS seems to have a hard limitation of AES-CTS 128 only. Is this expected?

hadoop@hadoopdev:~/deploy$ hadoop/bin/hadoop key list -metadata

Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
key2 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 22:42:20 PDT 2014, version: 1, attributes: [key.acl.name=key2]
key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Thu Oct 16 14:28:53 PDT 2014, version: 1, attributes: null

hadoop@hadoopdev:~/deploy$ hadoop/bin/hdfs crypto -createZone -path /ez2 -keyName key2
RemoteException: java.util.concurrent.ExecutionException: java.io.IOException: java.io.IOException: java.util.concurrent.ExecutionException: java.io.IOException: java.security.InvalidKeyException: Illegal key size

2. Thanks for pointing me to 'hadoop.security.key.provider.path'. That's exactly what I'm looking for. However, I did not find it because it is hard-coded in KeyProviderFactory.java, which is different from the other security configuration keys in CommonConfigurationKeysPublic.java. If this key is targeted for public usage, I would suggest putting it in CommonConfigurationKeysPublic.java and also including it in the hadoop key shell help message.

3. The document mentions that copying a file between EZs with different EZ keys, or copying a file from an EZ to a non-EZ directory, is not allowed. But my test shows it works completely fine. Is this explicitly blocked or just not recommended?

> Encryption Key created in Java Key Store after Namenode start unavailable for EZ Creation
> ------------------------------------------------------------------------------------------
>
>                 Key: HDFS-7256
>                 URL: https://issues.apache.org/jira/browse/HDFS-7256
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, security
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>
> Hit an error, "RemoteException: Key ezkey1 doesn't exist.", when creating an EZ with a key created after the NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only at NN start. My workaround is to restart the NN, which triggers the reload of the Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS start
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1 -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.
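The two key listings in this thread show the failure mode in question 1: a 256-bit key is listed happily by the key shell, but `hdfs crypto -createZone` with that key fails with `InvalidKeyException: Illegal key size`, while the 128-bit keys work. The following added script (not part of this JIRA thread or of Hadoop) is an operator-side pre-check: it parses the exact `hadoop key list -metadata` output format shown above and flags any key whose cipher or length falls outside an allow-list, so a mismatch is caught before an encryption zone is created against it. The sample input is the listing from the comment above re-joined onto one line per record; the default allow-list of `{128}` and the cipher name `AES/CTR/NoPadding` are assumptions taken from what worked in these listings, not from Hadoop documentation, and should be set to whatever the deployment actually accepts.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample: the two records printed by `hadoop key list -metadata`
# in the comment above, with the archive's line wrapping undone.
SAMPLE_LISTING = """Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
key2 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 22:42:20 PDT 2014, version: 1, attributes: [key.acl.name=key2]
key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Thu Oct 16 14:28:53 PDT 2014, version: 1, attributes: null
"""

# One metadata record per line, in the field order the key shell prints.
# 'created' and 'description' are matched lazily because the timestamp
# contains spaces and the description is free text.
_RECORD = re.compile(
    r"^(?P<name>\S+) : cipher: (?P<cipher>[^,]+), length: (?P<length>\d+), "
    r"description: (?P<description>.*?), created: (?P<created>.*?), "
    r"version: (?P<version>\d+), attributes: (?P<attributes>.*)$"
)


def parse_key_listing(text: str) -> List[Dict[str, object]]:
    """Turn `hadoop key list -metadata` output into one dict per key.

    The 'Listing keys for KeyProvider' banner and blank lines are skipped;
    any other line that does not match the record layout raises, so a
    changed output format is noticed rather than silently ignored.
    """
    keys: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Listing keys for KeyProvider"):
            continue
        match = _RECORD.match(line)
        if match is None:
            raise ValueError(f"unrecognised key metadata line: {line!r}")
        record: Dict[str, object] = dict(match.groupdict())
        record["length"] = int(match.group("length"))
        record["version"] = int(match.group("version"))
        keys.append(record)
    return keys


def find_unusable_keys(
    keys: List[Dict[str, object]],
    allowed_lengths: FrozenSet[int] = frozenset({128}),  # assumption: what worked above
    cipher: str = "AES/CTR/NoPadding",                    # assumption: cipher shown above
) -> List[str]:
    """Return one human-readable finding per key that should not be used
    as an EZ key under the given policy. An empty list means all keys pass."""
    findings: List[str] = []
    for key in keys:
        if key["cipher"] != cipher:
            findings.append(f"{key['name']}: cipher {key['cipher']} is not {cipher}")
        elif key["length"] not in allowed_lengths:
            findings.append(
                f"{key['name']}: length {key['length']} not in {sorted(allowed_lengths)}"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_key_listing(SAMPLE_LISTING)
    for finding in find_unusable_keys(parsed):
        print("WARNING", finding)
```

Run against a live cluster by piping `hadoop/bin/hadoop key list -metadata` into `parse_key_listing` instead of the constructed sample; the `cipher` check comes first so a key with an unexpected algorithm is reported for that reason rather than for its length.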
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
