[jira] [Updated] (HADOOP-15473) Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997

[Xiao Chen (JIRA)]

     [ 
https://issues.apache.org/jira/browse/HADOOP-15473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiao Chen updated HADOOP-15473:
-------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 2.8.5
                   2.7.7
                   3.0.3
                   2.9.2
                   3.1.1
                   3.2.0
                   2.10.0
           Status: Resolved  (was: Patch Available)

Committed to trunk through branch-2.7.
Thanks Gabor for the reporting and fixing the issue, and all others for 
comments!

There were some minor conflicts in branch-2.9, and then branch-2.7. {{mvn clean 
test -Dtest=TestKeyProviderFactory}}'ed before pushing. Another thing I noticed 
is my env actually have envvar {{HADOOP_KEYSTORE_PASSWORD}} set, which failed 
{{TestKeyProviderFactory}}. We should improve the test to be independent of 
this, but that's clearly a separate jira.


> Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException 
> caused by JDK-8189997
> ----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-15473
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15473
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.6, 3.0.2
>         Environment: JDK 8u171
>            Reporter: Gabor Bota
>            Assignee: Gabor Bota
>            Priority: Critical
>             Fix For: 2.10.0, 3.2.0, 3.1.1, 2.9.2, 3.0.3, 2.7.7, 2.8.5
>
>         Attachments: HADOOP-15473.004.patch, HADOOP-15473.005.patch, 
> HADOOP-15473.006.patch, HDFS-13494.001.patch, HDFS-13494.002.patch, 
> HDFS-13494.003.patch, org.apache.hadoop.crypto.key.TestKeyProviderFactory.txt
>
>
> There is a new feature in JDK 8u171 called Enhanced KeyStore Mechanisms 
> (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997).
> This is the cause of the following errors in the TestKeyProviderFactory:
> {noformat}
> Caused by: java.security.UnrecoverableKeyException: Rejected by the 
> jceks.key.serialFilter or jdk.serialFilter property
>       at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
>       at 
> com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
>       at java.security.KeyStore.getKey(KeyStore.java:1023)
>       at 
> org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:410)
>       ... 28 more
> {noformat}
> This issue causes errors and failures in hbase tests right now (using hdfs) 
> and could affect other products running on this new Java version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org