[
https://issues.apache.org/jira/browse/HADOOP-16216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803924#comment-16803924
]
Steve Loughran commented on HADOOP-16216:
-----------------------------------------
* please add component, version of Hadoop this is affecting, change title so it
reflects the component
* edited your JIRA to remove potentially sensitive details like: hostnames,
kerberos, IPAddrs. Please don't share this stuff
> Cannot Delete Key with / in the key name
> ----------------------------------------
>
> Key: HADOOP-16216
> URL: https://issues.apache.org/jira/browse/HADOOP-16216
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Istvan Vajnorak
> Priority: Major
>
> Users can create keys with / in the path but eventually are unable to delete
> them due to the way the hadoop key command encodes URLs.
> Below are the steps to reproduce and the only way to get rid of such a key is
> to invoke the REST API directly.
> Please check if the hadoop key command's implementation can be changed to cater
> for this, or implement special character filtering to not allow such keys
> to be created.
> 1. Create a key with a / in its name:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key create my/key
> my/key has been successfully created with options
> Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null',
> attributes=null}.
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has
> been updated.
> {code}
> 2. List and ensure key is there:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
> my/key
> {code}
> 3. Try to delete with normal hadoop key command:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key delete my/key
> You are about to DELETE all versions of key my/key from KeyProvider
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451.
> Continue? (Y or N) y
> Deleting key: my/key from KeyProvider:
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
> 19/03/23 02:42:51 WARN security.UserGroupInformation:
> PriviledgedActionException as:hive/nightly514-1. [email protected]
> (auth:KERBEROS)
> cause:org.apache.hadoop.security.authentication.client.AuthenticationException:
> Authentication failed, URL: https://nightly514-1.
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message:
> Bad Request
> 19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at
> [https://nightly514-1. example.org:16000/kms/v1/] threw an IOException:
> java.io.IOException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> Authentication failed, URL: https://nightly514-1.
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message:
> Bad Request
> {code}
> 4. Delete it with curl directly:
> {code}
> [root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure
> -v "https://nightly514-1. example.org:16000/kms/v1/key/my/key"
> * About to connect() to nightly514-1. example.org port 16000 (#0)
> * Trying 192.168.1.1...
> * Connected to nightly514-1. example.org (192.168.1.1) port 16000 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> * subject: CN=nightly514-1. example.org,OU=Engineering,O=Example,L=San
> Francsico,ST=CA,C=US
> * start date: Mar 23 08:24:49 2019 GMT
> * expire date: Mar 22 08:24:49 2020 GMT
> * common name: nightly514-1. example.org
> * issuer: CN=Example Intermediate Test
> CA,OU=Engineering,O=Example,ST=CA,C=US
> > DELETE /kms/v1/key/my/key HTTP/1.1
> > Authorization: Negotiate
> ...
> > User-Agent: curl/7.29.0
> > Host: nightly514-1. example.org:16000
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> {code}
> 5. Listing to ensure the key is gone now:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list
> Listing keys for KeyProvider:
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
> hbase
> mapred
> hive
> systest
> hue
> solr
> {code}
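An audit of `hadoop key list` output for key names that would hit the delete failure reported above, as an added example that is not part of the original message or of Hadoop's code. It assumes the CLI percent-encodes the key name as a single path segment, as the logged URL (my%2Fkey) suggests; the function names, the sample listing and the "team key" entry are constructed for illustration.

```python
from urllib.parse import quote

KEY_RESOURCE = "/kms/v1/key/"  # resource prefix visible in the log above

def encoded_path(name):
    # Encode the name as one path segment, the form the failing request
    # in the log took (my/key -> my%2Fkey).
    return KEY_RESOURCE + quote(name, safe="")

def classify(name):
    """'slash': the failure reported in this issue; 'encoded': other
    characters that get percent-encoded (assumed risky, not shown in the
    issue); 'ok': the name is sent unchanged."""
    if "/" in name:
        return "slash"
    return "ok" if quote(name, safe="") == name else "encoded"

def parse_key_list(output):
    """Extract key names from `hadoop key list` output."""
    names, skip_next = [], False
    for line in output.splitlines():
        line = line.strip()
        if skip_next:            # provider name wrapped onto its own line
            skip_next = False
            continue
        if line.startswith("Listing keys for KeyProvider:"):
            skip_next = line.endswith(":")
            continue
        if line:
            names.append(line)
    return names

def audit(output):
    """Map each flagged key name to (classification, encoded path)."""
    return {n: (classify(n), encoded_path(n))
            for n in parse_key_list(output) if classify(n) != "ok"}

# Constructed sample listing in the layout shown in step 5 of the report.
SAMPLE = """Listing keys for KeyProvider:
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
hbase
my/key
hive
team key
"""

if __name__ == "__main__":
    for name, (kind, path) in audit(SAMPLE).items():
        print(f"{name!r}: {kind} -> {path}")
```

The same `classify` check can serve as the creation-time filter the reporter suggests, rejecting any name that does not classify as 'ok'.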