[jira] [Resolved] (HADOOP-19639) SecretManager configuration at runtime

Fri, 01 Aug 2025 19:40:08 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-19639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shilun Fan resolved HADOOP-19639.
---------------------------------
    Resolution: Fixed

> SecretManager configuration at runtime
> --------------------------------------
>
>                 Key: HADOOP-19639
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19639
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: hadoop-common
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>
> In case of TEZ *DAGAppMaster* the Hadoop *SecretManager* code can not read 
> yarn config xml file, therefore the SELECTED_ALGORITHM and SELECTED_LENGTH 
> variables in SecretManager can not be set at runtime.
> This can results with the following exception in FIPS environment:
> {code:java}
> java.security.InvalidParameterException: Key size for HMAC must be at least 
> 112 bits in approved mode: SHA-1/HMAC
>       at 
> com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.BaseKeyGenerator.engineInit(Unknown
>  Source)
>       at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:540)
>       at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:517)
>       at 
> org.apache.hadoop.security.token.SecretManager.<init>(SecretManager.java:157)
>       at 
> org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager.<init>(BaseClientToAMTokenSecretManager.java:38)
>       at 
> org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager.<init>(ClientToAMTokenSecretManager.java:46)
>       at 
> org.apache.tez.common.security.TezClientToAMTokenSecretManager.<init>(TezClientToAMTokenSecretManager.java:33)
>       at 
> org.apache.tez.dag.app.DAGAppMaster.serviceInit(DAGAppMaster.java:493)
>       at 
> org.apache.hadoop.service.AbstractService.init(AbstractService.java:164)
>       at org.apache.tez.dag.app.DAGAppMaster$9.run(DAGAppMaster.java:2649)
>       at java.base/java.security.AccessController.doPrivileged(Native Method)
>       at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
>       at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1910)
>       at 
> org.apache.tez.dag.app.DAGAppMaster.initAndStartAppMaster(DAGAppMaster.java:2646)
>       at org.apache.tez.dag.app.DAGAppMaster.main(DAGAppMaster.java:2440)
> {code}
> To mitigate the problem we should provide some ability for the component to 
> be able to modify the configuration without corresponding config files on 
> class path.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to