[
https://issues.apache.org/jira/browse/HDFS-12974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16313882#comment-16313882
]
Rushabh S Shah edited comment on HDFS-12974 at 1/5/18 10:31 PM:
----------------------------------------------------------------
Thanks [~zhenyi] for the updated patch.
bq. Don't think ValueQueue does any tricks to it - this is when creating the
zones, so should fail when getMetadata.
bq. <name>key.acl.key2.GENERATE_EEK</name>
IIUC the jira description, Fang has set the kms-acls for {{GENERATE_EEK}}
operation to mr.
{{getMetadata}} has its own set of acls which are separate from
{{GENERATE_EEK}} acls.
In {{FSDirEncryptionZoneOp#ensureKeyIsInitialized}} before returning it does
{{provider.warmUpEncryptedKeys(keyName)}} which in turn will fill the
{{KMSClientProvider#ValueQueue}} with EDEKs. I think it's failing there since
namenode user {{hdfs}} is not allowed to {{generateEdek}} via {{GENERATE_EEK}}
acls.
+StringUtils.java+
Also I don't understand why {{AuthorizationException}} overrides
{{printStackTrace}} methods.
I don't see any other exceptions overriding those methods.
Today {{StringUtils#stringifyException}} does {{e.printStackTrace(wrt)}}
[here|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/StringUtils.java#L89].
If we remove the overridden methods, then
{{Throwable#printStackTrace(PrintWriter)}} will do the right thing.
+TestEncryptionZones.java+
We can easily remove dozens of lines of code from the Test class.
I don't see the need for creating ExecutorService.
Just create new instance of {{EncryptionFaultInjector}} with
{{ensureKeyIsInitialized}} overridden.
was (Author: shahrs87):
Thanks [~zhenyi] for the updated patch.
bq. Don't think ValueQueue does any tricks to it - this is when creating the
zones, so should fail when getMetadata.
bq. <name>key.acl.key2.GENERATE_EEK</name>
IIUC the jira description, Fang has set the kms-acls for {{GENERATE_EEK}}
operation to mr.
{{getMetadata}} has its own set of acls which are separate from
{{GENERATE_EEK}} acls.
In {{FSDirEncryptionZoneOp#ensureKeyIsInitialized}} before returning it does
{{provider.warmUpEncryptedKeys(keyName)}} which in turn will fill the
{{KMSClientProvider#ValueQueue}} with EDEKs. I think it's failing there since
namenode user {{hdfs}} is not allowed to {{generateEdek}} via {{GENERATE_EEK}}
acls.
+StringUtils.java+
Also I don't understand why {{AuthorizationException}} overrides
{{printStackTrace}} methods.
I don't see any other exceptions overriding those methods.
If we remove the overridden methods, then
{{Throwable#printStackTrace(PrintWriter)}} will do the right thing.
+TestEncryptionZones.java+
We can easily remove dozens of lines of code from the Test class.
I don't see the need for creating ExecutorService.
Just create new instance of {{EncryptionFaultInjector}} with
{{ensureKeyIsInitialized}} overridden.
> Exception information can not be returned when I create transparent
> encryption zone.
> ------------------------------------------------------------------------------------
>
> Key: HDFS-12974
> URL: https://issues.apache.org/jira/browse/HDFS-12974
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption
> Affects Versions: 3.0.0
> Reporter: fang zhenyi
> Assignee: fang zhenyi
> Priority: Minor
> Attachments: HDFS-12974.001.patch, HDFS-12974.002.patch,
> HDFS-12974.003.patch, HDFS-12974.004.patch, HDFS-12974.005.patch
>
>
> When I add the following configuration to the kms-acl.xml file, I create
> encrypted space and I can not get any exception information.
> <property>
> <name>key.acl.key2.GENERATE_EEK</name>
> <value>mr</value>
> </property>
> root@fangzhenyi01:~# hdfs crypto -createZone -keyName key2 -path /zone
> 2018-01-02 10:41:44,632 WARN util.NativeCodeLoader: Unable to load
> native-hadoop library for your platform... using builtin-java classes where
> applicable
> RemoteException:
> root@fangzhenyi01:~#
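The {{StringUtils.java}} point in the comment above, as an added example that is not part of the original message or of the Hadoop code base: a helper that builds its text from {{e.printStackTrace(wrt)}} returns an empty string when the exception overrides the {{printStackTrace}} overloads to write nothing, which would leave a bare "RemoteException:" like the one in the report. The class names, the simplified {{stringify}} helper, the denial message, and the assumption that the overrides suppress output are all hypothetical.

```java
import java.io.PrintStream;
import java.io.PrintWriter;
import java.io.StringWriter;

public class SilentStackTraceDemo {

    // Hypothetical stand-in: an authorization exception whose printStackTrace
    // overloads are overridden to write nothing (assumed behaviour).
    static class QuietAuthzException extends Exception {
        QuietAuthzException(String msg) { super(msg); }
        @Override public void printStackTrace() { }
        @Override public void printStackTrace(PrintStream s) { }
        @Override public void printStackTrace(PrintWriter w) { }
    }

    // The same exception with the overrides removed, so the inherited
    // Throwable#printStackTrace(PrintWriter) is used.
    static class PlainAuthzException extends Exception {
        PlainAuthzException(String msg) { super(msg); }
    }

    // Simplified stand-in for a stringify helper that depends entirely on
    // e.printStackTrace(wrt), the call the comment points at.
    static String stringify(Throwable e) {
        StringWriter stm = new StringWriter();
        PrintWriter wrt = new PrintWriter(stm);
        e.printStackTrace(wrt);
        wrt.close();
        return stm.toString();
    }

    public static void main(String[] args) {
        // Constructed sample message, not real KMS output.
        String msg = "user hdfs is not allowed GENERATE_EEK on key2";

        String quiet = stringify(new QuietAuthzException(msg));
        String plain = stringify(new PlainAuthzException(msg));

        // With the overrides, the denial reason never reaches the caller.
        System.out.println("overridden: length=" + quiet.length());
        // Without them, the first line carries the class name and message.
        System.out.println("inherited : " + plain.split("\\R")[0]);

        if (!quiet.isEmpty() || !plain.contains(msg)) {
            throw new AssertionError("unexpected stringify result");
        }
    }
}
```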