Xiao Chen created HDFS-13682:
--------------------------------
Summary: Cannot create encryption zone after KMS auth token expires
Key: HDFS-13682
URL: https://issues.apache.org/jira/browse/HDFS-13682
Project: Hadoop HDFS
Issue Type: Bug
Components: encryption, namenode
Affects Versions: 3.0.0
Reporter: Xiao Chen
Assignee: Xiao Chen
Attachments: HDFS-13682.dirty.repro.patch
Our internal testing reported this behavior recently.
{noformat}
[root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
[root@nightly6x-1 ~]# sudo -u hdfs klist
Ticket cache: FILE:/tmp/krb5cc_994
Default principal: [email protected]
Valid starting       Expires              Service principal
06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/[email protected]
[root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{noformat}
Upon further investigation, this happens because the KMS client (cached in HDFS NN)
cannot authenticate with the server after the authentication token (which is
cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos
credentials.