[
https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16513083#comment-16513083
]
Xiao Chen commented on HDFS-13682:
----------------------------------
Updated a patch that reproduces this. One potential solution is to call the KMS
as the login user, because all these are hdfs superuser-only ops. Uncommenting
the changes in FSDirEncryptionZoneOp would pass the test. I propose in this
jira, we do this one for createZone.
This a passing in CDH5, and failing in CDH6. I automatically suspected
HADOOP-9747, but cannot blame on it for anything. :)
One difference I noticed is that, In CDH5 we don't have [these lines in
KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-3.0.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L272-L273],
which is added by HADOOP-11332. Not sure what's the correct solution here
regarding that, but if we do this as the login user, the check should pass and
no new subject need to be created.
[~daryn], may I ask for your thoughts here? Thanks for the time.
> Cannot create encryption zone after KMS auth token expires
> ----------------------------------------------------------
>
> Key: HDFS-13682
> URL: https://issues.apache.org/jira/browse/HDFS-13682
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption, namenode
> Affects Versions: 3.0.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Critical
> Attachments: HDFS-13682.dirty.repro.patch
>
>
> Our internal testing reported this behavior recently.
> {noformat}
> [root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt
> /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
> [root@nightly6x-1 ~]# sudo -u hdfs klist
> Ticket cache: FILE:/tmp/krb5cc_994
> Default principal: [email protected]
> Valid starting Expires Service principal
> 06/12/2018 03:24:09 07/12/2018 03:24:09
> krbtgt/[email protected]
> [root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77
> -path /user/systest/ez
> RemoteException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> {noformat}
> Upon further investigation, it's due to the KMS client (cached in HDFS NN)
> cannot authenticate with the server after the authentication token (which is
> cached by KMSCP) expires, even if the HDFS client RPC has valid kerberos
> credentials.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
