[
https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16516173#comment-16516173
]
Xiao Chen commented on HDFS-13682:
----------------------------------
Thanks for taking a look Wei-Chiu.
Could you clarify the fist comment? Are you suggesting to replace the checks
with {{shouldRelogin}}?
bq. Would this cause confusion in enforcing KMS access control? ... after the
patch, KMS would only see the request coming from hdfs user.
loginuser is the branch-2 behavior as well. So this patch is to bring the old
behavior back (the dirty.repro on branch-2 shows this)
>From API perspective, it feels to me the hdfs superuser that creates the zone
>only needs hdfs privilege (to reach NN). The getMetadata call from NN to KMS
>isn't returned to the caller.
bq. externally managed subjects
Can we create a follow-on to HADOOP-9747 to investigate this?
> Cannot create encryption zone after KMS auth token expires
> ----------------------------------------------------------
>
> Key: HDFS-13682
> URL: https://issues.apache.org/jira/browse/HDFS-13682
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption, namenode
> Affects Versions: 3.0.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Critical
> Attachments: HDFS-13682.01.patch,
> HDFS-13682.dirty.repro.branch-2.patch, HDFS-13682.dirty.repro.patch
>
>
> Our internal testing reported this behavior recently.
> {noformat}
> [root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt
> /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
> [root@nightly6x-1 ~]# sudo -u hdfs klist
> Ticket cache: FILE:/tmp/krb5cc_994
> Default principal: [email protected]
> Valid starting Expires Service principal
> 06/12/2018 03:24:09 07/12/2018 03:24:09
> krbtgt/[email protected]
> [root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77
> -path /user/systest/ez
> RemoteException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to find
> any Kerberos tgt)
> {noformat}
> Upon further investigation, it's due to the KMS client (cached in HDFS NN)
> cannot authenticate with the server after the authentication token (which is
> cached by KMSCP) expires, even if the HDFS client RPC has valid kerberos
> credentials.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
