[ 
https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174744#comment-14174744
 ] 

Xiaoyu Yao commented on HDFS-7256:
----------------------------------

Thanks [~hitliuyi] for the detailed explanation.  I configured my test 
environment based on HDFS-6134 proposal: 
https://issues.apache.org/jira/secure/attachment/12660368/HDFSDataatRestEncryption.pdf.
 
Can you point me to the link to the fs-encryption/KMS user doc if there is a different 
one?

I do have a KMS setup with JavaKeyStoreProvider pointing to the same java key 
store file. 
Based on your suggestion, I just switched to using 'kms://http@localhost:16000/kms' 
instead of the java key store file 
'jceks://file/home/hadoop/kms.keystore' directly for the 
'dfs.encryption.key.provider.uri' in hdfs-site.xml and 
'hadoop.security.crypto.jce.provider' in core-site.xml.

Below I have two follow-up questions when executing the 'hadoop key' 
command after the change. Can you confirm if these are expected or not?

1. Have to specify -provider explicitly even though 
hadoop.security.crypto.jce.provider='kms://http@localhost:16000/kms' is 
configured in core-site.xml.

hadoop@hadoopdev:~/deploy$ hadoop/bin/hadoop key list
There are no non-transient KeyProviders configured.
Use the -provider option to specify a provider. If you
want to list a transient provider then you must use the
-provider argument.

2. Keys are returned with -provider specified, but a WARN message is logged in 
kms.log on an anonymous request. My understanding is that KMS should proxy user 
'hadoop' based on the proxy user setting below. Am I missing anything?
 
hadoop@hadoopdev:~/deploy$ hadoop/bin/hadoop key list -provider 
kms://http@localhost:16000/kms
Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
key1

{code}
2014-10-16 22:08:38,386 WARN  AuthenticationFilter - Authentication exception: 
Anonymous requests are disallowed
org.apache.hadoop.security.authentication.client.AuthenticationException: 
Anonymous requests are disallowed
        at 
org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler.authenticate(PseudoAuthenticationHandler.java:184)
        at 
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:330)
        at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
        at 
org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:129)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
        at 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:745)
{/code}

The client runs with user 'hadoop'. The proxyuser and delegation token (using the 
default) are set up in kms-site.xml. 
  <!-- proxyuser configuration for user named:  hadoop-->
  <property>
    <name>hadoop.kms.proxyuser.hadoop.users</name>
    <value>*</value>
  </property> 
...

> Encryption Key created in Java Key Store after Namenode start unavailable for 
> EZ Creation 
> ------------------------------------------------------------------------------------------
>
>                 Key: HDFS-7256
>                 URL: https://issues.apache.org/jira/browse/HDFS-7256
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, security
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>
> Hit an error on "RemoteException: Key ezkey1 doesn't exist." when creating EZ 
> with a Key created after NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only 
> at the NN start. My workaround is to restart the NN, which triggers the 
> reload of the Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS start
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider 
> jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider 
> jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: 
> Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: 
> Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: 
> Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1 
> -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
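Added example (editor's configuration, not part of the JIRA thread or the Hadoop project files): the three configuration fragments that wire the 'hadoop key' CLI, the NameNode and the KMS together for the setup described in the comment above. Host, port, user name and keystore path are the ones used in the thread; the proxy-user hosts value is an assumption for a single-host test. Two details a practitioner should check against the comment: the property the 'hadoop key' command and the DFS client read for their default provider is hadoop.security.key.provider.path (hadoop.security.crypto.jce.provider names the JCE provider used by CryptoCodec, not a KeyProvider), and a KMS proxy-user entry needs a .hosts property alongside .users or the host check fails. Pointing the NameNode at KMS rather than at the jceks file also explains why the original report needed a NameNode restart: JavaKeyStoreProvider reads the keystore once when it is constructed, whereas KMSClientProvider asks the KMS server for key metadata on each lookup, so keys created after NameNode start are visible.

```xml
<!-- core-site.xml (client side: hadoop key, hdfs dfs, hdfs crypto) -->
<configuration>
  <!-- Default KeyProvider for the 'hadoop key' CLI and the DFS client.
       hadoop.security.crypto.jce.provider is a different setting (the JCE
       provider name for CryptoCodec) and is left at its default. -->
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@localhost:16000/kms</value>
  </property>
</configuration>

<!-- hdfs-site.xml (NameNode side) -->
<configuration>
  <!-- The NameNode builds its KeyProvider from this URI once at startup.
       With a kms:// URI, KMSClientProvider fetches key metadata from the
       KMS server, so keys created later with 'hadoop key create' are seen
       without restarting the NameNode. -->
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@localhost:16000/kms</value>
  </property>
</configuration>

<!-- kms-site.xml (KMS server) -->
<configuration>
  <!-- Backing store for the KMS itself. Only the KMS process should read or
       write this file; every client goes through the KMS REST API instead of
       opening the jceks file directly. -->
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/home/hadoop/kms.keystore</value>
  </property>
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>simple</value>
  </property>
  <!-- Proxy-user entry for 'hadoop'. Both .users (or .groups) and .hosts are
       needed; .hosts lists the machines allowed to impersonate and is an
       assumption here (single-host test, so loopback only). -->
  <property>
    <name>hadoop.kms.proxyuser.hadoop.users</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.kms.proxyuser.hadoop.hosts</name>
    <value>127.0.0.1</value>
  </property>
</configuration>
```

After restarting the KMS (sbin/kms.sh run) with this kms-site.xml, 'hadoop key create ezkey1 -size 256' picks up the provider from core-site.xml without -provider, and 'hdfs crypto -createZone -keyName ezkey1 -path /Ez1' succeeds on a NameNode that was started before the key existed. Keeping the proxy-user host list narrow matters because a proxy user can act as any account matched by .users; a wildcard in both properties lets any host that can reach the KMS impersonate any user.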
