[
https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174804#comment-14174804
]
Yi Liu commented on HDFS-7256:
------------------------------
Thanks [~xyao].
*For your question 1:*
Please don't specify {{hadoop.security.crypto.jce.provider}}; it's a JCE
provider used for the JCE crypto codec, not for the key provider URI.
So please configure in hdfs-site.xml
{code}
<property>
<name>dfs.encryption.key.provider.uri</name>
<value>kms://http@localhost:16000/kms</value>
</property>
{code}
And in kms-site.xml
{code}
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>jceks://file@/home/hadoop/kms.keystore</value>
</property>
{code}
When you use hadoop key shell, please specify
{code}
-provider kms://http@localhost:16000/kms
{code}
If you don't want to specify {{-provider}} every time, please configure in
core-site.xml
{code}
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@localhost:16000/kms</value>
</property>
{code}
*For your question 2:*
For the warning, do you see it in the KMS log?
If so, it's a warning and doesn't affect functionality. If Kerberos is *not*
enabled, the request sent to KMS is without a user for the first time, but it
will fail and trigger authentication again with the user name, then it
succeeds.
There was once a bug (HADOOP-11151) to let the request have a user name the
first time in non-secured mode; let me check in latest trunk whether it's
fixed, and if not, I can fix that.
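The comment above separates three properties that are easy to mix up: the NN-side key provider URI, the KMS backing keystore, and the JCE provider setting that is not a key provider at all. The following checker is an added example (not code from the ticket or from Hadoop); it parses constructed hdfs-site.xml / kms-site.xml / core-site.xml fragments and flags the misconfiguration described in the comment. The property names and the kms:// and jceks:// schemes come from the comment; the sample values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample configs, modelled on the comment's snippets.
HDFS_SITE = """<configuration>
  <property><name>dfs.encryption.key.provider.uri</name>
            <value>kms://http@localhost:16000/kms</value></property>
</configuration>"""
KMS_SITE = """<configuration>
  <property><name>hadoop.kms.key.provider.uri</name>
            <value>jceks://file@/home/hadoop/kms.keystore</value></property>
</configuration>"""
# Constructed misconfiguration: the KMS URI placed in the JCE provider property.
BAD_CORE_SITE = """<configuration>
  <property><name>hadoop.security.crypto.jce.provider</name>
            <value>kms://http@localhost:16000/kms</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def check_key_provider(props, role):
    """Return findings for the NN/client side ('hdfs') or the KMS side ('kms')."""
    findings = []
    jce = props.get("hadoop.security.crypto.jce.provider", "")
    if "://" in jce:
        findings.append("hadoop.security.crypto.jce.provider holds a URI; "
                        "it names a JCE provider, not a key provider")
    if role == "hdfs":
        # The NN reads dfs.encryption.key.provider.uri; the key shell falls
        # back to hadoop.security.key.provider.path when -provider is omitted.
        uri = (props.get("dfs.encryption.key.provider.uri")
               or props.get("hadoop.security.key.provider.path", ""))
        if not uri:
            findings.append("no key provider URI configured for NN/key shell")
        elif urlparse(uri).scheme != "kms":
            findings.append(f"NN/client should point at KMS, got scheme "
                            f"{urlparse(uri).scheme!r}")
    else:
        uri = props.get("hadoop.kms.key.provider.uri", "")
        if urlparse(uri).scheme != "jceks":
            findings.append("KMS backing store should be a jceks:// keystore")
    return findings
```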
> Encryption Key created in Java Key Store after Namenode start unavailable for
> EZ Creation
> ------------------------------------------------------------------------------------------
>
> Key: HDFS-7256
> URL: https://issues.apache.org/jira/browse/HDFS-7256
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption, security
> Affects Versions: 2.6.0
> Reporter: Xiaoyu Yao
>
> Hit an error on "RemoteException: Key ezkey1 doesn't exist." when creating EZ
> with a Key created after NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only
> at the NN start. My work around is to restart the NN which triggers the
> reload of Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS start
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider
> jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider
> jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created:
> Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created:
> Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created:
> Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1
> -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)