[
https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174896#comment-14174896
]
Xiaoyu Yao commented on HDFS-7256:
----------------------------------
Thanks [~hitliuyi] again for the clarification. Three more follow-up questions:
1. KMS and Hadoop Key Shell allow creating keys of length > 128. But HDFS
seems to have a hard limitation of AES-CTS 128 only. Is this expected?
hadoop@hadoopdev:~/deploy$ hadoop/bin/hadoop key list -metadata
Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
key2 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 22:42:20 PDT 2014, version: 1, attributes: [key.acl.name=key2]
key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Thu Oct 16 14:28:53 PDT 2014, version: 1, attributes: null
hadoop@hadoopdev:~/deploy$ hadoop/bin/hdfs crypto -createZone -path /ez2 -keyName key2
RemoteException: java.util.concurrent.ExecutionException: java.io.IOException: java.io.IOException: java.util.concurrent.ExecutionException: java.io.IOException: java.security.InvalidKeyException: Illegal key size
2. Thanks for pointing me to 'hadoop.security.key.provider.path'. That's
exactly what I'm looking for. However, I did not find it, as it is hard-coded in
KeyProviderFactory.java, which is different from the other security configuration
keys in CommonConfigurationKeysPublic.java. If this key is targeted for public
usage, I would suggest putting it in CommonConfigurationKeysPublic.java and also
including it in the hadoop key shell help message.
3. The document mentioned that copying files between EZs with different EZ keys or
copying files from an EZ to a non-EZ directory is not allowed. But my test shows it
works completely fine. Is this explicitly blocked or just not recommended?
> Encryption Key created in Java Key Store after Namenode start unavailable for
> EZ Creation
> ------------------------------------------------------------------------------------------
>
> Key: HDFS-7256
> URL: https://issues.apache.org/jira/browse/HDFS-7256
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption, security
> Affects Versions: 2.6.0
> Reporter: Xiaoyu Yao
>
> Hit an error on "RemoteException: Key ezkey1 doesn't exist." when creating EZ
> with a Key created after NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only
> at the NN start. My workaround is to restart the NN, which triggers the
> reload of the Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS start
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1 -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.
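The "java.security.InvalidKeyException: Illegal key size" failure in question 1 is what javax.crypto's Cipher.init throws when the JVM's JCE jurisdiction policy caps AES at a shorter key than the one supplied. The probe below is an added example, not Hadoop code from this issue: it asks the running JVM for its AES key-length limit and then tries to initialise AES/CTR/NoPadding (the cipher reported by `hadoop key list -metadata`) with constructed all-zero keys of 128 and 256 bits, so you can tell whether a 256-bit EZ key would be rejected before creating the zone.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;

// Capability probe for the AES key lengths listed by 'hadoop key list -metadata'.
// Run it with the same JRE that runs the NameNode and the hdfs client, since the
// JCE policy is per-JVM installation.
public class AesKeyLengthCheck {

    // Returns true if this JVM initialises AES/CTR/NoPadding with a key of
    // keyBits bits, false if the JCE policy rejects it ("Illegal key size").
    public static boolean keyLengthUsable(int keyBits) throws Exception {
        // Constructed all-zero probe key: only used to exercise Cipher.init,
        // never to encrypt real data.
        byte[] probeKey = new byte[keyBits / 8];
        byte[] iv = new byte[16]; // AES block size; a zero IV is fine for a probe
        Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                        new SecretKeySpec(probeKey, "AES"),
                        new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Integer.MAX_VALUE here means the unlimited-strength policy is in effect.
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("JCE policy: max AES key length = " + maxBits + " bits");
        // 128 and 256 are the lengths reported for key1 and key2 in the issue.
        for (int bits : new int[] {128, 256}) {
            System.out.println("AES/CTR/NoPadding with " + bits + "-bit key: "
                + (keyLengthUsable(bits) ? "usable" : "rejected (Illegal key size)"));
        }
    }
}
```

If the 256-bit probe is rejected on the NameNode's JRE, a `createZone` with a 256-bit key will fail with the same exception regardless of what the KMS allowed at key creation.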
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)