[ 
https://issues.apache.org/jira/browse/HDFS-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175101#comment-14175101
 ] 

Yi Liu commented on HDFS-7256:
------------------------------

Thanks [~xyao] for trying this. Responses to your comments:

*1.*  I think you are using the Java JCE crypto codec (if OpenSSL is not 
configured or is an incorrect version, JCE will be used). By default, JCE only 
supports 128 bits; if you want to use 256 bits, you need to download an 
additional thing from Oracle.

*2.* Ideally {{hadoop.security.key.provider.path}} is better in 
_CommonConfigurationKeysPublic_; it was committed early and we did not modify 
it later.

*3.* You are talking about *rename* which is not allowed between EZs with 
different EZ-keys or from EZ to non-EZ directly, but {{cp}} is allowed.

> Encryption Key created in Java Key Store after Namenode start unavailable for 
> EZ Creation 
> ------------------------------------------------------------------------------------------
>
>                 Key: HDFS-7256
>                 URL: https://issues.apache.org/jira/browse/HDFS-7256
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, security
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>
> Hit an error on "RemoteException: Key ezkey1 doesn't exist." when creating EZ 
> with a Key created after NN starts.
> Briefly checked the code and found that the KeyProvider is loaded by FSN only 
> at the NN start. My workaround is to restart the NN, which triggers the 
> reload of the Key Provider. Is this expected?
> Repro Steps:
> Create a new Key after NN and KMS starts
> hadoop/bin/hadoop key create ezkey1 -size 256 -provider 
> jceks://file/home/hadoop/kms.keystore
> List Keys
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hadoop key list -provider 
> jceks://file/home/hadoop/kms.keystore -metadata
> Listing keys for KeyProvider: jceks://file/home/hadoop/kms.keystore
> ezkey1 : cipher: AES/CTR/NoPadding, length: 256, description: null, created: 
> Thu Oct 16 18:51:30 EDT 2014, version: 1, attributes: null
> key2 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: 
> Tue Oct 14 19:44:09 EDT 2014, version: 1, attributes: null
> key1 : cipher: AES/CTR/NoPadding, length: 128, description: null, created: 
> Tue Oct 14 17:52:36 EDT 2014, version: 1, attributes: null
> Create Encryption Zone
> hadoop/bin/hdfs dfs -mkdir /Ez1
> hadoop@SaturnVm:~/deploy$ hadoop/bin/hdfs crypto -createZone -keyName ezkey1 
> -path /Ez1
> RemoteException: Key ezkey1 doesn't exist.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
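
Point 1 of the comment above concerns the key length the JCE codec will accept. The following is an added example, not code from the comment or from Hadoop: it checks which AES key sizes the running JVM's JCE policy permits for AES/CTR/NoPadding, the cipher shown in the key listing. The class name JceKeyLengthCheck and the all-zero key and IV are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

// Added example (hypothetical class name): reports which AES key sizes this
// JVM's JCE policy permits for the cipher used by the keys in the listing.
public class JceKeyLengthCheck {
    static final String TRANSFORMATION = "AES/CTR/NoPadding";

    // Tries to initialise the cipher with a key of the given size.
    // The all-zero key and IV are constructed test values, not real secrets.
    static boolean usable(int bits) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, iv);
            return true;
        } catch (InvalidKeyException e) {
            // Raised when the key is longer than the installed policy allows.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Integer.MAX_VALUE means the unlimited-strength policy is in effect.
        int max = Cipher.getMaxAllowedKeyLength(TRANSFORMATION);
        System.out.println("Policy limit for " + TRANSFORMATION + ": "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + ": "
                    + (usable(bits) ? "usable" : "rejected by JCE policy"));
        }
    }
}
```

Run it with the same JRE that the Hadoop processes use, since the policy limit is a property of that JRE installation.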
