[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17383287#comment-17383287 ] Hadoop QA commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Logfile || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s{color} | {color:blue}{color} | {color:blue} Docker mode activated. {color} | | {color:red}-1{color} | {color:red} patch {color} | {color:red} 0m 11s{color} | {color:red}{color} | {color:red} HDFS-13697 does not apply to trunk. Rebase required? Wrong Branch? See https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute for help. {color} | \\ \\ || Subsystem || Report/Notes || | JIRA Issue | HDFS-13697 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12939137/HDFS-13697.12.patch | | Console output | https://ci-hadoop.apache.org/job/PreCommit-HDFS-Build/685/console | | versions | git=2.17.1 | | Powered by | Apache Yetus 0.13.0-SNAPSHOT https://yetus.apache.org | This message was automatically generated. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17383223#comment-17383223 ] Akira Ajisaka commented on HDFS-13697: -- We recently hit this issue while experimenting Hadoop KMS. Hi [~zvenczel], what is this issue going on? > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:205) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16646073#comment-16646073 ] Zsolt Venczel commented on HDFS-13697: -- Thanks a lot [~daryn] for your reply! Just a quick note: {quote}3. If all tests are passing, the patch is flawed. I recall the tests codified bugs.{quote} I took a look at the flawed tests and fixed them as far as I can tell. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:205) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16645590#comment-16645590 ] Daryn Sharp commented on HDFS-13697: Let me dig out my interrupted patch because the posted patch has a few fatal flaws. # There must be no conditionals regarding the stored ugi. The current user is the current user, regardless of token, and it's never the login user. # It's also not performing the entire request inside the correct doAs context. All processing must be within the doAs or unexpected authentication may happen with the wrong identity. # If all tests are passing, the patch is flawed. I recall the tests codified bugs. I'm glad you noted HADOOP-10771. I ripped auth url out of webhdfs after it caused never ending auth issues. I documented the auth url issues years ago but bowed to offline pressure to allow that completely broken atrocity to be integrated because "it wouldn't affect me" and I was needed by some critical feature – turned out to be the KMS and did affect me... Anyway, I don't think everything can be fixed at once, but the kms client needs to be done correctly. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16644131#comment-16644131 ] Xiao Chen commented on HDFS-13697: -- I had some more discussions with Zsolt about this jira. Our impression is that the fix here is making KMS stuff better, without worsening the DelegationTokenAuthenticatedURL issue Daryn mentioned. Zsolt also mentioned about testing this in test clusters with downstream before. [~zvenczel], could you comment on what downstream scenarios you have tested? We probably need [~xyao]'s help on reviewing if any HDP usages fall out of that coverage. But assuming the above goes well, it seems reasonable to move this forward unless [~daryn] strongly objects. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16612575#comment-16612575 ] Xiao Chen commented on HDFS-13697: -- Thanks for the update [~daryn]. As far as I can find, there were similar discussions initially on HADOOP-10771 / HADOOP-10880. I agree it's a day0 issue that's rather fundamental in authentication, and more difficult to fix. However, it seems to be a somewhat separate problem than what we are tackling so far. The existing code seems to have met requirement from all use cases so far, except the oozie one [~zvenczel] reported here. I believe Zsolt is setting up a cluster with the latest patch, to test the various cases to be sure. Assuming that goes well, would you be ok with this jira focusing on the kms client cache issue, and having another jira focusing on the hadoop-auth family improvements (which presumably impacts kms, httpfs, and maybe oozie)? I may not fully understand your intention, and the fix may turn out to be easy enough to come in this together, please help elaborate if that's the case. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16612380#comment-16612380 ] Daryn Sharp commented on HDFS-13697: Delayed because DelegationTokenAuthenticatedURL is fundamentally flawed. It's not really proxy aware other than the doAs query param. Both selecting a token and authenticating (either via the built-in spnego or the kerberos authenticator) is using the current user. This is incompatible with proxy users because the token is supposed to come from the current user and authentication is via the real user. Since auth url requires doAs real user to authenticate it has no access to the proxied user's credentials. So even if a delegation token is present in a proxy user ugi, it's ignored and authenticates via the real user. It "works" in something like a job because although the job may have been submitted in a proxy user context, the job's ugi is a "normal" remote user that contains a token. Since there's no real user, it uses the current user and finds the token. There appears to be no test coverage. Trying to find a simple/compatible/secure fix... > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16610908#comment-16610908 ] Daryn Sharp commented on HDFS-13697: The fix is a little more involved. DT auth url needs to look in the actual ugi for tokens, and the entire end-to-end handling of the requests needs to be in the doAs since HttpURLConnection may internally attempt retries. I should have my aforementioned patch up for consideration this afternoon. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16610349#comment-16610349 ] Zsolt Venczel commented on HDFS-13697: -- Above test failures should be unrelated as they are passing with the patch applied: {code} [INFO] --- maven-surefire-plugin:2.21.0:test (default-test) @ hadoop-hdfs --- [INFO] [INFO] --- [INFO] T E S T S [INFO] --- [INFO] Running org.apache.hadoop.hdfs.client.impl.TestBlockReaderLocal [INFO] Tests run: 38, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 36.834 s - in org.apache.hadoop.hdfs.client.impl.TestBlockReaderLocal [INFO] Running org.apache.hadoop.hdfs.server.datanode.TestDirectoryScanner [INFO] Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 115 s - in org.apache.hadoop.hdfs.server.datanode.TestDirectoryScanner [INFO] [INFO] Results: [INFO] [INFO] Tests run: 45, Failures: 0, Errors: 0, Skipped: 0 [INFO] {code} > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16609907#comment-16609907 ] Hadoop QA commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 23s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 18 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 23s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 19m 47s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 16m 48s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 24s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 5m 29s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 21m 58s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 8m 16s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 4m 36s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 22s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 15s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 21m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 21m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 35s{color} | {color:green} root: The patch generated 0 new + 417 unchanged - 7 fixed = 417 total (was 424) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 5m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 12m 23s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 9m 30s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 4m 36s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 10m 54s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 24s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 41s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 97m 57s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 24s{color} | {color:green} hadoop-hdfs-httpfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 46s{color} | {color:green} hadoop-hdfs-nfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 44s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}260m 46s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hdfs.client.impl.TestBlockReaderLocal | |
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16609685#comment-16609685 ] Zsolt Venczel commented on HDFS-13697: -- In my latest patch I fixed the TestEncryptionZonesWithKMS failure. With the latest patch (11) all above, failed tests have passed: {code} [INFO] --- maven-surefire-plugin:2.21.0:test (default-test) @ hadoop-hdfs --- [INFO] [INFO] --- [INFO] T E S T S [INFO] --- [INFO] Running org.apache.hadoop.hdfs.web.TestWebHdfsTimeouts [INFO] Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.35 s - in org.apache.hadoop.hdfs.web.TestWebHdfsTimeouts [INFO] Running org.apache.hadoop.hdfs.TestRollingUpgrade [INFO] Tests run: 13, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 143.89 s - in org.apache.hadoop.hdfs.TestRollingUpgrade [INFO] Running org.apache.hadoop.hdfs.server.datanode.TestDataNodeVolumeFailure [INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 70.541 s - in org.apache.hadoop.hdfs.server.datanode.TestDataNodeVolumeFailure [INFO] Running org.apache.hadoop.hdfs.server.balancer.TestBalancer [INFO] Tests run: 33, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 366.403 s - in org.apache.hadoop.hdfs.server.balancer.TestBalancer [INFO] Running org.apache.hadoop.hdfs.TestEncryptionZonesWithKMS [INFO] Tests run: 45, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 129.862 s - in org.apache.hadoop.hdfs.TestEncryptionZonesWithKMS [INFO] [INFO] Results: [INFO] [INFO] Tests run: 117, Failures: 0, Errors: 0, Skipped: 0 [INFO] {code} > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.11.patch, > HDFS-13697.12.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16609503#comment-16609503 ] Hadoop QA commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 24s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 18 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 49s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 17m 22s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 14m 39s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 2m 57s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 5m 16s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 19m 48s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 7m 30s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 4m 7s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 18s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 13m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 13m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 2m 59s{color} | {color:green} root: The patch generated 0 new + 418 unchanged - 7 fixed = 418 total (was 425) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 5m 10s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 37s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 8m 20s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 4m 5s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 27s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 14s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 51s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}109m 25s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 38s{color} | {color:green} hadoop-hdfs-httpfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 57s{color} | {color:green} hadoop-hdfs-nfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 48s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}250m 24s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hdfs.server.balancer.TestBalancer | | |
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16609125#comment-16609125 ] Zsolt Venczel commented on HDFS-13697: -- Thank you so much [~xyao] for the review! Please find my answers below: {quote}Line 408: The KMSCP is used by both client (DFSClient) and server (NN). authMethod ==PROXY is not a reliable way to cover all the proxy user cases. We could change line 408-409 to if (UserGroupInformation.getCurrentUser().getRealUser()!=null) {quote} I updated this section in my latest patch (11) based on your suggestions. {quote}Line 412: authMethod=TOKEN case Do we use the login user even if the current UGI has KMS delegation token? {quote} With the current approach we use the login user only if the authMethod at construction time was TOKEN. The potential issue that popped-up for me could be HADOOP-13381 that as I can see, after getting rid of the KP cache should no longer be a problem. I'll try to double check it though. What do you think? {quote}Line 484: NIT: can we wrap this with getCachedUgi() similar to getDoAsUser() to make future change easier? {quote} I updated it as you suggested. {quote}TestEncryptionZones.java Line 1340-1341: can be replaced with DFSTestUtil.mockDFSClientKeyProvider {quote} This is a good catch, thanks! After updating DFSTestUtil.mockDFSClientKeyProvider to cope with this scenario (had to mock dfs.dfs as well) I could use it in additional scenarios also. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16606199#comment-16606199 ] Xiaoyu Yao commented on HDFS-13697: --- {quote}, could you see if the above dynamic ugi morph logic is required in downstream, like reported in HADOOP-13749? {quote} The original issue reported by HADOOP-13749 is mainly caused by the KP cache which mix match KP and DFSClient. With KP removed, I don't see the requirement for dynamic ugi. The patch v10 looks pretty good to me. Just a few comments: KMSClientProvider.java Line 408: The KMSCP is used by both client (DFSClient) and server (NN). authMethod ==PROXY is not a reliable way to cover all the proxy user cases. We could change line 408-409 to if (UserGroupInformation.getCurrentUser().getRealUser()!=null) Line 412: authMethod=TOKEN case Do we use the login user even if the current UGI has KMS delegation token? Line 484: NIT: can we wrap this with getCachedUgi() similar to getDoAsUser() to make future change easier? TestEncryptionZones.java Line 1340-1341: can be replaced with DFSTestUtil.mockDFSClientKeyProvider > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16604892#comment-16604892 ] Xiaoyu Yao commented on HDFS-13697: --- Thanks [~xiaochen] for the heads up. Looking at the patch now... > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:205) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:205) >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16602633#comment-16602633 ] Xiao Chen commented on HDFS-13697: -- I think the KMSCP code in patch 10 looks pretty close to what we wanted (not checked whether the conditional assignment in ctor is necessary, or how that can be simplified, or why we cannot directly use currentUgi which is the dfsclient behavior.). I'll do a more thorough code review soon, but [~xyao] please comment if you think this would be problematic. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16598669#comment-16598669 ] Zsolt Venczel commented on HDFS-13697: -- Thanks [~xiaochen] for pointing out that KMSClientProvider.createConnection still had morphing I removed with patch 10. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.10.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:205) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16596512#comment-16596512 ] Zsolt Venczel commented on HDFS-13697: -- Thanks [~daryn] for the investigation and explanation and thanks [~xiaochen] for the continuous work and discussion! In my latest patch (09) I addressed the following: * *KMSClientProvider* No more morphing... The doAsUser is calculated at construction time and that's it. * *TestKMS* Based on Xiao's findings I fixed the key provider creation in the doProxyUserTest function to correctly test key creation by proxy users. * *TestAclsEndToEnd* I think the main issue with this test suite was that it was using the mini cluster dfs client for all of its operations. As we stopped morphing the problem had surfaced therefore I refactored it to use a truly end-to-end approach by having a proper client and a proper, client side key provider. The fat part of the changes are due to introducing a service user that needed the appropriate ACLs for the various testing scenarios. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.09.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16595499#comment-16595499 ] Daryn Sharp commented on HDFS-13697: I whipped up a patch to retain identity and avoid the x509 thread leak. {{TestAclsEndToEnd}} is just plain broken for other reasons. Creating a EZ requires the NN getting the key's metadata which requires ACL access. The ACLs don't include hdfs but seemingly pass. Why? The kms client's bizarre ugi handing ensures that when used in the context of the NN, it will always auth to the KMS as the login user (hdfs superuser). Proxy users get interesting. Ie. "daryn" becomes "hdfs" to the kms and my identity is lost. "daryn via proxy" becomes "daryn via hdfs" and my identity retained. Huh? That's odd. Think about the ACLs again. Notice the tests don't start the mini cluster as the hdfs user – it's the user with proxy and ACL privs. Tests always use proxy users – propagates the user with ACL privs. Sets the login user to the proxy ugi before each call – makes the NN/KMS believe they are the caller. Tricks to make tests pass since the ACLs won't allow the NN to query metadata. Back to the inconsistency in how proxy + login user works. The NN should not pass through proxy users to the kms as proxy users. It should always make the request as itself. EZ is purported to ensure encrypted data is safe when the hdfs user is compromised. Ie. hdfs should only be able to verify key exists and request EDEKs. If you allow the hdfs user to proxy, well, you just granted decrypt privs. Game over. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16592036#comment-16592036 ] Daryn Sharp commented on HDFS-13697: {quote}If userA creates the KMSCP, then proxies as userB and calls the KMSCP method, our test case is expecting this to be coming from userB. I'm not sure if we should deem this as a test issue - anyone knows any downstream usage this way? {quote} I think that is a completely invalid test case. It smells like writing the test to match the bug. There is no security conscious use case where you want a client using the kms to retain its identity but let the kms morph. Just think if you were to hand off a client to another thread for processing. Why would morphing into the user of the other thread by desirable? {quote}if we want to strictly retain compatibility, we'd have to keep the morph here. {quote} Challenge: name another hadoop core client that behaves this way? I vote no on morphing. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16587762#comment-16587762 ] Xiao Chen commented on HDFS-13697: -- ping [~xyao] / [~jnp], could you see if the above dynamic ugi morph logic is required in downstream, like reported in HADOOP-13749? Also ping [~daryn] for a compat comment as well. As noted above, if we want to strictly retain compatibility, we'd have to keep the morph here. :( We can still cache the ugi at creation to be better, but no way the TestAclsEndtoEnd tests would pass without KMSCP morphing. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16580737#comment-16580737 ] Xiao Chen commented on HDFS-13697: -- Thanks for the hard work on this [~zvenczel]! bq. As these use cases are around for a while I'd expect them to be used widely and hard to avoid. What do you think? This is the part that's really head-scratching. On one hand I really think there should be no morphing, but OTOH the existing {{TestAclsEndToEnd}} to 'work'. If userA creates the KMSCP, then proxies as userB and calls the KMSCP method, our test case is expecting this to be coming from userB. I'm not sure if we should deem this as a test issue - anyone knows any downstream usage this way? [~daryn] [~xyao] what are your thoughts on this? I don't see any other code changes that can satisfy these cases without dynamically checking the ugi at method invocation time. So it seems there's no way for this to be 'compatible' and satisfy the 'just use the ugi at construction time', due to the historical morphing nature of the KMSCP... > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16578717#comment-16578717 ] Zsolt Venczel commented on HDFS-13697: -- Test failures seem to be unrelated, I could not reproduce locally with or without my commit: {code:java} [INFO] --- [INFO] T E S T S [INFO] --- [INFO] Running org.apache.hadoop.hdfs.TestReadStripedFileWithMissingBlocks [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 132.276 s - in org.apache.hadoop.hdfs.TestReadStripedFileWithMissingBlocks [INFO] Running org.apache.hadoop.hdfs.TestDFSStripedOutputStreamWithFailureWithRandomECPolicy [INFO] Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 54.574 s - in org.apache.hadoop.hdfs.TestDFSStripedOutputStreamWithFailureWithRandomECPolicy [INFO] Running org.apache.hadoop.hdfs.server.datanode.TestDirectoryScanner [INFO] Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 129.645 s - in org.apache.hadoop.hdfs.server.datanode.TestDirectoryScanner [INFO] Running org.apache.hadoop.tracing.TestTracing [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.591 s - in org.apache.hadoop.tracing.TestTracing [INFO] [INFO] Results: [INFO] [INFO] Tests run: 17, Failures: 0, Errors: 0, Skipped: 0 [INFO] {code} > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16578647#comment-16578647 ] genericqa commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 18s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 16 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 23s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 29m 57s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 32m 53s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 21s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 58s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 16m 29s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 7m 56s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 21s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 21s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 31m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 31m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 49s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 2s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 4s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 8m 32s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 23s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 10m 49s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 50s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}120m 26s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 5m 21s{color} | {color:green} hadoop-hdfs-httpfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 1s{color} | {color:green} hadoop-hdfs-nfs in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 48s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}299m 55s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.tracing.TestTracing | | | hadoop.hdfs.TestReadStripedFileWithMissingBlocks | | | hadoop.hdfs.TestDFSStripedOutputStreamWithFailureWithRandomECPolicy | | | hadoop.hdfs.server.datanode.TestDirectoryScanner | \\ \\ || Subsystem || Report/Notes ||
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16578191#comment-16578191 ] Zsolt Venczel commented on HDFS-13697: -- Hi [~xiaochen], Thanks a lot for working on this and providing your solution in the prelim patch. While investigating the proposal to cache the ugi and prevent morphing I came across the same set of failing tests your approach touched. The most interesting one is HDFS-9295 (full spectrum test by [~templedf]) in org.apache.hadoop.hdfs.TestAclsEndToEnd. This test suite does a test on all possible, expected variations about morphing and I found that the following tests are not compatible with the cached ugi approach: testGoodWithWhitelistWithoutBlacklist, testGoodWithKeyAcls, testGoodWithWhitelist, testGoodWithKeyAclsWithoutBlacklist As these use cases are around for a while I'd expect them to be used widely and hard to avoid. What do you think? I've uploaded a new patch (v08) where I factored out the keyProvider injection for the DFSClient to happen via Mockito only. Also reverted the TestKMS as you suggested leaving the HADOOP-13749 changes in. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.08.patch, > HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16571040#comment-16571040 ] genericqa commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 12s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 5 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 26m 2s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 43s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 24s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 19s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 15m 56s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 6m 28s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 20s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 18s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 26m 59s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 26m 59s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 4m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 2s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 0m 51s{color} | {color:red} hadoop-common-project/hadoop-auth generated 2 new + 0 unchanged - 0 fixed = 2 total (was 0) {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 44s{color} | {color:red} hadoop-common-project/hadoop-common generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0) {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 17s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 44s{color} | {color:green} hadoop-auth in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 8m 32s{color} | {color:red} hadoop-common in the patch failed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 3m 58s{color} | {color:red} hadoop-kms in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 45s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 76m 45s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 45s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}235m 32s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | FindBugs |
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16570874#comment-16570874 ] Xiao Chen commented on HDFS-13697: -- Thanks for the continued work and an offline discussion [~zvenczel]. As it turns out, this part may be better discussed with code than anything else. :) I updated a [^HDFS-13697.prelim.patch] which kinda shows what I'm getting at. (Only verified it can pass {{TestKMS}} and {{TestSecureEncryptionZoneWithKMS}}) The meta point is, we should no longer morph the UGI dynamically at method calls. {{testProxyUser}} fails with this, but with some debugging I think it's 2-folded: the test itself should create the provider within the doAs, otherwise it's all testing the 'clientUgi'. With the provider created, the test now fails with or without our change. Debugging into the authenticator, it's out from the {{ProxyUsers.authorize}} check inside {{DelegationTokenAuthenticationFilter#doFilter}}, and this becomes a test problem (which we should still look into). bq. I've reverted HADOOP-13749 and these lines were introduced by it. I'm not sure if it makes sense to set the login user even after the revert. What do you think? I think we should keep the change and not revert those lines, to make sure the test case HADOOP-13749 wanted to add still passes. bq. KeyProviderSupplier As clarified offline, my only concern is that currently we have {{keyProvider}} and {{keyProviderSuplier}} variables in DFSClient class, which is a code smell. Some mechanisms to make sure we only have one would be good. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch, HDFS-13697.07.patch, HDFS-13697.prelim.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16570472#comment-16570472 ] genericqa commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 5 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 20s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 26m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 42s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 23s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 46s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 15m 33s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 5m 54s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 54s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 27m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 2s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 19s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 6m 23s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 52s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 8s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 58s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 41s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 76m 16s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 46s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}226m 49s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hdfs.TestDFSStripedOutputStreamWithFailureWithRandomECPolicy | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:ba1ab08 | | JIRA Issue | HDFS-13697 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12934477/HDFS-13697.07.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16570178#comment-16570178 ] Zsolt Venczel commented on HDFS-13697: -- Thanks a lot [~xiaochen] for the support on this task. It's a challenging one indeed :) Please find my answers below: {quote}Ideally we want to do the same as DFSClient, where a ugi of {{UGI#getCurrentUser}} is just cached at construction time, and used for later auths. I tried that but it caused test failures in TestKMS with the {{doWebHDFSProxyUserTest}} tests and {{testTGTRenewal}} - for the sake of compatibility I think we can do something like this to allow the tests to pass. {code:java} // in KMSCP ctor ugi = UserGroupInformation.getCurrentUser().getRealUser() == null ? UserGroupInformation.getCurrentUser() : UserGroupInformation.getCurrentUser().getRealUser(); {code} [~daryn] [~xyao] [~jnp] what do you think? {quote} The tests are failing because with the above approach we are not supporting the scenario when the user component provides new entitlements for KMS interactions through a doAs call (eg. calls the 'createConnection' function implicitly having a proxy user provided in a doAs context). If we do want to be compatible, caching at construction time the UGI is not enough. {quote} We don't need cachedProxyUgi, and getDoAsUser can figure things out from the ugi cached if we do the above {quote} I was trying to introduce some clean code here by defining explicitly under what circumstances can we have a cachedProxyUgi and by this I also moved one computation to the constructor level instead of having many on the getDoAsUser level. Does this make sense? {quote} ugiToUse doesn't seem necessary {quote} I was trying to make the code more meaningful and also to support the above mentioned, proxy scenario we still need to check whether the current call (currentUgi) introduces any proxy ugi. {quote} Could you explain why the setLoginUser lines were removed in TestKMS? I'd like to make sure existing tests pass as-is, if possible. {quote} I've reverted HADOOP-13749 and these lines were introduced by it. I'm not sure if it makes sense to set the login user even after the revert. What do you think? {quote} the new com.google imports should be placed next to other existing imports of that module. {quote} Thanks for checking, I've fixed it in my latest patch. {quote} I would not call the KeyProvider variable testKeyProvider - it's used for all purposes. Just the VisibleForTesting annotation on setKeyProvider would be enough, which you already have. {quote} Yes, it makes sense, I've fixed it in my latest patch. On a long run I might refactor these test cases to use Mockito to reduce production code complexity. {quote} The new patch's KeyProviderSupplier#isKeyProviderCreated doesn't seem necessary. We can't prevent the caller calling getKeyProvider after calling close here from that check. (We probably can add a guard in DFSClient to prevent all API calls after close, but that's separate from this jira.) {quote} KeyProviderSupplier#isKeyProviderCreated is the only way to know for sure whether KeyProvider got instantiated or not. If we call keyProviderCache.get() in the close method we might end up with an unnecessary creation of a KeyProvider. I agree that we should take care of any post closure calls separately. {quote} Although callers seem to have check about nullity of the provider, if DFSClient failed to create a key provider, it's preferred to throw immediately. {quote} I was trying to reproduce the already available behavior present in the KeyProviderCache that had returned a null and had emitted warn level log messages. Should we change that? > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16567537#comment-16567537 ] Xiao Chen commented on HDFS-13697: -- Hi [~zvenczel], thanks for revving. I tried to explore a few options this week but still have only done a partial review. Posting here and looking forward to discuss this with you offline later when you're back from vacation. - Ideally we want to do the same as DFSClient, where a ugi of {{UGI#getCurrentUser}} is just cached at construction time, and used for later auths. I tried that but it caused test failures in TestKMS with the {{doWebHDFSProxyUserTest}} tests and {{testTGTRenewal}} - for the sake of compatibility I think we can do something like this to allow the tests to pass. {code} // in KMSCP ctor ugi = UserGroupInformation.getCurrentUser().getRealUser() == null ? UserGroupInformation.getCurrentUser() : UserGroupInformation.getCurrentUser().getRealUser(); {code} [~daryn] [~xyao] [~jnp] what do you think? Other smaller review comments: - We don't need {{cachedProxyUgi}}, and {{getDoAsUser}} can figure things out from the ugi cached if we do the above - {{ugiToUse}} doesn't seem necessary - Could you explain why the {{setLoginUser}} lines were removed in TestKMS? I'd like to make sure existing tests pass as-is, if possible. DFSClient: - thanks for the explanation above! Good to learn about the guava Suppliers. I think your previous patch was fine. I was hoping we don't have to cache the Supplier object in my last comment, but it simplifies the code so let's go with it. - the new com.google imports should be placed next to other existing imports of that module. - I would not call the KeyProvider variable {{testKeyProvider}} - it's used for all purposes. Just the {{VisibleForTesting}} annotation on {{setKeyProvider}} would be enough, which you already have. - The new patch's {{KeyProviderSupplier#isKeyProviderCreated}} doesn't seem necessary. We can't prevent the caller calling {{getKeyProvider}} after calling {{close}} here from that check. (We probably can add a guard in DFSClient to prevent all API calls after {{close}}, but that's separate from this jira.) - Although callers seem to have check about nullity of the provider, if DFSClient failed to create a key provider, it's preferred to throw immediately. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16563911#comment-16563911 ] Gabor Bota commented on HDFS-13697: --- Seems like test failure {{hadoop.hdfs.TestDFSClientRetries}} unrelated - tried it locally with the patch applied and it passes. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch, > HDFS-13697.06.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > at > org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:607) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:565) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:832) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:209) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:205) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:94) > at > org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:205) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16560874#comment-16560874 ] genericqa commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 5 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 19s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 25m 45s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 30s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 22s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 41s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 15m 10s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 5m 46s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 51s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m 47s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 26m 41s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 26m 41s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 23s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 40s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 1s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 2s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 12m 24s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 6m 15s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 50s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 25s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 58s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 39s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 76m 33s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 44s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}226m 16s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hdfs.TestDFSClientRetries | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:ba1ab08 | | JIRA Issue | HDFS-13697 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12933481/HDFS-13697.06.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle xml | | uname |
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16560799#comment-16560799 ] Zsolt Venczel commented on HDFS-13697: -- Thank you [~xiaochen] for doing the review, much appreciated! Please find my answers below: {quote} * Per our discussion, we should be just caching UGI#getCurrentUser() at ctor. * Because doAsUser depends on the UGI, I think it would also make sense to cache that String at ctor.{quote} In order to support proxy users and functionalities introduced by HADOOP-10698 the current user and the doAsUser string cannot be cached. HADOOP-10698 does an in flight calculation as well at line 385 that I was trying to consolidate in the getDoAsUser function to reuse logic. Also, this feature requirement is being double checked by TestKMS#testProxyUserKerb and TestKMS#testProxyUserSimple tests. Please let me know if I misunderstood the intentions in the code. {quote} * Do we really need the supplier? It seems for each client the keyprovider will only be created once. If so I'd suggest we avoid caching the Supplier here. * {code:java} public KeyProvider getKeyProvider() { return provider==null ? keyProviderSupplier.get() : provider; } {code} need to handle the race condition here that multiple threads calling this method may end up creating more than 1 provider. {quote} Suppliers#memoize caches the output (the KeyProvider instance in this case) of the supplier and not the supplier. Also does this in a thread safe way not to create more than 1 provider. {quote} * trivial, SafeModeAction changes are unrelated{quote} Thanks for checking I've removed it in the latest patch. {quote} can do a VisibleForTesting setKeyProvider method, so TestEncryptionZones and TestReservedRawPaths don't have to be modified. {quote} Thanks for the hint, it was a remnant of a revert commit. I updated the patch as you suggested. In the latest patch I added a check to close the keyProvider only if it was created and also made the test key provider more explicit by renaming it to "testKeyProvider". > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at >
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16560500#comment-16560500 ] Xiao Chen commented on HDFS-13697: -- Thanks [~zvenczel] for taking up this large piece of work! I think it's fair to leave the research work for future, as long as we manually test the case that motivated HDFS-7718 isn't a problem. Some comments from my review: - I like the fact we're respecting the lazy creation of keyprovider in DFSClient, nice work! *KMSCP*: - Per our discussion, we should be just caching UGI#getCurrentUser() at ctor. - Because doAsUser depends on the UGI, I think it would also make sense to cache that String at ctor. *DFSClient*: - Do we really need the supplier? It seems for each client the keyprovider will only be created once. If so I'd suggest we avoid caching the Supplier here. - {code} public KeyProvider getKeyProvider() { return provider==null ? keyProviderSupplier.get() : provider; } {code} need to handle the race condition here that multiple threads calling this method may end up creating more than 1 provider. - trivial, {{SafeModeAction}} changes are unrelated - can do a VisibleForTesting setKeyProvider method, so {{TestEncryptionZones}} and {{TestReservedRawPaths}} don't have to be modified. > DFSClient should instantiate and cache KMSClientProvider using UGI at > creation time for consistent UGI handling > --- > > Key: HDFS-13697 > URL: https://issues.apache.org/jira/browse/HDFS-13697 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Zsolt Venczel >Assignee: Zsolt Venczel >Priority: Major > Attachments: HDFS-13697.01.patch, HDFS-13697.02.patch, > HDFS-13697.03.patch, HDFS-13697.04.patch, HDFS-13697.05.patch > > > While calling KeyProviderCryptoExtension decryptEncryptedKey the call stack > might not have doAs privileged execution call (in the DFSClient for example). > This results in loosing the proxy user from UGI as UGI.getCurrentUser finds > no AccessControllerContext and does a re-login for the login user only. > This can cause the following for example: if we have set up the oozie user to > be entitled to perform actions on behalf of example_user but oozie is > forbidden to decrypt any EDEK (for security reasons), due to the above issue, > example_user entitlements are lost from UGI and the following error is > reported: > {code} > [0] > SERVER[xxx] USER[example_user] GROUP[-] TOKEN[] APP[Test_EAR] > JOB[0020905-180313191552532-oozie-oozi-W] > ACTION[0020905-180313191552532-oozie-oozi-W@polling_dir_path] Error starting > action [polling_dir_path]. ErrorType [ERROR], ErrorCode [FS014], Message > [FS014: User [oozie] is not authorized to perform [DECRYPT_EEK] on key with > ACL name [encrypted_key]!!] > org.apache.oozie.action.ActionExecutorException: FS014: User [oozie] is not > authorized to perform [DECRYPT_EEK] on key with ACL name [encrypted_key]!! > at > org.apache.oozie.action.ActionExecutor.convertExceptionHelper(ActionExecutor.java:463) > at > org.apache.oozie.action.ActionExecutor.convertException(ActionExecutor.java:441) > at > org.apache.oozie.action.hadoop.FsActionExecutor.touchz(FsActionExecutor.java:523) > at > org.apache.oozie.action.hadoop.FsActionExecutor.doOperations(FsActionExecutor.java:199) > at > org.apache.oozie.action.hadoop.FsActionExecutor.start(FsActionExecutor.java:563) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:232) > at > org.apache.oozie.command.wf.ActionStartXCommand.execute(ActionStartXCommand.java:63) > at org.apache.oozie.command.XCommand.call(XCommand.java:286) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:332) > at > org.apache.oozie.service.CallableQueueService$CompositeCallable.call(CallableQueueService.java:261) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > org.apache.oozie.service.CallableQueueService$CallableWrapper.run(CallableQueueService.java:179) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:744) > Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User > [oozie] is not authorized to perform [DECRYPT_EEK] on key with ACL name > [encrypted_key]!! > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at
[jira] [Commented] (HDFS-13697) DFSClient should instantiate and cache KMSClientProvider using UGI at creation time for consistent UGI handling
[ https://issues.apache.org/jira/browse/HDFS-13697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16560170#comment-16560170 ] genericqa commented on HDFS-13697: -- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 8 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 20s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 25m 13s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 28m 34s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 25s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 37s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 14m 10s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 5m 56s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 50s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 21s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m 43s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 27m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 3m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 2s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 43s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 6m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 3m 12s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 24s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 4m 11s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 49s{color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 99m 23s{color} | {color:red} hadoop-hdfs in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 50s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}249m 12s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hdfs.server.datanode.TestDataNodeVolumeFailure | | | hadoop.hdfs.tools.offlineImageViewer.TestOfflineImageViewer | | | hadoop.hdfs.TestHdfsAdmin | | | hadoop.hdfs.security.TestDelegationToken | | | hadoop.hdfs.web.TestWebHdfsTimeouts | | | hadoop.hdfs.server.namenode.ha.TestDelegationTokensWithHA | | | hadoop.hdfs.security.TestDelegationTokenForProxyUser | | |