[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16994851#comment-16994851 ]

Nanda kumar commented on HDFS-13682:

This change is breaking externally managed subjects. Even if the {{currentUGI}} (which is managed externally) has access, we go ahead and return {{UserGroupInformation.getLoginUser()}} from {{KMSClientProvider#getActualUgi}}. When the {{LoginUser}} doesn't have access, we get "{{GSSException: No valid credentials provided}}". As UGI.shouldRelogin() depends on isHadoopLogin(), it will break externally managed subjects.

> Cannot create encryption zone after KMS auth token expires
> ----------------------------------------------------------
>
>                 Key: HDFS-13682
>                 URL: https://issues.apache.org/jira/browse/HDFS-13682
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, kms, namenode
>    Affects Versions: 3.0.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Critical
>             Fix For: 3.2.0, 3.1.1, 3.0.4
>         Attachments: HDFS-13682.01.patch, HDFS-13682.02.patch, HDFS-13682.03.patch, HDFS-13682.dirty.repro.branch-2.patch, HDFS-13682.dirty.repro.patch
>
>
> Our internal testing reported this behavior recently.
> {noformat}
> [root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
> [root@nightly6x-1 ~]# sudo -u hdfs klist
> Ticket cache: FILE:/tmp/krb5cc_994
> Default principal: h...@gce.cloudera.com
>
> Valid starting       Expires              Service principal
> 06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/gce.cloudera@gce.cloudera.com
> [root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
> RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> {noformat}
> Upon further investigation, it's because the KMS client (cached in HDFS NN) cannot authenticate with the server after the authentication token (which is cached by KMSCP) expires, even if the HDFS client RPC has valid kerberos credentials.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16521427#comment-16521427 ]

Hudson commented on HDFS-13682:

FAILURE: Integrated in Jenkins build Hadoop-precommit-ozone-acceptance #20 (See [https://builds.apache.org/job/Hadoop-precommit-ozone-acceptance/20/])
HDFS-13682. Cannot create encryption zone after KMS auth token expires. (xiao: [https://github.com/apache/hadoop/commit/32f867a6a907c05a312657139d295a92756d98ef])
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518718#comment-16518718 ]

Hudson commented on HDFS-13682:

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14457 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14457/])
HDFS-13682. Cannot create encryption zone after KMS auth token expires. (xiao: rev 32f867a6a907c05a312657139d295a92756d98ef)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518699#comment-16518699 ]

Xiao Chen commented on HDFS-13682:

Thanks a lot Wei-Chiu! Test failure is HDFS-13662, unrelated to this patch. Committing.
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518670#comment-16518670 ]

genericqa commented on HDFS-13682:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 33s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 1m 41s | Maven dependency ordering for branch |
| +1 | mvninstall | 27m 21s | trunk passed |
| +1 | compile | 29m 36s | trunk passed |
| +1 | checkstyle | 0m 23s | trunk passed |
| +1 | mvnsite | 2m 26s | trunk passed |
| +1 | shadedclient | 14m 14s | branch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 42s | trunk passed |
| +1 | javadoc | 1m 54s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 19s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 50s | the patch passed |
| +1 | compile | 28m 29s | the patch passed |
| +1 | javac | 28m 29s | the patch passed |
| +1 | checkstyle | 0m 24s | the patch passed |
| +1 | mvnsite | 2m 22s | the patch passed |
| +1 | whitespace | 0m 1s | The patch has no whitespace issues. |
| +1 | shadedclient | 11m 19s | patch has no errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 57s | the patch passed |
| +1 | javadoc | 1m 54s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 9m 17s | hadoop-common in the patch passed. |
| -1 | unit | 97m 46s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 0m 45s | The patch does not generate ASF License warnings. |
| | | 239m 22s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.hdfs.client.impl.TestBlockReaderLocal |

|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd |
| JIRA Issue | HDFS-13682 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12928520/HDFS-13682.03.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux 38b60da8f0c5 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:45:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 9a9e969 |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| findbugs | v3.1.0-RC1 |
| unit |
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518520#comment-16518520 ]

Wei-Chiu Chuang commented on HDFS-13682:

+1 pending Jenkins
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518444#comment-16518444 ]

Xiao Chen commented on HDFS-13682:

Thanks for the review and offline discussion [~jojochuang]! Actually my memory overflowed and we can use {{UGI#shouldRelogin}}. [^HDFS-13682.03.patch] uploaded.
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16518345#comment-16518345 ]

Wei-Chiu Chuang commented on HDFS-13682:

Thanks [~xiaochen]! Ok, I think the bug report & fix make sense. So it looks like the externally managed subjects are handled by HADOOP-9747. The shadedclient error doesn't seem related.

Could you consider renaming ugiCanRelogin to something like shouldUseLoginUser()? Somehow the name ugiCanRelogin confused me. +1 after that.
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16516709#comment-16516709 ]

genericqa commented on HDFS-13682:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 29s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 1m 56s | Maven dependency ordering for branch |
| +1 | mvninstall | 26m 54s | trunk passed |
| +1 | compile | 29m 36s | trunk passed |
| +1 | checkstyle | 0m 23s | trunk passed |
| +1 | mvnsite | 2m 25s | trunk passed |
| -1 | shadedclient | 5m 10s | branch has errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 44s | trunk passed |
| +1 | javadoc | 1m 55s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 18s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 50s | the patch passed |
| +1 | compile | 28m 26s | the patch passed |
| +1 | javac | 28m 26s | the patch passed |
| +1 | checkstyle | 0m 24s | the patch passed |
| +1 | mvnsite | 2m 22s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| -1 | shadedclient | 2m 14s | patch has errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 59s | the patch passed |
| +1 | javadoc | 1m 52s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 9m 15s | hadoop-common in the patch passed. |
| -1 | unit | 94m 33s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 0m 45s | The patch does not generate ASF License warnings. |
| | | 217m 37s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.hdfs.server.namenode.TestReencryptionWithKMS |
| | hadoop.hdfs.qjournal.server.TestJournalNodeSync |

|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd |
| JIRA Issue | HDFS-13682 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12928286/HDFS-13682.02.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux bbd5b16ce9bf 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:45:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / f386e78 |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| findbugs | v3.1.0-RC1 |
| unit |
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16516593#comment-16516593 ]

Xiao Chen commented on HDFS-13682:

Thanks for the clarification Wei-Chiu! Patch 2 refactored a bit to improve the if statement in {{KMSCP#getActualUgi}} with a dedicated method.

The external subject thing looks to be handled by HADOOP-9747, ok. There are some comments on the jira, and {{UGI#isHadoopLogin}} is the method that handles it.
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16516308#comment-16516308 ]

Wei-Chiu Chuang commented on HDFS-13682:

Sorry for not being specific. Re: UGI.shouldRelogin(). I just feel that the if statement in KMSCP#getActualUgi() is long and confusing. It might help readability to make the if statement a separate helper method.

Regarding the user authentication & subjects, I'll follow up separately. I want to be especially careful here since it's quite easy to break existing behavior in UGI.
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16516173#comment-16516173 ]

Xiao Chen commented on HDFS-13682:

Thanks for taking a look Wei-Chiu. Could you clarify the first comment? Are you suggesting replacing the checks with {{shouldRelogin}}?

bq. Would this cause confusion in enforcing KMS access control? ... after the patch, KMS would only see the request coming from hdfs user.

loginuser is the branch-2 behavior as well, so this patch is to bring the old behavior back (the dirty.repro on branch-2 shows this). From an API perspective, it feels to me the hdfs superuser that creates the zone only needs hdfs privilege (to reach NN). The getMetadata call from NN to KMS isn't returned to the caller.

bq. externally managed subjects

Can we create a follow-on to HADOOP-9747 to investigate this?
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16516096#comment-16516096 ] Wei-Chiu Chuang commented on HDFS-13682:
--
Still trying to understand it -- The gist of the patch is this line
{code}
!actualUgi.isFromKeytab() && !actualUgi.isFromTicket()
{code}
If I am not mistaken, this is effectively
{code}
!actualUgi.shouldRelogin()
{code}
What the patch tries to do is use the HDFS NameNode's login UGI to access KMS, instead of the current UGI (which issues the crypto -createZone command). Would this cause confusion in enforcing KMS access control? Note that HDFS NameNode allows the createEncryptionZone operation for super users (may not even be the hdfs user), and after the patch KMS would only see the request coming from the hdfs user.

Additionally, UGI.shouldRelogin() depends on isHadoopLogin(). I am curious what's the effect if the subject is actually managed externally (as allowed by HADOOP-13805). (I understand that HADOOP-9747 removed some code in HADOOP-13805, but I have not been able to reason whether it would still allow externally managed subjects.)
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16514294#comment-16514294 ] Xiao Chen commented on HDFS-13682:
--
Test failures don't look related. [~daryn] / [~jojochuang], do you have cycles to review?
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16514292#comment-16514292 ] genericqa commented on HDFS-13682:
--
(x) *-1 overall*

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 22s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 19s | Maven dependency ordering for branch |
| +1 | mvninstall | 26m 46s | trunk passed |
| +1 | compile | 29m 39s | trunk passed |
| +1 | checkstyle | 0m 23s | trunk passed |
| +1 | mvnsite | 2m 22s | trunk passed |
| -1 | shadedclient | 5m 6s | branch has errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 40s | trunk passed |
| +1 | javadoc | 1m 55s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 18s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 50s | the patch passed |
| +1 | compile | 28m 45s | the patch passed |
| +1 | javac | 28m 45s | the patch passed |
| +1 | checkstyle | 0m 24s | the patch passed |
| +1 | mvnsite | 2m 21s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| -1 | shadedclient | 2m 13s | patch has errors when building and testing our client artifacts. |
| +1 | findbugs | 3m 57s | the patch passed |
| +1 | javadoc | 1m 57s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 9m 19s | hadoop-common in the patch passed. |
| -1 | unit | 110m 57s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 1m 1s | The patch does not generate ASF License warnings. |
| | | 232m 52s | |

|| Reason || Tests ||
| Failed junit tests | hadoop.hdfs.qjournal.server.TestJournalNodeSync |

|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd |
| JIRA Issue | HDFS-13682 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12928006/HDFS-13682.01.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux 477af303e894 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:45:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 3e37a9a |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| findbugs | v3.1.0-RC1 |
| unit |
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16513427#comment-16513427 ] genericqa commented on HDFS-13682:
--
(x) *-1 overall*

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 28s | Docker mode activated. |
|| || || || Prechecks ||
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 1 new or modified test files. |
|| || || || trunk Compile Tests ||
| 0 | mvndep | 0m 19s | Maven dependency ordering for branch |
| +1 | mvninstall | 27m 12s | trunk passed |
| +1 | compile | 29m 50s | trunk passed |
| +1 | checkstyle | 0m 23s | trunk passed |
| +1 | mvnsite | 2m 26s | trunk passed |
| -1 | shadedclient | 5m 7s | branch has errors when building and testing our client artifacts. |
| +1 | findbugs | 4m 4s | trunk passed |
| +1 | javadoc | 1m 49s | trunk passed |
|| || || || Patch Compile Tests ||
| 0 | mvndep | 0m 19s | Maven dependency ordering for patch |
| -1 | mvninstall | 0m 56s | hadoop-hdfs in the patch failed. |
| -1 | compile | 2m 26s | root in the patch failed. |
| -1 | javac | 2m 26s | root in the patch failed. |
| +1 | checkstyle | 0m 13s | the patch passed |
| -1 | mvnsite | 1m 9s | hadoop-hdfs in the patch failed. |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| -1 | shadedclient | 1m 54s | patch has errors when building and testing our client artifacts. |
| -1 | findbugs | 0m 22s | hadoop-hdfs in the patch failed. |
| +1 | javadoc | 1m 37s | the patch passed |
|| || || || Other Tests ||
| +1 | unit | 9m 31s | hadoop-common in the patch passed. |
| -1 | unit | 0m 57s | hadoop-hdfs in the patch failed. |
| +1 | asflicense | 0m 24s | The patch does not generate ASF License warnings. |
| | | 93m 50s | |

|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:abb62dd |
| JIRA Issue | HDFS-13682 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12927933/HDFS-13682.01.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux 01cc4873cf4c 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:45:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 020dd61 |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| findbugs | v3.1.0-RC1 |
| mvninstall | https://builds.apache.org/job/PreCommit-HDFS-Build/24449/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs.txt |
| compile |
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16513312#comment-16513312 ] Xiao Chen commented on HDFS-13682:
--
Took an easier route and debugged branch-2. It turns out HADOOP-9747 does have some effects here - specifically at [this method|https://github.com/apache/hadoop/commit/59cf7588779145ad5850ad63426743dfe03d8347#diff-e6a2371b73365b7ba7ff9a266b9aa138L724]. When this meets the KMSCP's morph-based-on-ugi logic, the ugi being used as actual changed from loginUgi to currentUgi. (Also has a weird HTTP 400 somehow, which is fixed if contentType is set.)

Following this, I confirmed that if we change {{KMSCP#getActualUgi}}'s check from {{actualUgi.hasKerberosCredentials()}} to {{!actualUgi.isFromKeytab() && !actualUgi.isFromTicket()}} (and make {{UGI#isFromTicket}} public, of course), the test passes. This appears to be a more 'compatible' change.

IMO we should still consider explicitly doing the KMS call using the NN login ugi; this applies to both the {{getMetadata}} call during createEZ and the {{generateEncryptedKey}} call from startFile. The reason being these calls are internal to the NN, and the hdfs rpc caller isn't expected to really interact with the KMS in this case.
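To make the check change discussed in the comments concrete, here is an added stand-in model (not Hadoop's UserGroupInformation or KMSClientProvider code; the Ugi class, its flags, Check and reauthenticate are hypothetical) of how the old {{hasKerberosCredentials()}} check and the patched {{isFromKeytab()}}/{{isFromTicket()}} check choose the UGI for the NN-to-KMS call, and what KMS ends up seeing once KMSCP's cached auth token has expired:

```java
import java.util.Objects;

/** Added stand-in model of the UGI choice KMSCP#getActualUgi makes; not Hadoop code. */
public class KmsActualUgiModel {

    /** Hypothetical minimal UGI: only the properties the thread turns on. */
    static final class Ugi {
        final String name;
        final boolean fromKeytab;    // login Hadoop performed from a keytab and can renew
        final boolean fromTicket;    // login Hadoop performed from a ticket cache
        final boolean kerberosAuth;  // authentication method is Kerberos (true for RPC callers too)
        final boolean tgtInProcess;  // a usable TGT is present in this process's Subject

        Ugi(String name, boolean fromKeytab, boolean fromTicket,
            boolean kerberosAuth, boolean tgtInProcess) {
            this.name = Objects.requireNonNull(name);
            this.fromKeytab = fromKeytab;
            this.fromTicket = fromTicket;
            this.kerberosAuth = kerberosAuth;
            this.tgtInProcess = tgtInProcess;
        }

        /** Old check: satisfied by any Kerberos-authenticated UGI, TGT in process or not. */
        boolean hasKerberosCredentials() { return kerberosAuth || tgtInProcess; }

        /** Patched check: satisfied only by logins Hadoop itself performed. */
        boolean isFromKeytabOrTicket() { return fromKeytab || fromTicket; }
    }

    enum Check { HAS_KERBEROS_CREDENTIALS, FROM_KEYTAB_OR_TICKET }

    /** Pick the UGI the NN will use for the KMS call, falling back to the login user. */
    static Ugi selectActualUgi(Ugi current, Ugi loginUser, Check check) {
        boolean canAuthenticateItself = check == Check.HAS_KERBEROS_CREDENTIALS
                ? current.hasKerberosCredentials()
                : current.isFromKeytabOrTicket();
        return canAuthenticateItself ? current : loginUser;
    }

    /** What KMSCP's re-authentication yields once the cached auth token has expired. */
    static String reauthenticate(Ugi actual) {
        if (!actual.tgtInProcess) {
            return "GSSException: No valid credentials provided (as " + actual.name + ")";
        }
        return "KMS sees principal " + actual.name;
    }

    public static void main(String[] args) {
        // Constructed sample: the NN's own keytab login, and a Kerberos RPC caller as the NN
        // sees it (authenticated, but its TGT lives on the client, not inside the NN).
        Ugi nnLogin = new Ugi("hdfs", true, false, true, true);
        Ugi rpcCaller = new Ugi("systest", false, false, true, false);

        for (Check check : Check.values()) {
            Ugi actual = selectActualUgi(rpcCaller, nnLogin, check);
            System.out.println(check + " -> " + reauthenticate(actual));
        }
    }
}
```

Under the old check the RPC caller is kept and re-authentication fails with the GSSException from the report; under the patched check the call falls back to the NN login user and succeeds, which is also why KMS ACLs are then evaluated against hdfs rather than the superuser who issued createZone.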
[jira] [Commented] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16513083#comment-16513083 ] Xiao Chen commented on HDFS-13682:
--
Updated a patch that reproduces this. One potential solution is to call the KMS as the login user, because all these are hdfs superuser-only ops. Uncommenting the changes in FSDirEncryptionZoneOp would pass the test. I propose that in this jira we do this one for createZone.

This is passing in CDH5, and failing in CDH6. I automatically suspected HADOOP-9747, but cannot blame it for anything. :) One difference I noticed is that in CDH5 we don't have [these lines in KerberosAuthenticator|https://github.com/apache/hadoop/blob/branch-3.0.0/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java#L272-L273], which were added by HADOOP-11332. Not sure what's the correct solution here regarding that, but if we do this as the login user, the check should pass and no new subject needs to be created.

[~daryn], may I ask for your thoughts here? Thanks for the time.