Posted to hdfs-dev@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2018/06/14 22:32:00 UTC
[jira] [Created] (HDFS-13682) Cannot create encryption zone after KMS auth token expires
Xiao Chen created HDFS-13682:
--------------------------------
Summary: Cannot create encryption zone after KMS auth token expires
Key: HDFS-13682
URL: https://issues.apache.org/jira/browse/HDFS-13682
Project: Hadoop HDFS
Issue Type: Bug
Components: encryption, namenode
Affects Versions: 3.0.0
Reporter: Xiao Chen
Assignee: Xiao Chen
Attachments: HDFS-13682.dirty.repro.patch
Our internal testing reported this behavior recently.
{noformat}
[root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
[root@nightly6x-1 ~]# sudo -u hdfs klist
Ticket cache: FILE:/tmp/krb5cc_994
Default principal: hdfs@GCE.CLOUDERA.COM
Valid starting Expires Service principal
06/12/2018 03:24:09 07/12/2018 03:24:09 krbtgt/GCE.CLOUDERA.COM@GCE.CLOUDERA.COM
[root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{noformat}
Upon further investigation, this is because the KMS client (cached in the HDFS NN) cannot authenticate with the server after the authentication token (which is cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos credentials.