Posted to hdfs-dev@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2018/06/14 22:32:00 UTC

[jira] [Created] (HDFS-13682) Cannot create encryption zone after KMS auth token expires

Xiao Chen created HDFS-13682:
--------------------------------

             Summary: Cannot create encryption zone after KMS auth token expires
                 Key: HDFS-13682
                 URL: https://issues.apache.org/jira/browse/HDFS-13682
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: encryption, namenode
    Affects Versions: 3.0.0
            Reporter: Xiao Chen
            Assignee: Xiao Chen
         Attachments: HDFS-13682.dirty.repro.patch

Our internal testing reported this behavior recently.
{noformat}
[root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
[root@nightly6x-1 ~]# sudo -u hdfs klist
Ticket cache: FILE:/tmp/krb5cc_994
Default principal: hdfs@GCE.CLOUDERA.COM

Valid starting       Expires              Service principal
06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/GCE.CLOUDERA.COM@GCE.CLOUDERA.COM
[root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{noformat}

Upon further investigation, it's because the KMS client (cached in the HDFS NN) cannot authenticate with the server after the authentication token (which is cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos credentials.


