[jira] [Created] (HADOOP-13864) KMS should not require truststore password

Mike Yoder (JIRA) Sat, 03 Dec 2016 17:11:44 -0800

Mike Yoder created HADOOP-13864:
-----------------------------------

             Summary: KMS should not require truststore password
                 Key: HADOOP-13864
                 URL: https://issues.apache.org/jira/browse/HADOOP-13864
             Project: Hadoop Common
          Issue Type: Bug
          Components: kms, security
            Reporter: Mike Yoder
            Assignee: Mike Yoder



Trust store passwords are actually not required for read operations. They're 
only needed for writing to the trust store; in reads they serve as an integrity 
check. Normal hadoop sslclient.xml files don't require the truststore password, 
but when the KMS is used it's required. 

If I don't specify a hadoop trust store password I get:

{noformat}
Failed to start namenode.
java.io.IOException: java.security.GeneralSecurityException: The property 
'ssl.client.truststore.password' has not been set in the ssl configuration file.
        at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428)
        at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333)
        at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324)
        at 
org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95)
        at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65)
        at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920)
        at 
org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934)
        at 
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811)
        at 
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548)
        at 
org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616)
Caused by: java.security.GeneralSecurityException: The property 
'ssl.client.truststore.password' has not been set in the ssl configuration file.
        at 
org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199)
        at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131)
        at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426)
        ... 14 more
{noformat}

Note that this _does not_ happen to the namenode when the kms isn't in use.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (HADOOP-13864) KMS should not require truststore password

Reply via email to