[jira] [Commented] (HADOOP-15473) Configure serialFilter to avoid UnrecoverableKeyException caused by JDK-8189997

Tue, 22 May 2018 22:44:50 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-15473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16486746#comment-16486746
 ] 

Xiao Chen commented on HADOOP-15473:
------------------------------------

Thanks [~gabor.bota] for the work here, and everyone for the comment.

I agree changing the startup script is less lines of code. But we generally 
don't worry about adding configs, and for this specific case I can see the 
value in having a default, like Steve mentioned.

Question on patch 4: if the property is provided to the JVM from -D (like Phil 
did), is it intentional that this patch always override it and force a 
configuration update? IMO this case the -D should take priority.
If both -D and the config was given, fair game, but we should document the 
behavior in the xml.

> Configure serialFilter to avoid UnrecoverableKeyException caused by 
> JDK-8189997
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-15473
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15473
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.6, 3.0.2
>         Environment: JDK 8u171
>            Reporter: Gabor Bota
>            Assignee: Gabor Bota
>            Priority: Critical
>         Attachments: HADOOP-15473.004.patch, HDFS-13494.001.patch, 
> HDFS-13494.002.patch, HDFS-13494.003.patch, 
> org.apache.hadoop.crypto.key.TestKeyProviderFactory.txt
>
>
> There is a new feature in JDK 8u171 called Enhanced KeyStore Mechanisms 
> (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997).
> This is the cause of the following errors in the TestKeyProviderFactory:
> {noformat}
> Caused by: java.security.UnrecoverableKeyException: Rejected by the 
> jceks.key.serialFilter or jdk.serialFilter property
>       at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
>       at 
> com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
>       at java.security.KeyStore.getKey(KeyStore.java:1023)
>       at 
> org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:410)
>       ... 28 more
> {noformat}
> This issue causes errors and failures in hbase tests right now (using hdfs) 
> and could affect other products running on this new Java version.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to