Bence Kosztolnik created HADOOP-19639:
-----------------------------------------

             Summary: SecretManager configuration at runtime
                 Key: HADOOP-19639
                 URL: https://issues.apache.org/jira/browse/HADOOP-19639
             Project: Hadoop Common
          Issue Type: Improvement
          Components: hadoop-common
    Affects Versions: 3.5.0
            Reporter: Bence Kosztolnik
            Assignee: Bence Kosztolnik


In the case of the TEZ *DAGAppMaster*, the Hadoop *SecretManager* code cannot read the yarn 
config xml file, therefore the SELECTED_ALGORITHM and SELECTED_LENGTH variables 
in SecretManager cannot be set at runtime.
This can result in the following exception in a FIPS environment:

{code:java}
java.security.InvalidParameterException: Key size for HMAC must be at least 112 bits in approved mode: SHA-1/HMAC
        at com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.BaseKeyGenerator.engineInit(Unknown Source)
        at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:540)
        at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:517)
        at org.apache.hadoop.security.token.SecretManager.<init>(SecretManager.java:157)
        at org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager.<init>(BaseClientToAMTokenSecretManager.java:38)
        at org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager.<init>(ClientToAMTokenSecretManager.java:46)
        at org.apache.tez.common.security.TezClientToAMTokenSecretManager.<init>(TezClientToAMTokenSecretManager.java:33)
        at org.apache.tez.dag.app.DAGAppMaster.serviceInit(DAGAppMaster.java:493)
        at org.apache.hadoop.service.AbstractService.init(AbstractService.java:164)
        at org.apache.tez.dag.app.DAGAppMaster$9.run(DAGAppMaster.java:2649)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1910)
        at org.apache.tez.dag.app.DAGAppMaster.initAndStartAppMaster(DAGAppMaster.java:2646)
        at org.apache.tez.dag.app.DAGAppMaster.main(DAGAppMaster.java:2440)
{code}

To mitigate the problem we should modify the *ClientToAMTokenSecretManager* to 
have a constructor where TEZ can pass a configuration object with the selected 
values.



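The failure mode and the proposed constructor, sketched as an added example (not Hadoop or Tez code). The class name, property names, fallback values and the `approvedMode` flag are assumptions for illustration; the flag stands in for a FIPS provider, which a stock JDK does not emulate, and the 112-bit floor is the one quoted in the exception above.

```java
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Illustrative stand-in for a token secret manager; not Hadoop or Tez code. */
public class ConfiguredSecretManagerDemo {
    // Hypothetical property names and fallback values, assumed for this sketch.
    static final String ALGORITHM_KEY = "demo.secret-manager.algorithm";
    static final String LENGTH_KEY = "demo.secret-manager.key-length";
    static final String FALLBACK_ALGORITHM = "HmacSHA1";
    static final int FALLBACK_LENGTH = 64;
    // Floor quoted by the FIPS provider in the exception above.
    static final int FIPS_MIN_HMAC_BITS = 112;
    private final KeyGenerator keyGen;

    /** The caller hands in its own configuration instead of relying on static state. */
    ConfiguredSecretManagerDemo(Properties conf, boolean approvedMode)
            throws NoSuchAlgorithmException {
        String algorithm = conf.getProperty(ALGORITHM_KEY, FALLBACK_ALGORITHM);
        int keyLength = Integer.parseInt(
                conf.getProperty(LENGTH_KEY, String.valueOf(FALLBACK_LENGTH)));
        // Fail with a message naming the setting, before the provider rejects it.
        if (approvedMode && keyLength < FIPS_MIN_HMAC_BITS) {
            throw new InvalidParameterException(LENGTH_KEY + "=" + keyLength
                    + " is below the " + FIPS_MIN_HMAC_BITS + "-bit HMAC minimum");
        }
        keyGen = KeyGenerator.getInstance(algorithm);
        keyGen.init(keyLength);
    }

    SecretKey generateSecret() { return keyGen.generateKey(); }

    public static void main(String[] args) throws Exception {
        Properties empty = new Properties();  // constructed: config file was not readable
        try {
            new ConfiguredSecretManagerDemo(empty, true);
        } catch (InvalidParameterException e) {
            System.out.println("fallback values rejected: " + e.getMessage());
        }
        Properties passed = new Properties();  // constructed: values supplied by the caller
        passed.setProperty(ALGORITHM_KEY, "HmacSHA256");
        passed.setProperty(LENGTH_KEY, "256");
        SecretKey key = new ConfiguredSecretManagerDemo(passed, true).generateSecret();
        System.out.println(key.getAlgorithm() + " key, "
                + key.getEncoded().length * 8 + " bits");
    }
}
```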