[ https://issues.apache.org/jira/browse/HADOOP-13864?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Yoder updated HADOOP-13864: -------------------------------- Attachment: HADOOP-13864.000.patch > KMS should not require truststore password > ------------------------------------------ > > Key: HADOOP-13864 > URL: https://issues.apache.org/jira/browse/HADOOP-13864 > Project: Hadoop Common > Issue Type: Bug > Components: kms, security > Reporter: Mike Yoder > Assignee: Mike Yoder > Attachments: HADOOP-13864.000.patch > > > Trust store passwords are actually not required for read operations. They're > only needed for writing to the trust store; in reads they serve as an > integrity check. Normal hadoop sslclient.xml files don't require the > truststore password, but when the KMS is used it's required. > If I don't specify a hadoop trust store password I get: > {noformat} > Failed to start namenode. > java.io.IOException: java.security.GeneralSecurityException: The property > 'ssl.client.truststore.password' has not been set in the ssl configuration > file. > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324) > at > org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95) > at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65) > at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920) > at > org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934) > at > org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811) > at > org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548) > at > org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616) > Caused by: java.security.GeneralSecurityException: The property > 'ssl.client.truststore.password' has not been set in the ssl configuration > file. > at > org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199) > at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131) > at > org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426) > ... 14 more > {noformat} > Note that this _does not_ happen to the namenode when the kms isn't in use. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org