[ https://issues.apache.org/jira/browse/HADOOP-15519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16582408#comment-16582408 ]
wanzhai commented on HADOOP-15519:
----------------------------------

I also encountered this error. But my hadoop version is 2.6.5.
When I executed "hadoop key list -metadata", I got this:
{code:java}
Cannot list keys for KeyProvider: KMSClientProvider[http://IP:PORT/kms/v1/]: Can't recover key for key1 from keystore file:/root/kms.keystore
java.io.IOException: Can't recover key for key1 from keystore file:/root/kms.keystore
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:157)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:482)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:441)
	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.getKeysMetadata(KMSClientProvider.java:584)
	at org.apache.hadoop.crypto.key.KeyShell$ListCommand.execute(KeyShell.java:289)
	at org.apache.hadoop.crypto.key.KeyShell.run(KeyShell.java:79)
	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
	at org.apache.hadoop.crypto.key.KeyShell.main(KeyShell.java:513)
{code}
kms.log:
{code:java}
2018-08-15 03:03:42,889 WARN AuthenticationFilter - Authentication exception: Anonymous requests are disallowed
org.apache.hadoop.security.authentication.client.AuthenticationException: Anonymous requests are disallowed
	at org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler.authenticate(PseudoAuthenticationHandler.java:183)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:347)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:509)
	at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:129)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:748)
{code}
I replaced jdk8u171 and the error is gone. I don't know if the error I encountered is related to this issue.

> KMS fails to read the existing key metadata after upgrading to JDK 1.8u171
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-15519
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15519
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.3
>            Reporter: Vipin Rathor
>            Priority: Critical
>
> Steps to reproduce are:
>  a. Set up a KMS with any OpenJDK 1.8 before u171 and create a few KMS keys.
>  b. Update KMS to run with OpenJDK 1.8u171 JDK and keys can't be read
> anymore, as can be seen below
> {code:java}
> hadoop key list -metadata
> <keyname> : null
> {code}
>  c. Going back to earlier JDK version fixes the issue.
>
> There is no direct error / stacktrace in kms.log when it is not able to read
> the key metadata. Only Java serialization INFO messages are printed, followed
> by this one empty line in log which just says:
> {code:java}
> ERROR RangerKeyStore -
> {code}
> In some cases, kms.log can also have these lines:
> {code:java}
> 2018-05-18 10:40:46,438 DEBUG RangerKmsAuthorizer - <== RangerKmsAuthorizer.assertAccess(null, rangerkms/node1.host....@env.com (auth:KERBEROS), GET_METADATA)
> 2018-05-18 10:40:46,598 INFO serialization - ObjectInputFilter REJECTED: class org.apache.hadoop.crypto.key.RangerKeyStoreProvider$KeyMetadata, array length: -1, nRefs: 1, depth: 1, bytes: 147, ex: n/a
> 2018-05-18 10:40:46,598 ERROR RangerKeyStore -
> {code}
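
Added example (not part of the JIRA thread and not Hadoop or Ranger code): a Python scan of kms.log for the `ObjectInputFilter REJECTED` lines quoted in the issue description, flagging each one that is immediately followed by the message-less `ERROR RangerKeyStore -` line. The sample log is constructed from the lines quoted above (the principal and the second rejected class are placeholders), and the function names are hypothetical.

```python
import re
from collections import Counter

# Line format of the JDK serialization-filter message as quoted in the issue.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+INFO\s+serialization\s+-\s+"
    r"ObjectInputFilter REJECTED: class (?P<cls>[\w.$]+), "
    r"array length: (?P<array_length>-?\d+), nRefs: (?P<nrefs>-?\d+), "
    r"depth: (?P<depth>-?\d+), bytes: (?P<bytes>-?\d+), ex: (?P<ex>.*)$"
)
# The error line with no message that the issue says follows a rejection.
EMPTY_ERROR_RE = re.compile(r"ERROR\s+RangerKeyStore\s+-\s*$")


def find_rejections(lines):
    """Return one dict per REJECTED line; 'silent_error' is True when the
    next non-blank line is the empty RangerKeyStore ERROR."""
    lines = [ln.rstrip("\r\n") for ln in lines if ln.strip()]
    hits = []
    for i, line in enumerate(lines):
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("array_length", "nrefs", "depth", "bytes"):
            rec[key] = int(rec[key])
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        rec["silent_error"] = bool(EMPTY_ERROR_RE.search(nxt))
        hits.append(rec)
    return hits


def rejected_classes(lines):
    """Count rejections per class, to see which serialized types the filter blocks."""
    return Counter(rec["cls"] for rec in find_rejections(lines))


# Constructed sample, modelled on the kms.log excerpt in the issue description.
SAMPLE_LOG = """\
2018-05-18 10:40:46,438 DEBUG RangerKmsAuthorizer - <== RangerKmsAuthorizer.assertAccess(null, svc@EXAMPLE.COM (auth:KERBEROS), GET_METADATA)
2018-05-18 10:40:46,598 INFO serialization - ObjectInputFilter REJECTED: class org.apache.hadoop.crypto.key.RangerKeyStoreProvider$KeyMetadata, array length: -1, nRefs: 1, depth: 1, bytes: 147, ex: n/a
2018-05-18 10:40:46,598 ERROR RangerKeyStore -
2018-05-18 10:41:02,114 INFO serialization - ObjectInputFilter REJECTED: class com.example.Placeholder$Inner, array length: -1, nRefs: 2, depth: 1, bytes: 90, ex: n/a
2018-05-18 10:41:02,120 DEBUG RangerKmsAuthorizer - request finished
"""

if __name__ == "__main__":
    for rec in find_rejections(SAMPLE_LOG.splitlines()):
        print(rec["ts"], rec["cls"], "silent_error=%s" % rec["silent_error"])
```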