[ 
https://issues.apache.org/jira/browse/HADOOP-16216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Steve Loughran updated HADOOP-16216:
------------------------------------
    Description: 
Users can create keys with / in the path but eventually are unable to delete 
them due to the way the hadoop key command encodes URLs.

Below are the steps to reproduce and the only way to get rid of such a key is 
to invoke the REST API directly.

Please check whether the hadoop key command's implementation should be changed to cater for 
this, or implement special character filtering to not allow such keys to be 
created.


1. Create a key with a / in its name:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key create my/key
my/key has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has been updated.
{code}

2. List and ensure key is there:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
my/key
{code}
3. Try to delete with normal hadoop key command:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key delete my/key
You are about to DELETE all versions of  key my/key from KeyProvider org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. Continue?  (Y or N) y
Deleting key: my/key from KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
19/03/23 02:42:51 WARN security.UserGroupInformation: PriviledgedActionException as:hive/nightly514-1. example....@vpc.cloudera.com (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1. example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://nightly514-1. example.org:16000/kms/v1/] threw an IOException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1. example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
{code}
4. Delete it with curl directly:
{code}
[root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure -v "https://nightly514-1. example.org:16000/kms/v1/key/my/key"
* About to connect() to nightly514-1. example.org port 16000 (#0)
*   Trying 192.168.1.1...
* Connected to nightly514-1. example.org (192.168.1.1) port 16000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=nightly514-1. example.org,OU=Engineering,O=Example,L=San Francsico,ST=CA,C=US
*       start date: Mar 23 08:24:49 2019 GMT
*       expire date: Mar 22 08:24:49 2020 GMT
*       common name: nightly514-1. example.org
*       issuer: CN=Example Intermediate Test CA,OU=Engineering,O=Example,ST=CA,C=US
> DELETE /kms/v1/key/my/key HTTP/1.1
> Authorization: Negotiate
...
> User-Agent: curl/7.29.0
> Host: nightly514-1. example.org:16000
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
{code}
5. Listing to ensure the key is gone now:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key list
Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
hbase
mapred
hive
systest
hue
solr
{code}

  was:
Users can create keys with / in the path but eventually are unable to delete 
them due to the way the hadoop key command encodes URLs.

Below are the steps to reproduce and the only way to get rid of such a key is 
to invoke the REST API directly.

Please check if hadoop key command's implementation to be changed to cater for 
this, or implement a special character filtering to not allow such keys to be 
created.





1. Create a key with a / in it's name: [root@nightly514-1 hadoop-kms]# hadoop 
key create my/key my/key has been successfully created with options 
Options\{cipher='AES/CTR/NoPadding', bitLength=128, description='null', 
attributes=null}. 
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has 
been updated.

2. List and ensure key is there:

[root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
my/key

3. Try to delete with normal hadoop key command:

[root@nightly514-1 hadoop-kms]# hadoop key delete my/key
You are about to DELETE all versions of  key my/key from KeyProvider 
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. 
Continue?  (Y or N) y
Deleting key: my/key from KeyProvider: 
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
19/03/23 02:42:51 WARN security.UserGroupInformation: 
PriviledgedActionException 
as:hive/nightly514-1.vpc.cloudera....@vpc.cloudera.com (auth:KERBEROS) 
cause:org.apache.hadoop.security.authentication.client.AuthenticationException: 
Authentication failed, URL: 
https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, 
status: 400, message: Bad Request
19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at 
[https://nightly514-1.vpc.cloudera.com:16000/kms/v1/] threw an IOException: 
java.io.IOException: 
org.apache.hadoop.security.authentication.client.AuthenticationException: 
Authentication failed, URL: 
https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, 
status: 400, message: Bad Request

4. Delete it with curl directly:

[root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure 
-v "https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my/key";
* About to connect() to nightly514-1.vpc.cloudera.com port 16000 (#0)
*   Trying 10.65.28.216...
* Connected to nightly514-1.vpc.cloudera.com (10.65.28.216) port 16000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: 
CN=nightly514-1.vpc.cloudera.com,OU=Engineering,O=Cloudera,L=San 
Francsico,ST=CA,C=US
*       start date: Mar 23 08:24:49 2019 GMT
*       expire date: Mar 22 08:24:49 2020 GMT
*       common name: nightly514-1.vpc.cloudera.com
*       issuer: CN=Cloudera Intermediate Test 
CA,OU=Engineering,O=Cloudera,ST=CA,C=US
> DELETE /kms/v1/key/my/key HTTP/1.1
> Authorization: Negotiate
...
> User-Agent: curl/7.29.0
> Host: nightly514-1.vpc.cloudera.com:16000
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

5. Listing to ensure the key is gone now:

[root@nightly514-1 hadoop-kms]# hadoop key list
Listing keys for KeyProvider: 
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
hbase
mapred
hive
systest
hue
solr


> Cannot Delete Key with / in the key name
> ----------------------------------------
>
>                 Key: HADOOP-16216
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16216
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Istvan Vajnorak
>            Priority: Major



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
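
The report's second suggestion, filtering key names at creation time, could look like the following. This is an added example, not Hadoop code: the class `KeyNameCheck`, its methods and the allowed-character policy are assumptions; only `my/key` and its encoded form `my%2Fkey` come from the report.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.regex.Pattern;

/** Added illustration; class and method names are hypothetical, not Hadoop APIs. */
public class KeyNameCheck {
    // Assumed policy: only characters that survive URL encoding unchanged
    // and carry no meaning inside a URL path.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,255}");

    /** Encodes a name as one URL component; my/key becomes my%2Fkey, as in the logged URL. */
    static String encodeSegment(String name) {
        try {
            return URLEncoder.encode(name, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /** Returns null if the name is acceptable, otherwise the reason to reject it. */
    static String rejectReason(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        if (name.equals(".") || name.equals("..")) return "dot segment";
        if (!SAFE.matcher(name).matches()) return "character outside [A-Za-z0-9._-]";
        // Invariant check: a name that passes must address the same resource
        // whether a client sends it raw or encoded.
        if (!encodeSegment(name).equals(name)) return "name changes when URL-encoded";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample names; my/key is the one from the report.
        String[] samples = {"hbase", "my/key", "my key", "a%2Fb", "..", "team.key-1"};
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.printf("%-12s encoded=%-14s %s%n", s, encodeSegment(s),
                reason == null ? "ALLOW" : "REJECT: " + reason);
        }
    }
}
```

Applied on the create path, a check like this refuses `my/key` up front, so no key can exist that the CLI's encoded URL and the raw REST path address differently.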