[ https://issues.apache.org/jira/browse/HADOOP-16216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HADOOP-16216:
------------------------------------
    Description:
Users can create keys with / in the path but eventually are unable to delete them due to the way the hadoop key command encodes URLs.
Below are the steps to reproduce and the only way to get rid of such a key is to invoke the REST API directly.
Please check if hadoop key command's implementation to be changed to cater for this, or implement a special character filtering to not allow such keys to be created.

1. Create a key with a / in its name:
[root@nightly514-1 hadoop-kms]# hadoop key create my/key
my/key has been successfully created with options Options\{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has been updated.

2. List and ensure key is there:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
my/key
{code}

3. Try to delete with normal hadoop key command:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key delete my/key
You are about to DELETE all versions of key my/key from KeyProvider org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. Continue? (Y or N) y
Deleting key: my/key from KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
19/03/23 02:42:51 WARN security.UserGroupInformation: PriviledgedActionException as:hive/nightly514-1. example....@vpc.cloudera.com (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1. example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://nightly514-1. example.org:16000/kms/v1/] threw an IOException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1. example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
{code}

4. Delete it with curl directly:
{code}
[root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure -v "https://nightly514-1. example.org:16000/kms/v1/key/my/key"
* About to connect() to nightly514-1. example.org port 16000 (#0)
* Trying 192.168.1.1...
* Connected to nightly514-1. example.org (192.168.1.1) port 16000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=nightly514-1. example.org,OU=Engineering,O=Example,L=San Francsico,ST=CA,C=US
* start date: Mar 23 08:24:49 2019 GMT
* expire date: Mar 22 08:24:49 2020 GMT
* common name: nightly514-1. example.org
* issuer: CN=Example Intermediate Test CA,OU=Engineering,O=Example,ST=CA,C=US
> DELETE /kms/v1/key/my/key HTTP/1.1
> Authorization: Negotiate ...
> User-Agent: curl/7.29.0
> Host: nightly514-1. example.org:16000
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
{code}

5. Listing to ensure the key is gone now:
{code}
[root@nightly514-1 hadoop-kms]# hadoop key list
Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
hbase
mapred
hive
systest
hue
solr
{code}

  was:
Users can create keys with / in the path but eventually are unable to delete them due to the way the hadoop key command encodes URLs.
Below are the steps to reproduce and the only way to get rid of such a key is to invoke the REST API directly.
Please check if hadoop key command's implementation to be changed to cater for this, or implement a special character filtering to not allow such keys to be created.

1. Create a key with a / in its name:
[root@nightly514-1 hadoop-kms]# hadoop key create my/key
my/key has been successfully created with options Options\{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has been updated.

2. List and ensure key is there:
[root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
my/key

3. Try to delete with normal hadoop key command:
[root@nightly514-1 hadoop-kms]# hadoop key delete my/key
You are about to DELETE all versions of key my/key from KeyProvider org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. Continue? (Y or N) y
Deleting key: my/key from KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
19/03/23 02:42:51 WARN security.UserGroupInformation: PriviledgedActionException as:hive/nightly514-1.vpc.cloudera....@vpc.cloudera.com (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://nightly514-1.vpc.cloudera.com:16000/kms/v1/] threw an IOException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request

4. Delete it with curl directly:
[root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure -v "https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my/key"
* About to connect() to nightly514-1.vpc.cloudera.com port 16000 (#0)
* Trying 10.65.28.216...
* Connected to nightly514-1.vpc.cloudera.com (10.65.28.216) port 16000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=nightly514-1.vpc.cloudera.com,OU=Engineering,O=Cloudera,L=San Francsico,ST=CA,C=US
* start date: Mar 23 08:24:49 2019 GMT
* expire date: Mar 22 08:24:49 2020 GMT
* common name: nightly514-1.vpc.cloudera.com
* issuer: CN=Cloudera Intermediate Test CA,OU=Engineering,O=Cloudera,ST=CA,C=US
> DELETE /kms/v1/key/my/key HTTP/1.1
> Authorization: Negotiate ...
> User-Agent: curl/7.29.0
> Host: nightly514-1.vpc.cloudera.com:16000
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

5. Listing to ensure the key is gone now:
[root@nightly514-1 hadoop-kms]# hadoop key list
Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
hbase
mapred
hive
systest
hue
solr

> Cannot Delete Key with / in the key name
> ----------------------------------------
>
>                 Key: HADOOP-16216
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16216
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Istvan Vajnorak
>            Priority: Major
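The special-character filtering the report asks for could be a check like the following, applied before a key is created. This is an added example, not Hadoop code: the class, the method names and the allow-list are assumptions, and the `/kms/v1/key/` prefix is taken from the URLs in the log output. A name is accepted only when the percent-encoded path seen in step 3 and the raw path used in step 4 would be the same string.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

/** Added example, not Hadoop code: reject key names that are unsafe as one URL path segment. */
public class KeyNameCheck {
    // Resource prefix copied from the URLs in the report's log output.
    static final String KEY_RESOURCE = "/kms/v1/key/";

    /** Path a client requests when it percent-encodes the whole name as one segment. */
    static String encodedPath(String name) {
        return KEY_RESOURCE + URLEncoder.encode(name, StandardCharsets.UTF_8);
    }

    /** Path a client requests when it sends the name unencoded, as the curl call did. */
    static String rawPath(String name) {
        return KEY_RESOURCE + name;
    }

    /** Returns null when the name is acceptable, otherwise the reason for rejecting it. */
    static String rejectReason(String name) {
        if (name == null || name.isEmpty()) return "empty name";
        if (name.equals(".") || name.equals("..")) return "dot segment";
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            // Assumed allow-list: ASCII letters, digits, '-', '.', '_'.
            // URLEncoder leaves all of these unchanged, so raw and encoded paths match.
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_';
            if (!ok) return "'" + c + "' at index " + i + " is not in the allow-list";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample names; "my/key" is the name used in the report.
        for (String name : List.of("hive", "my/key", "my key", "a%2Fb", "..")) {
            String why = rejectReason(name);
            System.out.printf("%-7s raw=%-20s encoded=%-24s %s%n", name,
                    rawPath(name), encodedPath(name),
                    why == null ? "accept" : "reject: " + why);
        }
    }
}
```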