[ https://issues.apache.org/jira/browse/HADOOP-16216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803924#comment-16803924 ]

Steve Loughran commented on HADOOP-16216:
-----------------------------------------

* please add component, version of Hadoop this is affecting, change title so it 
reflects the component
* edited your JIRA to remove potentially sensitive details like: hostnames, 
kerberos, IPAddrs. Please don't share this stuff

> Cannot Delete Key with / in the key name
> ----------------------------------------
>
>                 Key: HADOOP-16216
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16216
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Istvan Vajnorak
>            Priority: Major
>
> Users can create keys with / in the path but eventually are unable to delete 
> them due to the way the hadoop key command encodes URLs.
> Below are the steps to reproduce and the only way to get rid of such a key is 
> to invoke the REST API directly.
> Please check if the hadoop key command's implementation can be changed to cater 
> for this, or implement special character filtering to not allow such keys 
> to be created.
> 1. Create a key with a / in its name:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key create my/key
> my/key has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has been updated.
> {code}
> 2. List and ensure key is there:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
> my/key
> {code}
> 3. Try to delete with normal hadoop key command:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key delete my/key
> You are about to DELETE all versions of  key my/key from KeyProvider 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. 
> Continue?  (Y or N) y
> Deleting key: my/key from KeyProvider: 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
> 19/03/23 02:42:51 WARN security.UserGroupInformation: 
> PriviledgedActionException as:hive/nightly514-1. example....@vpc.cloudera.com 
> (auth:KERBEROS) 
> cause:org.apache.hadoop.security.authentication.client.AuthenticationException:
>  Authentication failed, URL: https://nightly514-1. 
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: 
> Bad Request
> 19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at 
> [https://nightly514-1. example.org:16000/kms/v1/] threw an IOException: 
> java.io.IOException: 
> org.apache.hadoop.security.authentication.client.AuthenticationException: 
> Authentication failed, URL: https://nightly514-1. 
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: 
> Bad Request
> {code}
> 4. Delete it with curl directly:
> {code}
> [root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure 
> -v "https://nightly514-1. example.org:16000/kms/v1/key/my/key"
> * About to connect() to nightly514-1. example.org port 16000 (#0)
> *   Trying 192.168.1.1...
> * Connected to nightly514-1. example.org (192.168.1.1) port 16000 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> *     subject: CN=nightly514-1. example.org,OU=Engineering,O=Example,L=San 
> Francsico,ST=CA,C=US
> *     start date: Mar 23 08:24:49 2019 GMT
> *     expire date: Mar 22 08:24:49 2020 GMT
> *     common name: nightly514-1. example.org
> *     issuer: CN=Example Intermediate Test 
> CA,OU=Engineering,O=Example,ST=CA,C=US
> > DELETE /kms/v1/key/my/key HTTP/1.1
> > Authorization: Negotiate
> ...
> > User-Agent: curl/7.29.0
> > Host: nightly514-1. example.org:16000
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> {code}
> 5. Listing to ensure the key is gone now:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list
> Listing keys for KeyProvider: 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
> hbase
> mapred
> hive
> systest
> hue
> solr
> {code}


