[ https://issues.apache.org/jira/browse/HADOOP-16216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803924#comment-16803924 ]
Steve Loughran commented on HADOOP-16216:
-----------------------------------------

* please add component, version of Hadoop this is affecting, change title so it reflects the component
* edited your JIRA to remove potentially sensitive details like: hostnames, kerberos, IPAddrs. Please don't share this stuff

> Cannot Delete Key with / in the key name
> ----------------------------------------
>
>                 Key: HADOOP-16216
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16216
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Istvan Vajnorak
>            Priority: Major
>
> Users can create keys with / in the path but eventually are unable to delete
> them due to the way the hadoop key command encodes URLs.
> Below are the steps to reproduce and the only way to get rid of such a key is
> to invoke the REST API directly.
> Please check if hadoop key command's implementation to be changed to cater
> for this, or implement a special character filtering to not allow such keys
> to be created.
> 1. Create a key with a / in its name:
> [root@nightly514-1 hadoop-kms]# hadoop key create my/key
> my/key has been successfully created with options
> Options\{cipher='AES/CTR/NoPadding', bitLength=128, description='null',
> attributes=null}.
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has
> been updated.
> 2. List and ensure key is there:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
> my/key
> {code}
> 3. Try to delete with normal hadoop key command:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key delete my/key
> You are about to DELETE all versions of key my/key from KeyProvider
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451.
> Continue? (Y or N) y
> Deleting key: my/key from KeyProvider:
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
> 19/03/23 02:42:51 WARN security.UserGroupInformation:
> PriviledgedActionException as:hive/nightly514-1. example....@vpc.cloudera.com
> (auth:KERBEROS)
> cause:org.apache.hadoop.security.authentication.client.AuthenticationException:
> Authentication failed, URL: https://nightly514-1.
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message:
> Bad Request
> 19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at
> [https://nightly514-1. example.org:16000/kms/v1/] threw an IOException:
> java.io.IOException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> Authentication failed, URL: https://nightly514-1.
> example.org:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message:
> Bad Request
> {code}
> 4. Delete it with curl directly:
> {code}
> [root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure
> -v "https://nightly514-1. example.org:16000/kms/v1/key/my/key"
> * About to connect() to nightly514-1. example.org port 16000 (#0)
> * Trying 192.168.1.1...
> * Connected to nightly514-1. example.org (192.168.1.1) port 16000 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> * subject: CN=nightly514-1. example.org,OU=Engineering,O=Example,L=San
> Francsico,ST=CA,C=US
> * start date: Mar 23 08:24:49 2019 GMT
> * expire date: Mar 22 08:24:49 2020 GMT
> * common name: nightly514-1. example.org
> * issuer: CN=Example Intermediate Test
> CA,OU=Engineering,O=Example,ST=CA,C=US
> > DELETE /kms/v1/key/my/key HTTP/1.1
> > Authorization: Negotiate
> ...
> > User-Agent: curl/7.29.0
> > Host: nightly514-1. example.org:16000
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> {code}
> 5. Listing to ensure the key is gone now:
> {code}
> [root@nightly514-1 hadoop-kms]# hadoop key list
> Listing keys for KeyProvider:
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
> hbase
> mapred
> hive
> systest
> hue
> solr
> {code}
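
Added example, not part of the original thread or of Hadoop's code: a Python sketch of the two request paths seen in the report (`my%2Fkey` from the hadoop key command, literal `my/key` from curl) and of the character filtering the reporter suggests at key creation. The function names and the acceptance policy in `check_key_name` are assumptions for illustration, not Hadoop's rules.

```python
from urllib.parse import quote, unquote

KEY_RESOURCE = "/kms/v1/key/"  # path prefix taken from the URLs in the report


def encoded_path(name):
    """Path a client builds when it sends the key name as ONE path segment."""
    return KEY_RESOURCE + quote(name, safe="")


def literal_path(name):
    """Path with the key name pasted in unencoded, as in the curl call."""
    return KEY_RESOURCE + name


def segments(path):
    """Split on literal '/' first, then percent-decode each segment."""
    return [unquote(s) for s in path[len(KEY_RESOURCE):].split("/")]


def check_key_name(name):
    """Return the reasons a name is rejected; an empty list means accepted.

    Assumed policy (not Hadoop's): a name is accepted only if it is one
    non-empty path segment that percent-encoding leaves unchanged.
    """
    problems = []
    if not name:
        problems.append("empty")
    if name in (".", ".."):
        problems.append("dot segment")
    if "/" in name or "\\" in name:
        problems.append("path separator")
    if "%" in name:
        problems.append("percent sign")
    if quote(name, safe="") != name:
        problems.append("not URL-stable")
    return problems


if __name__ == "__main__":
    for name in ("my/key", "hive", "my%2Fkey", ".."):  # constructed samples
        print(repr(name), encoded_path(name), segments(literal_path(name)),
              check_key_name(name) or "accepted")
```

The literal path splits into two segments (`my`, `key`) while the encoded one stays a single segment, which is why the same key name reaches the server in two different shapes depending on the client.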