Xiao Chen created HDFS-13682:
--------------------------------

             Summary: Cannot create encryption zone after KMS auth token expires
                 Key: HDFS-13682
                 URL: https://issues.apache.org/jira/browse/HDFS-13682
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: encryption, namenode
    Affects Versions: 3.0.0
            Reporter: Xiao Chen
            Assignee: Xiao Chen
         Attachments: HDFS-13682.dirty.repro.patch

Our internal testing reported this behavior recently.
{noformat}
[root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
[root@nightly6x-1 ~]# sudo -u hdfs klist
Ticket cache: FILE:/tmp/krb5cc_994
Default principal: h...@gce.cloudera.com

Valid starting       Expires              Service principal
06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/gce.cloudera....@gce.cloudera.com
[root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{noformat}

Upon further investigation, this happens because the KMS client (cached in HDFS NN) 
cannot authenticate with the server after the authentication token (which is 
cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos 
credentials.


