Xiao Chen created HDFS-13682:
--------------------------------

             Summary: Cannot create encryption zone after KMS auth token expires
                 Key: HDFS-13682
                 URL: https://issues.apache.org/jira/browse/HDFS-13682
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: encryption, namenode
    Affects Versions: 3.0.0
            Reporter: Xiao Chen
            Assignee: Xiao Chen
         Attachments: HDFS-13682.dirty.repro.patch

Our internal testing reported this behavior recently.

{noformat}
[root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
[root@nightly6x-1 ~]# sudo -u hdfs klist
Ticket cache: FILE:/tmp/krb5cc_994
Default principal: h...@gce.cloudera.com

Valid starting       Expires              Service principal
06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/gce.cloudera....@gce.cloudera.com
[root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
{noformat}

Upon further investigation, this is because the KMS client (cached in the HDFS NN) cannot authenticate with the server after the authentication token (which is cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos credentials.