[ https://issues.apache.org/jira/browse/HDFS-13494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477649#comment-16477649 ]

Akira Ajisaka commented on HDFS-13494:
--------------------------------------

Thanks [~gabor.bota] for updating the patch! Some comments:
* Would you add the default value in CommonConfigurationKeysPublic.java as 
well? That way we don't need the comment that the default value was added to 
core-default.xml in the source code.
* This change is in hadoop-common, so I'll move this issue to Hadoop Common 
project shortly. Would you update the issue id in the patch?
* In the description of the new parameter, would you document how the new 
parameter works in Apache Hadoop KeyProvider?

bq. The default pattern allows java.lang.Enum, java.security.KeyRep, 
java.security.KeyRep$Type, and javax.crypto.spec.SecretKeySpec but rejects all 
the others.
In this case, "the default pattern" is misunderstanding. It looks to be the 
default value of the new parameter.

> Configure serialFilter to avoid UnrecoverableKeyException caused by 
> JDK-8189997
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-13494
>                 URL: https://issues.apache.org/jira/browse/HDFS-13494
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.6, 3.0.2
>         Environment: JDK 8u171
>            Reporter: Gabor Bota
>            Assignee: Gabor Bota
>            Priority: Critical
>         Attachments: HDFS-13494.001.patch, HDFS-13494.002.patch, 
> HDFS-13494.003.patch, org.apache.hadoop.crypto.key.TestKeyProviderFactory.txt
>
>
> There is a new feature in JDK 8u171 called Enhanced KeyStore Mechanisms 
> (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997).
> This is the cause of the following errors in the TestKeyProviderFactory:
> {noformat}
> Caused by: java.security.UnrecoverableKeyException: Rejected by the jceks.key.serialFilter or jdk.serialFilter property
>       at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
>       at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
>       at java.security.KeyStore.getKey(KeyStore.java:1023)
>       at org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:410)
>       ... 28 more
> {noformat}
> This issue causes errors and failures in hbase tests right now (using hdfs) 
> and could affect other products running on this new Java version.
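
How a `jceks.key.serialFilter` pattern decides which classes may be deserialized from a JCEKS entry, as an added example that is not part of the original message or of the Hadoop patch. It assumes JDK 9+ (`java.io.ObjectInputFilter`; JDK 8u171 ships the equivalent as `sun.misc.ObjectInputFilter`), uses the JDK default filter string matching the classes listed in the comment above, and uses `DemoKeyMetadata` as a hypothetical stand-in for an application-defined class read back through `KeyStore.getKey`.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.Serializable;
import javax.crypto.spec.SecretKeySpec;

public class SerialFilterDemo {
    // JDK default for jceks.key.serialFilter: four allowed classes, then "!*" rejects the rest.
    static final String JDK_DEFAULT = "java.lang.Enum;java.security.KeyRep;"
            + "java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*";

    // Hypothetical application class stored in a keystore entry (assumption, not Hadoop code).
    static final class DemoKeyMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Ask a filter built from `pattern` whether `clazz` may be deserialized.
    static Status check(String pattern, Class<?> clazz) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        return filter.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return clazz; }
            public long arrayLength() { return -1; }   // not an array
            public long depth() { return 1; }
            public long references() { return 1; }
            public long streamBytes() { return 0; }
        });
    }

    // Extend the allowlist with one exact class name; keep the trailing "!*"
    // so everything not listed is still rejected.
    static String allowAlso(String pattern, Class<?> clazz) {
        return clazz.getName() + ";" + pattern;
    }

    public static void main(String[] args) {
        // A plain secret key is on the default allowlist.
        System.out.println("SecretKeySpec, default filter:   "
                + check(JDK_DEFAULT, SecretKeySpec.class));
        // An application class is not, which surfaces as UnrecoverableKeyException
        // ("Rejected by the jceks.key.serialFilter or jdk.serialFilter property").
        System.out.println("DemoKeyMetadata, default filter: "
                + check(JDK_DEFAULT, DemoKeyMetadata.class));
        // Adding only that class name admits it without opening the filter to "*".
        String extended = allowAlso(JDK_DEFAULT, DemoKeyMetadata.class);
        System.out.println("DemoKeyMetadata, extended filter: "
                + check(extended, DemoKeyMetadata.class));
        // Unlisted classes are still rejected under the extended filter.
        System.out.println("java.util.HashMap, extended filter: "
                + check(extended, java.util.HashMap.class));
    }
}
```

The keystore provider reads the filter property once, so in a real deployment the extended value has to be in place before the first JCEKS key is loaded.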


