[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xiao Chen updated HDFS-13682:
-----------------------------
    Attachment: HDFS-13682.01.patch

> Cannot create encryption zone after KMS auth token expires
> ----------------------------------------------------------
>
> Key: HDFS-13682
> URL: https://issues.apache.org/jira/browse/HDFS-13682
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: encryption, namenode
> Affects Versions: 3.0.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Critical
> Attachments: HDFS-13682.01.patch, HDFS-13682.dirty.repro.branch-2.patch, HDFS-13682.dirty.repro.patch
>
>
> Our internal testing reported this behavior recently.
> {noformat}
> [root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
> [root@nightly6x-1 ~]# sudo -u hdfs klist
> Ticket cache: FILE:/tmp/krb5cc_994
> Default principal: h...@gce.cloudera.com
> Valid starting       Expires              Service principal
> 06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/gce.cloudera....@gce.cloudera.com
> [root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
> RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> {noformat}
> Upon further investigation, it's because the KMS client (cached in the HDFS NN) cannot authenticate with the server after the authentication token (which is cached by KMSCP) expires, even if the HDFS client RPC has valid Kerberos credentials.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)