[ https://issues.apache.org/jira/browse/HDFS-13682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16516096#comment-16516096 ]

Wei-Chiu Chuang commented on HDFS-13682:
----------------------------------------

Still trying to understand it --
The gist of the patch is this line
{code}
!actualUgi.isFromKeytab() && !actualUgi.isFromTicket()
{code}
If I am not mistaken, this is effectively
{code}
!actualUgi.shouldRelogin()
{code}

What the patch tries to do is use the HDFS NameNode's login UGI to access KMS, 
instead of the current UGI (which issues crypto -createZone command).

Would this cause confusion in enforcing KMS access control? Note that HDFS 
NameNode allows createEncryptionZone operation for super users (may not even be 
hdfs user) and after the patch, KMS would only see the request coming from hdfs 
user.

Additionally, UGI.shouldRelogin() depends on isHadoopLogin(). I am curious 
what’s the effect if the subject is actually managed externally (as allowed 
HADOOP-13805). (I understand that HADOOP-9747 removed some code in 
HADOOP-13805, but I have not been able to reason if it would still allow 
externally managed subjects)

> Cannot create encryption zone after KMS auth token expires
> ----------------------------------------------------------
>
>                 Key: HDFS-13682
>                 URL: https://issues.apache.org/jira/browse/HDFS-13682
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, namenode
>    Affects Versions: 3.0.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Critical
>         Attachments: HDFS-13682.01.patch, 
> HDFS-13682.dirty.repro.branch-2.patch, HDFS-13682.dirty.repro.patch
>
>
> Our internal testing reported this behavior recently.
> {noformat}
> [root@nightly6x-1 ~]# sudo -u hdfs /usr/bin/kinit -kt /cdep/keytabs/hdfs.keytab hdfs -l 30d -r 30d
> [root@nightly6x-1 ~]# sudo -u hdfs klist
> Ticket cache: FILE:/tmp/krb5cc_994
> Default principal: h...@gce.cloudera.com
> Valid starting       Expires              Service principal
> 06/12/2018 03:24:09  07/12/2018 03:24:09  krbtgt/gce.cloudera....@gce.cloudera.com
> [root@nightly6x-1 ~]# sudo -u hdfs hdfs crypto -createZone -keyName key77 -path /user/systest/ez
> RemoteException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> {noformat}
> Upon further investigation, it's due to the KMS client (cached in HDFS NN) 
> cannot authenticate with the server after the authentication token (which is 
> cached by KMSCP) expires, even if the HDFS client RPC has valid kerberos 
> credentials.


