
KMS should not require truststore password

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: kms, security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Trust store passwords are actually not required for read operations. They're only needed for writing to the trust store; in reads they serve as an integrity check. Normal Hadoop ssl-client.xml files don't require the truststore password, but when the KMS is used it's required.

      If I don't specify a Hadoop trust store password, I get:

      Failed to start namenode.
      java.io.IOException: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password' has not been set in the ssl configuration file.
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324)
      	at org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95)
      	at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65)
      	at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920)
      	at org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934)
      	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811)
      	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616)
      Caused by: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password' has not been set in the ssl configuration file.
      	at org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199)
      	at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426)
      	... 14 more
      

      Note that this does not happen to the namenode when the kms isn't in use.
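      To illustrate the point that the trust store password is only needed for writing and acts purely as an integrity check on read, here is an added Java example (not Hadoop or KMS code): it builds an empty JKS trust store in memory, then reopens it with no password, the correct password, and a wrong one.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

/**
 * Added example, not Hadoop code: demonstrates that a JKS trust store can be
 * read without its password, and that a supplied password is only checked
 * for integrity on read.
 */
public class TrustStorePasswordDemo {

    /** Build a JKS trust store in memory, protected with the given password. */
    static byte[] createTrustStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // create a new, empty keystore
        // A real trust store would add CA certificates via setCertificateEntry.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);             // writing requires a non-null password
        return out.toByteArray();
    }

    /** Open the trust store for reading; password may be null. */
    static KeyStore openTrustStore(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        // With a null password the JKS loader skips the integrity check but still
        // parses every certificate entry, which is all a TLS client needs.
        ks.load(new ByteArrayInputStream(bytes), password);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        byte[] store = createTrustStore("storepass".toCharArray());

        openTrustStore(store, null);                      // ok: read-only, no integrity check
        openTrustStore(store, "storepass".toCharArray()); // ok: integrity check passes

        try {
            openTrustStore(store, "wrong".toCharArray());
            System.out.println("unexpected: wrong password accepted");
        } catch (IOException e) {
            // JKS reports a failed integrity check as an IOException
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

      A client such as the KMS one can therefore treat the password as optional: pass the configured value when present, otherwise pass null, and the trust store still loads.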

              People

              • Assignee: Mike Yoder (yoderme)
              • Reporter: Mike Yoder (yoderme)
              • Votes: 0
              • Watchers: 4
