Hadoop Common / HADOOP-13864

KMS should not require truststore password


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: kms, security
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      Trust store passwords are actually not required for read operations. They're only needed for writing to the trust store; in reads they serve as an integrity check. Normal hadoop sslclient.xml files don't require the truststore password, but when the KMS is used it's required.

      If I don't specify a hadoop trust store password I get:

      Failed to start namenode.
      java.io.IOException: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password' has not been set in the ssl configuration file.
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324)
      	at org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95)
      	at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65)
      	at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920)
      	at org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934)
      	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811)
      	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548)
      	at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616)
      Caused by: java.security.GeneralSecurityException: The property 'ssl.client.truststore.password' has not been set in the ssl configuration file.
      	at org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199)
      	at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131)
      	at org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426)
      	... 14 more
      

      Note that this does not happen to the namenode when the kms isn't in use.
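      The claim above (the truststore password only keys an integrity check, it never encrypts the trusted certificates) can be shown against the file format itself. The following is an added example, not code from Hadoop or from this issue: a minimal reader and writer for the JKS format, which is assumed here to be the truststore type in use (Hadoop's default). The constants (magic number, version 2, SHA-1 over the file body seeded with the password as UTF-16BE plus the fixed "Mighty Aphrodite" whitener) follow the JDK's JavaKeyStore implementation; the certificate bytes and the alias are constructed placeholders, since the reader never decodes the DER. The trade-off a defender should keep in mind is visible in the last call: reading without a password works, but a modified store is then accepted silently, whereas supplying the password rejects it.

```python
"""Minimal JKS truststore reader/writer (example code, not part of Hadoop or
HADOOP-13864). It shows that the store password only keys the trailing SHA-1
integrity digest, so a truststore is readable without it."""
import hashlib
import struct
from typing import Optional

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2          # entry tag for a trusted-certificate entry (1 = private key)
_WHITENER = b"Mighty Aphrodite"  # fixed string the JDK mixes into the digest


def _pre_keyed_sha1(password: str):
    """SHA-1 seeded the way JavaKeyStore does: password chars as UTF-16BE, then the whitener."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(_WHITENER)
    return md


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF layout: 2-byte length prefix (ASCII strings assumed)."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_jks(entries: dict, password: str, timestamp_ms: int = 0) -> bytes:
    """Serialise a JKS store holding only trusted-certificate entries, plus its digest."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, cert_der in entries.items():
        body += struct.pack(">I", TRUSTED_CERT_TAG)
        body += _utf(alias)
        body += struct.pack(">Q", timestamp_ms)       # creation date in ms
        body += _utf("X.509")                          # certificate type
        body += struct.pack(">I", len(cert_der)) + cert_der
    md = _pre_keyed_sha1(password)
    md.update(body)
    return body + md.digest()


def read_jks(data: bytes, password: Optional[str] = None) -> dict:
    """Return {alias: (cert_type, der_bytes)}. With password=None the digest is
    skipped (what an optional-password read does); with a password, a mismatch
    raises ValueError, mirroring the JDK's 'Keystore was tampered with' error."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        pos += n
        return chunk

    def take_utf() -> str:
        (length,) = struct.unpack(">H", take(2))
        return take(length).decode("utf-8")

    magic, version, count = struct.unpack(">III", take(12))
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    certs = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", take(4))
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("only trusted-certificate entries are handled here")
        alias = take_utf()
        take(8)                                        # creation date, unused
        cert_type = take_utf()
        (length,) = struct.unpack(">I", take(4))
        certs[alias] = (cert_type, take(length))
    body_end = pos
    stored_digest = take(20)
    if pos != len(data):
        raise ValueError("trailing bytes after digest")
    if password is not None:                           # integrity check only when keyed
        md = _pre_keyed_sha1(password)
        md.update(data[:body_end])
        if md.digest() != stored_digest:
            raise ValueError("Keystore was tampered with, or password was incorrect")
    return certs


# Constructed sample input: placeholder bytes standing in for a DER certificate
# (the reader never decodes them) under a made-up alias.
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_STORE = build_jks({"kms-ca": SAMPLE_CERT}, "changeit")


def tamper(store: bytes) -> bytes:
    """Flip the last certificate byte (the byte just before the 20-byte digest)."""
    idx = len(store) - 21
    return store[:idx] + bytes([store[idx] ^ 0xFF]) + store[idx + 1:]


if __name__ == "__main__":
    print(read_jks(SAMPLE_STORE))                     # readable with no password
    print(read_jks(SAMPLE_STORE, "changeit"))         # readable and integrity-checked
    print(read_jks(tamper(SAMPLE_STORE)))             # tampering unnoticed without a password
    try:
        read_jks(tamper(SAMPLE_STORE), "changeit")
    except ValueError as err:
        print("with password:", err)
```

      Run it as a script to see the four outcomes; the same reader works on a real `keytool`-generated JKS truststore as long as it contains only trusted-certificate entries.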

      Attachments

        1. HADOOP-13864.000.patch
          4 kB
          Mike Yoder

        Issue Links

        Activity


          People

            yoderme Mike Yoder
            yoderme Mike Yoder
            Votes: 0
            Watchers: 4

            Dates

              Created:
              Updated:
              Resolved:
