Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15473

Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.7.6, 3.0.2
    • Fix Version/s: 2.10.0, 3.2.0, 3.1.1, 2.9.2, 3.0.3, 2.7.7, 2.8.5
    • Component/s: kms
    • Labels:
      None
    • Environment:

      JDK 8u171

    • Hadoop Flags:
      Reviewed

      Description

      There is a new feature in JDK 8u171 called Enhanced KeyStore Mechanisms (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997).
      This is the cause of the following errors in the TestKeyProviderFactory:

      Caused by: java.security.UnrecoverableKeyException: Rejected by the jceks.key.serialFilter or jdk.serialFilter property
      	at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
      	at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
      	at java.security.KeyStore.getKey(KeyStore.java:1023)
      	at org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:410)
      	... 28 more
      

      This issue causes errors and failures in hbase tests right now (using hdfs) and could affect other products running on this new Java version.

        Attachments

        1. org.apache.hadoop.crypto.key.TestKeyProviderFactory.txt
          6 kB
          Gabor Bota
        2. HDFS-13494.003.patch
          4 kB
          Gabor Bota
        3. HDFS-13494.002.patch
          1 kB
          Gabor Bota
        4. HDFS-13494.001.patch
          1 kB
          Gabor Bota
        5. HADOOP-15473.006.patch
          5 kB
          Gabor Bota
        6. HADOOP-15473.005.patch
          5 kB
          Gabor Bota
        7. HADOOP-15473.004.patch
          5 kB
          Gabor Bota

          Issue Links

            Activity

              People

              • Assignee:
                gabor.bota Gabor Bota
                Reporter:
                gabor.bota Gabor Bota
              • Votes:
                0 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: