Istvan Vajnorak created HADOOP-16216:
----------------------------------------

             Summary: Cannot Delete Key with / in the key name
                 Key: HADOOP-16216
                 URL: https://issues.apache.org/jira/browse/HADOOP-16216
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Istvan Vajnorak


Users can create keys with / in the path but eventually are unable to delete them due to the way the hadoop key command encodes URLs.

Below are the steps to reproduce. The only way to get rid of such a key is to invoke the REST API directly.

Please check if the hadoop key command's implementation can be changed to cater for this, or implement special character filtering to not allow such keys to be created.

1. Create a key with a / in its name:

    [root@nightly514-1 hadoop-kms]# hadoop key create my/key
    my/key has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
    org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@5890e879 has been updated.

2. List and ensure key is there:

    [root@nightly514-1 hadoop-kms]# hadoop key list | grep my/key
    my/key

3. Try to delete with normal hadoop key command:

    [root@nightly514-1 hadoop-kms]# hadoop key delete my/key
    You are about to DELETE all versions of key my/key from KeyProvider org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451. Continue? (Y or N) y
    Deleting key: my/key from KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@2890c451
    19/03/23 02:42:51 WARN security.UserGroupInformation: PriviledgedActionException as:hive/nightly514-1.vpc.cloudera....@vpc.cloudera.com (auth:KERBEROS) cause:org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request
    19/03/23 02:42:51 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://nightly514-1.vpc.cloudera.com:16000/kms/v1/] threw an IOException:
    java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my%2Fkey?user.name=hive, status: 400, message: Bad Request

4. Delete it with curl directly:

    [root@nightly514-1 hadoop-kms]# curl -i --negotiate -u : -X DELETE --insecure -v "https://nightly514-1.vpc.cloudera.com:16000/kms/v1/key/my/key"
    * About to connect() to nightly514-1.vpc.cloudera.com port 16000 (#0)
    * Trying 10.65.28.216...
    * Connected to nightly514-1.vpc.cloudera.com (10.65.28.216) port 16000 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate:
    * subject: CN=nightly514-1.vpc.cloudera.com,OU=Engineering,O=Cloudera,L=San Francsico,ST=CA,C=US
    * start date: Mar 23 08:24:49 2019 GMT
    * expire date: Mar 22 08:24:49 2020 GMT
    * common name: nightly514-1.vpc.cloudera.com
    * issuer: CN=Cloudera Intermediate Test CA,OU=Engineering,O=Cloudera,ST=CA,C=US
    > DELETE /kms/v1/key/my/key HTTP/1.1
    > Authorization: Negotiate ...
    > User-Agent: curl/7.29.0
    > Host: nightly514-1.vpc.cloudera.com:16000
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK

5. Listing to ensure the key is gone now:

    [root@nightly514-1 hadoop-kms]# hadoop key list
    Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7161d8d1
    hbase
    mapred
    hive
    systest
    hue
    solr
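
The encoding mismatch described in the report, and the special-character filtering it proposes, shown as an added Python example (not Hadoop code and not part of the original message). The flagging policy (any character that percent-encoding alters), the function names and the key listing are assumptions constructed for illustration.

```python
"""Flag KMS key names that change when sent as one URL path segment."""
from urllib.parse import quote


def encoded_segment(name):
    """Percent-encode a key name as a single path segment (my/key -> my%2Fkey)."""
    return quote(name, safe="")


def check_key_name(name):
    """Return the reasons a key name should be refused; an empty list means OK."""
    if not name:
        return ["empty name"]
    problems = []
    if "/" in name:
        # The case from the report: the name no longer matches the stored key path.
        problems.append("contains '/': sent as " + encoded_segment(name))
    # Assumed conservative policy: also flag any other character that
    # percent-encoding alters, not only the slash seen in the report.
    others = sorted({c for c in name if c != "/" and quote(c, safe="") != c})
    if others:
        problems.append("altered by percent-encoding: " + " ".join(map(repr, others)))
    return problems


def audit_key_list(listing):
    """Scan `hadoop key list` output and map each risky key name to its problems."""
    report = {}
    for line in listing.splitlines():
        name = line.strip()
        if not name or name.startswith("Listing keys for KeyProvider"):
            continue
        problems = check_key_name(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample in the listing format shown in the report (provider id is a placeholder).
SAMPLE = """Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@0000000
hbase
my/key
hive
"""

if __name__ == "__main__":
    for key, reasons in audit_key_list(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```

Running `check_key_name` before key creation, or `audit_key_list` over an existing listing, identifies names that will need the direct REST call from step 4 to delete.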