Skip to content

HDFS Repository fails when over-the-wire encryption is enabled #76734

New issue
New issue
Closed
#76897
Closed
HDFS Repository fails when over-the-wire encryption is enabled#76734
#76897
Labels
>bugTeam:Data ManagementMeta label for data/management team
@masseyke

Description

@masseyke
masseyke
opened on Aug 19, 2021

Elasticsearch version (bin/elasticsearch --version): 7.11.1

Plugins installed: [repository-hdfs]

JVM version (8 or 15):

Description of the problem including expected versus actual behavior:

Steps to reproduce:
If HDFS is configured to use over-the-wire encryption (i.e. dfs.encrypt.data.transfer is set to true), then the repository-hdfs plugin fails when creating a snapshot. The reason appears to be that this setting results in the HDFS client using CryptoOutputStream, which requires some additional runtime permissions that this plugin is not already granted.
To make matters worse, the version of CryptoOutputStream in the hadoop 2 client is not compatible with java 9 and later. It looks like this has only been addressed in the hadoop 3 client. Here is a stack trace on java 8:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.nio.ch")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_275]
at java.security.AccessController.checkPermission(AccessController.java:886) ~[?:1.8.0_275]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_275]
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564) ~[?:1.8.0_275]
at java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814) ~[?:1.8.0_275]
at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ~[?:1.8.0_275]
at org.apache.hadoop.crypto.CryptoStreamUtils.freeDB(CryptoStreamUtils.java:39) ~[?:?]
at org.apache.hadoop.crypto.CryptoInputStream.freeBuffers(CryptoInputStream.java:683) ~[?:?]
at org.apache.hadoop.crypto.CryptoInputStream.close(CryptoInputStream.java:317) ~[?:?]
at java.io.FilterInputStream.close(FilterInputStream.java:181) ~[?:1.8.0_275]
at org.apache.hadoop.hdfs.DataStreamer.closeStream(DataStreamer.java:996) ~[?:?]
at org.apache.hadoop.hdfs.DataStreamer.closeInternal(DataStreamer.java:839) ~[?:?]
at org.apache.hadoop.hdfs.DataStreamer.run(DataStreamer.java:834) ~[?:?]

Metadata

Metadata

Assignees

No one assigned

    Labels

    >bugTeam:Data ManagementMeta label for data/management team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions