HDFS Encryption Troubleshooting
This topic contains HDFS Encryption-specific troubleshooting information in the form of issues you might face when encrypting HDFS files/directories and their workarounds.
Retrieval of encryption keys fails
DistCp between unencrypted and encrypted locations fails
Cannot move encrypted files to trash
NameNode - KMS communication fails after long periods of inactivity
Description
Encrypted files and encryption zones cannot be created if a long period of time (by default, 20 hours) has passed since the last time the KMS and NameNode communicated.
Solution
For lower CDH 5 releases, there are two possible workarounds for this issue:
- You can increase the KMS authentication token validity period to a very high number. Since the default value is 10 hours, this bug will only be encountered after 20 hours of no communication between the NameNode and the KMS. Add the following property to the kms-site.xml Safety Valve:
<property>
  <name>hadoop.kms.authentication.token.validity</name>
  <value>SOME VERY HIGH NUMBER</value>
</property>
- You can switch the KMS signature secret provider to the string secret provider by adding the following property to the kms-site.xml Safety Valve:
<property>
  <name>hadoop.kms.authentication.signature.secret</name>
  <value>SOME VERY SECRET STRING</value>
</property>
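A pre-deployment check for either workaround above, as an added example that is not part of the original page or of any Cloudera tooling: it parses a Safety Valve snippet, flags placeholders left in place and a validity no higher than the 10-hour default, and generates a random signature secret. It assumes the validity value is given in seconds (as in Hadoop's authentication filter); MIN_SECRET_LEN and the function names are illustrative.

```python
import secrets
import xml.etree.ElementTree as ET

VALIDITY = "hadoop.kms.authentication.token.validity"
SECRET = "hadoop.kms.authentication.signature.secret"
DEFAULT_VALIDITY_S = 10 * 3600   # the page gives the default as 10 hours
MIN_SECRET_LEN = 32              # illustrative threshold, not a Cloudera requirement


def parse_props(fragment):
    """Safety Valve snippets are bare <property> elements, so wrap them in a root."""
    root = ET.fromstring(f"<configuration>{fragment}</configuration>")
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def check_fragment(fragment):
    """Return a list of problems found in a kms-site.xml Safety Valve snippet."""
    props, findings = parse_props(fragment), []
    if VALIDITY not in props and SECRET not in props:
        findings.append("neither workaround property is set")
    if VALIDITY in props:
        value = props[VALIDITY]
        if not (value.isascii() and value.isdigit()):
            findings.append(f"{VALIDITY}: {value!r} is not a whole number of seconds")
        elif int(value) <= DEFAULT_VALIDITY_S:
            findings.append(f"{VALIDITY}: {value}s does not exceed the 10-hour default")
    if SECRET in props:
        value = props[SECRET]
        if "SECRET STRING" in value.upper():
            findings.append(f"{SECRET}: documentation placeholder left in place")
        elif len(value) < MIN_SECRET_LEN or len(set(value)) < 10:
            findings.append(f"{SECRET}: too short or repetitive to resist guessing")
    return findings


def new_secret_property():
    """Render the second workaround with a CSPRNG-generated secret (48 random bytes)."""
    return (f"<property><name>{SECRET}</name>"
            f"<value>{secrets.token_urlsafe(48)}</value></property>")


if __name__ == "__main__":
    # Constructed input: the page's two placeholders pasted unchanged.
    pasted = (f"<property><name>{VALIDITY}</name><value>SOME VERY HIGH NUMBER</value></property>"
              f"<property><name>{SECRET}</name><value>SOME VERY SECRET STRING</value></property>")
    for finding in check_fragment(pasted):
        print("FAIL:", finding)
    print(check_fragment(new_secret_property()) or "generated secret property: OK")
```

With the string provider the secret sits in the KMS configuration itself, so anyone who can read that configuration can read the secret.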