HopsSSLSocketFactory should fall back to the default ssl-client configuration if the file exists but is not readable


HopsSSLSocketFactory consults ssl-client.xml IF it exists for configuration properties regarding the reloading key managers. In general we do NOT use this file for configuration as HopsSSLSocketFactory will auto-discover the filepath to the necessary cryptographic material. If the file doesn't exist, then the default values will be used.

Some operations, such as dfs fsck, use the web interface of HDFS to issue commands. The web-client initializes the SSLContext and, because it does not use HopsSSLSocketFactory, it needs the ssl-client.xml file to read the configuration. So we template ssl-client.xml with very restrictive permissions.

In that case, when a user makes an RPC call, it goes through HopsSSLSocketFactory, which looks for ssl-client.xml to read the configuration. The file exists now, but the user is not allowed to read it, so the read throws a FileNotFoundException.

HopsSSLSocketFactory consults ssl-client.xml only for reloading intervals, so the configuration is not critical. If we get an IOException while reading the file, we should catch it and fall back to the default values.
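
The failure mode and the proposed fallback, as an added, simplified sketch that is not the HopsSSLSocketFactory code. It assumes a hypothetical property name and default value, and it reads a plain `.properties` file as a stand-in for the Hadoop XML format of ssl-client.xml.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Properties;

public class SslClientConfFallback {
    // Hypothetical key and default; not the names HopsSSLSocketFactory uses.
    static final String RELOAD_INTERVAL_KEY = "example.keymanager.reload.interval.ms";
    static final long DEFAULT_RELOAD_INTERVAL_MS = 60_000L;

    /** Reload interval from confFile, or the default if it is missing, unreadable or malformed. */
    static long reloadIntervalMs(File confFile) {
        if (!confFile.exists()) {
            return DEFAULT_RELOAD_INTERVAL_MS; // no file at all: defaults
        }
        Properties props = new Properties();
        // exists() says nothing about read permission. FileInputStream reports a
        // refused open as FileNotFoundException ("Permission denied").
        try (InputStream in = new FileInputStream(confFile)) {
            props.load(in);
        } catch (IOException e) {
            // The setting is non-critical, so record the reason and use the default.
            System.err.println("Cannot read " + confFile + ", using defaults: " + e.getMessage());
            return DEFAULT_RELOAD_INTERVAL_MS;
        }
        String v = props.getProperty(RELOAD_INTERVAL_KEY);
        if (v == null) return DEFAULT_RELOAD_INTERVAL_MS;
        try {
            return Long.parseLong(v.trim());
        } catch (NumberFormatException e) {
            return DEFAULT_RELOAD_INTERVAL_MS; // malformed value: defaults
        }
    }

    public static void main(String[] args) throws IOException {
        Path p = Files.createTempFile("ssl-client", ".properties"); // constructed sample file
        Files.write(p, (RELOAD_INTERVAL_KEY + "=5000\n").getBytes(StandardCharsets.UTF_8));
        System.out.println("readable:   " + reloadIntervalMs(p.toFile()));
        // Mimic the restrictive permissions on the templated file (POSIX only).
        Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("---------"));
        System.out.println("unreadable: " + reloadIntervalMs(p.toFile()));
        Files.delete(p);
    }
}
```

The second call reaches the catch branch only on a POSIX filesystem and when run as a non-root user, since root bypasses the file mode bits.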


Antonios Kouzoupis

