
I'm trying to set up HDFS encryption with Ranger KMS on HDP 2.4.

I was able to deploy and configure the KMS service. I've created a key and an access policy to grant all permissions to hdfs user for operating with this key.

I'm able to create an encrypted zone with

    sudo -u hdfs hdfs dfs -mkdir /data_enc
    sudo -u hdfs hdfs crypto -createZone -keyName hdfskey -path /data_enc

However when I try to put a file into the directory, I get this error:

    sudo -u hdfs hdfs dfs -put /tmp/file.txt /data_enc/
    ...
    User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdfskey'

The hdfs user has all permissions for this key, including DECRYPT_EEK. Does anyone know what could be going wrong?

Dennis Jaheruddin
facha

1 Answer

The hdfs user is blacklisted by default for decrypt operations in Ranger.
It is possible that this blacklisting is overriding the DECRYPT_EEK permission granted on the key.

Edit the property hadoop.kms.blacklist.DECRYPT_EEK, either in the Advanced dbks-site menu in Ranger or in dbks-site.xml.

franklinsijo
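As an added illustration (not part of the answer above), this is what the relevant property looks like in Ranger KMS's dbks-site.xml. The property name and its HDP default value of hdfs are as shipped; the comments describing the alternative are my own. One caveat worth keeping in mind before changing it: the blacklist is deliberate. The HDFS superuser can already read every file's ciphertext, so blacklisting hdfs from DECRYPT_EEK is exactly what keeps a compromise of the hdfs account from yielding plaintext. Clearing it to get a quick test working is fine; for a real deployment, leave hdfs blacklisted and write into the zone as a dedicated application user that has been granted DECRYPT_EEK on the key in the Ranger KMS policy.

```xml
<!-- Added example: the DECRYPT_EEK blacklist as found in Ranger KMS's
     dbks-site.xml on HDP 2.4. This is not the answer's own text; it shows
     the setting the answer refers to. -->
<configuration>

  <!-- Default as shipped with HDP: the HDFS superuser is blacklisted for
       DECRYPT_EEK. The KMS evaluates this blacklist before the per-key
       Ranger policy, which is why granting hdfs DECRYPT_EEK on "hdfskey"
       still yields:
         User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdfskey'
       Leaving hdfs here is the secure default: the superuser can read any
       ciphertext, and this is what stops it from obtaining the plaintext. -->
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs</value>
  </property>

  <!-- To lift the block for a test, replace the value above with an empty
       value (no user blacklisted) and restart Ranger KMS so it re-reads the
       configuration. On an Ambari-managed cluster make the change in the
       Ranger KMS "Advanced dbks-site" section rather than editing the file
       directly, otherwise the next config push overwrites it.

       <property>
         <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
         <value></value>
       </property>
  -->

</configuration>
```

In practice the least-privilege route is to keep the blacklist as is and run the `hdfs dfs -put` as a non-superuser account (for example, the service account that will own the data) after giving that account DECRYPT_EEK on the key in the Ranger KMS policy; that removes the error without widening what the hdfs superuser can decrypt.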