+1 for KMS proxy user settings.

On Fri, 3 Aug 2018 at 1:42 AM, Ashish Tadose <[email protected]> wrote:

> Thanks a ton, will try this out.
>
> On Fri, 3 Aug 2018 at 1:12 AM, Wei-Chiu Chuang <[email protected]> wrote:
>
>> Hi, this is a supported use case.
>> Please make sure you configure the KMS proxy user correctly as well (it
>> is separate from the HDFS proxy user settings).
>>
>> https://hadoop.apache.org/docs/current/hadoop-kms/index.html#KMS_Proxyuser_Configuration
>>
>> On Thu, Aug 2, 2018 at 12:30 PM Ashish Tadose <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Does HDFS user impersonation work on an HDFS encrypted zone backed by
>>> Ranger KMS?
>>>
>>> Our Hadoop environment is configured with Kerberos and also supports
>>> creating an encrypted zone in HDFS via Ranger KMS.
>>>
>>> A specific application id has HDFS user impersonation access to
>>> impersonate users of a certain group, which works flawlessly on normal HDFS
>>> folders; however, the same is not working on encrypted zones.
>>>
>>> PFB - masked log extract
>>>
>>> WARN kms.LoadBalancingKMSClientProvider: KMS provider at
>>> [<host>/kms/v1/] threw an IOException!!
>>> java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException:
>>> Authentication failed, URL:
>>> <host>/kms/v1/keyversion/<group>%400/_eek?eek_op=decrypt&doAs=<user1>&user.name=<service-user>,
>>> status: 403, message: Forbidden
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:551)
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:831)
>>>     at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:207)
>>>     at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:203)
>>>     at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:95)
>>>     at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:203)
>>>     at org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.decryptEncryptedKey(KeyProviderCryptoExtension.java:388)
>>>     at org.apache.hadoop.hdfs.DFSClient.decryptEncryptedDataEncryptionKey(DFSClient.java:1393)
>>>     at org.apache.hadoop.hdfs.DFSClient.createWrappedInputStream(DFSClient.java:1463)
>>>     at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:333)
>>>     at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:327)
>>>     at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
>>>     at org.apache.hadoop.hdfs.DistributedFileSystem.open(DistributedFileSystem.java:340)
>>>     at com.wandisco.fs.client.ReplicatedFC.open(ReplicatedFC.java:752)
>>>     at com.wandisco.fs.client.ReplicatedFC.xlateAndOpen(ReplicatedFC.java:377)
>>>     at com.wandisco.fs.client.FusionHdfs.open(FusionHdfs.java:452)
>>>     at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:786)
>>>     at <masked-package>.EncryptFsTest.readFile(EncryptFsTest.java:118)
>>>     at <masked-package>.EncryptFsTest$1.run(EncryptFsTest.java:71)
>>>     at <masked-package>.kerberos.EncryptFsTest$1.run(EncryptFsTest.java:69)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAs(Subject.java:422)
>>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>>>
>>> Thanks in advance.
>>>
>>> Regards,
>>> Ashish
>>
>> --
>> A very happy Hadoop contributor

--
Sent from iPhone
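The point of the thread is that the KMS runs its own proxy-user (doAs) check, driven by the hadoop.kms.proxyuser.<user>.users / .groups / .hosts properties in kms-site.xml, and it does not consult the hadoop.proxyuser.* entries in core-site.xml that make impersonation work on plain HDFS paths. When the service user is authorized in core-site.xml but not in kms-site.xml, the NameNode happily resolves the file, but the client's request to the KMS to decrypt the EEK with doAs=<user1> is rejected, which is the 403 Forbidden in the log above. The Python below is an added example written for this thread, not code from Hadoop or Ranger: it models Hadoop's proxy-user decision (target user in the users list or sharing a group with the groups list, AND the caller's host in the hosts list, with '*' as a wildcard and a missing property treated as deny) and applies it to two constructed kms-site.xml fragments, one without and one with the KMS-side grant. The user svcapp, group analysts, and the hosts are made-up values; whether Ranger KMS reads exactly these property names from its own kms-site.xml is an assumption to verify against your Ranger version.

```python
"""Model of the Hadoop proxy-user (doAs) check as the KMS applies it.

Added example for this thread, not Hadoop or Ranger code.  It reads the
hadoop.kms.proxyuser.<user>.{users,groups,hosts} properties documented on
the KMS Proxyuser Configuration page and reproduces the decision that ends
in "status: 403, message: Forbidden" when they are missing.  svcapp,
analysts and the hosts below are made-up values.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed kms-site.xml: Kerberos on, but no KMS proxyuser entries.  A
# cluster in this state can still have hadoop.proxyuser.svcapp.* in
# core-site.xml, so plain HDFS impersonation works and only EZ reads fail.
KMS_SITE_NO_PROXYUSER = """<configuration>
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>kerberos</value>
  </property>
</configuration>
"""

# Constructed kms-site.xml with the KMS-side grant: svcapp may act for
# members of group 'analysts' from one subnet or one named edge host.
KMS_SITE_WITH_PROXYUSER = """<configuration>
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.kms.proxyuser.svcapp.groups</name>
    <value>analysts</value>
  </property>
  <property>
    <name>hadoop.kms.proxyuser.svcapp.hosts</name>
    <value>10.0.0.0/24,edge1.example.com</value>
  </property>
</configuration>
"""


def load_conf(xml_text):
    """Parse a Hadoop *-site.xml string into a {name: value} dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            conf[name] = (prop.findtext("value") or "").strip()
    return conf


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def host_allowed(allowed_hosts, remote_host):
    """'*' matches everything; otherwise exact hostname/IP or CIDR match."""
    if "*" in allowed_hosts:
        return True
    for entry in allowed_hosts:
        if entry == remote_host:
            return True
        if "/" in entry:
            try:
                if ipaddress.ip_address(remote_host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # remote_host is a hostname, not an address
                continue
    return False


def proxyuser_allowed(conf, prefix, real_user, target_user, target_groups, remote_host):
    """Impersonation decision for authenticated real_user asking to act as
    target_user (doAs) from remote_host.  Allowed only if target_user is in
    <prefix>.<real_user>.users or shares a group with <prefix>.<real_user>.groups,
    AND remote_host matches <prefix>.<real_user>.hosts.  Missing property => deny.
    """
    if real_user == target_user:
        return True  # no impersonation requested
    users = _csv(conf.get(f"{prefix}.{real_user}.users", ""))
    groups = _csv(conf.get(f"{prefix}.{real_user}.groups", ""))
    hosts = _csv(conf.get(f"{prefix}.{real_user}.hosts", ""))
    user_ok = ("*" in users or target_user in users
               or "*" in groups or any(g in groups for g in target_groups))
    return user_ok and host_allowed(hosts, remote_host)


def kms_eek_decrypt_status(kms_conf, real_user, do_as, do_as_groups, remote_host):
    """HTTP status the KMS gives .../_eek?eek_op=decrypt&doAs=<do_as> when
    real_user is the authenticated caller: 200 if the hadoop.kms.proxyuser
    rules allow the doAs, else 403 Forbidden as in the thread's log."""
    ok = proxyuser_allowed(kms_conf, "hadoop.kms.proxyuser",
                           real_user, do_as, do_as_groups, remote_host)
    return 200 if ok else 403


if __name__ == "__main__":
    for label, xml in (("no KMS proxyuser", KMS_SITE_NO_PROXYUSER),
                       ("with KMS proxyuser", KMS_SITE_WITH_PROXYUSER)):
        status = kms_eek_decrypt_status(load_conf(xml), "svcapp", "alice",
                                        ["analysts"], "10.0.0.7")
        print(f"{label}: decrypt EEK doAs=alice -> {status}")
```

Two practical checks follow from the model: the hosts list is matched against the address the KMS sees the request coming from, so clients behind a NAT or going through a load balancer need that address (or a CIDR covering it) listed, and the groups are those of the impersonated user as the KMS host resolves them, so a group mapping that differs between the NameNode and the KMS host will pass on HDFS and still fail here.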
