https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170328#M25274 <P>But turning off Kerberos auth is not an option for me.</P> Fri, 15 Apr 2016 19:32:24 GMT sadek_mostefai 2016-04-15T19:32:24Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170326#M25272 <P>Hi, </P><P>Since I've enabled Kerberos I cannot get the keyadmin user to list the previously created keys or create new ones. First I noticed that the keyadmin principal hadn't been created along the other ones during the Kerberos set up. I did add it manually following these instructions: </P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03.html</A> </P><P>Also part 6.b is not very clear to me at </P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_KMS_Admin_Guide/content/ch02s01.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_KMS_Admin_Guide/content/ch02s01.html</A> </P><P>What values are those attributes supposed to have? </P><P>The error I see in the kms-audit.log file is: </P><P>2016-04-14 18:54:57,923 UNAUTHENTICATED RemoteHost:xxxxxxxx Method:GET URL:http://xxxxxxxxxx:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required' Thanks, Sadek</P> Fri, 15 Apr 2016 06:27:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170326#M25272 sadek_mostefai 2016-04-15T06:27:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170327#M25273 <P>Same problem here on HDP 2.3.4 with Ambari 2.2.0</P><P>Changing hadoop.kms.authentication.type to simple works fine. </P> Fri, 15 Apr 2016 18:17:32 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170327#M25273 rahulpathak109 2016-04-15T18:17:32Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170328#M25274 <P>But turning off Kerberos auth is not an option for me.</P> Fri, 15 Apr 2016 19:32:24 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170328#M25274 sadek_mostefai 2016-04-15T19:32:24Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170329#M25275 <A rel="user" href="https://community.cloudera.com/users/6068/sadek-mostefai.html" nodeid="6068">@Sadek M</A><P>Please first configure KMS for Kerberos authentication.</P><P>Use <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Ranger_KMS_Admin_Guide/content/ch02s01.html">second</A> link you have mentioned in your question.</P><P>Regarding point 6b</P><P>Add values for the following properties in the "Custom kms-site" section. These properties allow the specified system users (<CODE>hive</CODE>, <CODE>oozie</CODE>, and others) to proxy on behalf of other users when communicating with Ranger KMS. This helps individual services (such as Hive) use their own keytabs, but retain the ability to access Ranger KMS as the end user (use access policies associated with the end user).</P><UL> <LI><CODE>hadoop.kms.proxyuser.hive.users</CODE></LI><LI><CODE>hadoop.kms.proxyuser.oozie.users</CODE></LI><LI><CODE>hadoop.kms.proxyuser.HTTP.users</CODE></LI><LI><CODE>hadoop.kms.proxyuser.ambari.users</CODE></LI><LI><CODE>hadoop.kms.proxyuser.yarn.users</CODE></LI><LI><CODE>hadoop.kms.proxyuser.hive.hosts</CODE></LI><LI><CODE>hadoop.kms.proxyuser.oozie.hosts</CODE></LI><LI><CODE>hadoop.kms.proxyuser.HTTP.hosts</CODE></LI><LI><CODE>hadoop.kms.proxyuser.ambari.hosts</CODE></LI><LI><CODE>hadoop.kms.proxyuser.yarn.hosts</CODE></LI></UL><P>These properties are for user impersonation</P> Sun, 17 Apr 2016 12:30:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170329#M25275 KuldeepK 2016-04-17T12:30:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170330#M25276 <P><A rel="user" href="https://community.cloudera.com/users/6068/sadek-mostefai.html" nodeid="6068">@Sadek M</A> </P><P>I was able to resolve it after restarting Ranger Service.</P><P>Ambari does not prompt for restarting Ranger service, but prompt for only Ranger Kms. </P><P>Be sure to edit the repository username from Ranger UI by logging in as keyadmin user.</P><P>Changing user from Ambari does not work. </P><P>Set values of below to *</P><UL><LI><CODE>hadoop.kms.proxyuser.hive.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.oozie.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.HTTP.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.ambari.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.yarn.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.hive.hosts=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.oozie.hosts=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.HTTP.hosts=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.ambari.hosts=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.yarn.hosts=*</CODE></LI></UL> Sun, 17 Apr 2016 13:56:25 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170330#M25276 rahulpathak109 2016-04-17T13:56:25Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170331#M25277 <P>That did it!. </P> Mon, 18 Apr 2016 18:10:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170331#M25277 sadek_mostefai 2016-04-18T18:10:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170332#M25278 <P><A rel="user" href="https://community.cloudera.com/users/872/rahulpathak109.html" nodeid="872">@Rahul Pathak</A> </P><P>That didn't quite fix everything though. I was trying to put a file in an (hdfs) encryted zone and got the follwoing exception:</P><P>put: java.util.concurrent.ExecutionException: org.apache.hadoop.security.authorize.AuthorizationException: User:nn not allowed to do 'GENERATE_EEK' on 'mykey'.</P><P>The nn procipal should map to the 'hdfs' OS user according to the entry in </P><P>hadoop.security.auth_to_local: RULE:[2:$1@$0](nn@MYREALM.COM)s/.*/hdfs/</P><P>Even after adding similar properties as above to the hdfs user </P><UL> <LI><CODE>hadoop.kms.proxyuser.hdfs.users=*</CODE></LI><LI><CODE>hadoop.kms.proxyuser.hdfs.hosts=*</CODE></LI></UL><P>And allowing all permissions to 'hdfs' user in the KMS policy.</P> Tue, 19 Apr 2016 00:24:15 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170332#M25278 sadek_mostefai 2016-04-19T00:24:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170333#M25279 <P><A rel="user" href="https://community.cloudera.com/users/6068/sadek-mostefai.html" nodeid="6068">@Sadek M</A> </P><P>If I understand this correctly, you are trying to use TDE with hdfs user.</P><P>This will not work because hdfs user is blacklisted for TDE operations. </P><P>Here is note from Hortonworks Doc.</P><P>For separation of administrative roles, do not use the <CODE>hdfs</CODE> user to create encryption zones. Instead, designate another administrative account for creating encryption keys and zones. See <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_hdfs_admin_tools/content/hdfs-encr-appendix.html">Creating an HDFS Admin User</A> for more information.</P> Tue, 19 Apr 2016 10:19:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/keyadmin-user-not-working-after-enabling-Kerberos/m-p/170333#M25279 rahulpathak109 2016-04-19T10:19:14Z