https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220167#M62973 <P>Hi team,</P><P>I have couple of questions on functionality.</P><P>What I have expected to using Ranger KMS is when the data is written in encrypted zone, the data should be in human readable but as below:</P><PRE>$ hdfs dfs -get /data/protegrity/data4.dat ./encrypted_data4.dat $ cat encrypted_data4.dat 1AY&amp;SX—“#„bd3ƒ'• DE_ENC256®&#127;XQy”ª8@¿UuaùfšÆe4@ãoNVÕh¡}69þC$8¤ÌªÒÓ»Ö]\GR®´éXûš™?âëD }‹]ê~+¨ÑN•Ä²z?iÄÝ 5ùDüt.ïÆ,+í/–öõZ9õXÙ+]R_&#141;#Ä×â6&gt; ¦KÂœÌ'„J çÜÑâ,OzÝi.Ú&#129;^4WG­±´± 2P‹q&#144;ããE¼iåsLH'xH×oÚ6_ˆ'„ôE¦¯î©{_Hç˃ðîËíÒ†t¾+’:ÁÓ‡›°àå&#129;7¢@fH“9¾XTd/F'Îc9«þí òûHýÁN‰QO4y5ànG¤wš2¢»&lt;</PRE><P>Is this possible using Ranger KMS?</P><P>Secondly is it possible to do column level encryption in Hive/HBase using Ranger KMS?</P><P>Example as below:</P><PRE>0: jdbc:hive2://hortonworks.com&gt; select * from table4; +------------+---------------+---------------+-----------------------+------------------------+---------------------+ | table4.id | table4.fname | table4.lname | table4.fake_prim_nss | table4.fake_secnd_nss | table4.fake_bod_dt | +------------+---------------+---------------+-----------------------+------------------------+---------------------+ | 1 | Sridhar | Reddy | 123456789 | 123456789 | 1990-03-23 | | 2 | Happy | Tom | 234567890 | 234567890 | 1971-02-10 | | 3 | Jun | Yu | 345678901 | 345678901 | 1972-10-23 | +------------+---------------+---------------+-----------------------+------------------------+---------------------+ 5 rows selected (0.255 seconds) 0: jdbc:hive2://hortonworks.com&gt; select id, fname, lname, ptyProtectStr(cast(fake_prim_nss as string),'DE_nss23') as fake_prim_nss, fake_secnd_nss, fake_bod_dt, fake_bod_tms from table4; +-----+---------+--------+----------------+-----------------+--------------+ | id | fname | lname | fake_prim_nss | fake_secnd_nss | fake_bod_dt | +-----+---------+--------+----------------+-----------------+--------------+ | 2 | Happy | Tom | 682585704 | 234567890 | 1971-02-10 | | 1 | Sridhar | Reddy | 115506653 | 123456789 | 1990-03-23 | | 3 | Jun | Yu | 874950339 | 345678901 | 1972-10-23 | +-----+---------+--------+----------------+-----------------+--------------+</PRE><P>Thirdly, how Ranger KMS will honor when you set hive doAs=false.</P><P>Any needful help is highly appreciated. Thanks in advance.</P> Thu, 15 Jun 2017 23:03:46 GMT bandarusridhar1 2017-06-15T23:03:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220167#M62973 <P>Hi team,</P><P>I have couple of questions on functionality.</P><P>What I have expected to using Ranger KMS is when the data is written in encrypted zone, the data should be in human readable but as below:</P><PRE>$ hdfs dfs -get /data/protegrity/data4.dat ./encrypted_data4.dat $ cat encrypted_data4.dat 1AY&amp;SX—“#„bd3ƒ'• DE_ENC256®&#127;XQy”ª8@¿UuaùfšÆe4@ãoNVÕh¡}69þC$8¤ÌªÒÓ»Ö]\GR®´éXûš™?âëD }‹]ê~+¨ÑN•Ä²z?iÄÝ 5ùDüt.ïÆ,+í/–öõZ9õXÙ+]R_&#141;#Ä×â6&gt; ¦KÂœÌ'„J çÜÑâ,OzÝi.Ú&#129;^4WG­±´± 2P‹q&#144;ããE¼iåsLH'xH×oÚ6_ˆ'„ôE¦¯î©{_Hç˃ðîËíÒ†t¾+’:ÁÓ‡›°àå&#129;7¢@fH“9¾XTd/F'Îc9«þí òûHýÁN‰QO4y5ànG¤wš2¢»&lt;</PRE><P>Is this possible using Ranger KMS?</P><P>Secondly is it possible to do column level encryption in Hive/HBase using Ranger KMS?</P><P>Example as below:</P><PRE>0: jdbc:hive2://hortonworks.com&gt; select * from table4; +------------+---------------+---------------+-----------------------+------------------------+---------------------+ | table4.id | table4.fname | table4.lname | table4.fake_prim_nss | table4.fake_secnd_nss | table4.fake_bod_dt | +------------+---------------+---------------+-----------------------+------------------------+---------------------+ | 1 | Sridhar | Reddy | 123456789 | 123456789 | 1990-03-23 | | 2 | Happy | Tom | 234567890 | 234567890 | 1971-02-10 | | 3 | Jun | Yu | 345678901 | 345678901 | 1972-10-23 | +------------+---------------+---------------+-----------------------+------------------------+---------------------+ 5 rows selected (0.255 seconds) 0: jdbc:hive2://hortonworks.com&gt; select id, fname, lname, ptyProtectStr(cast(fake_prim_nss as string),'DE_nss23') as fake_prim_nss, fake_secnd_nss, fake_bod_dt, fake_bod_tms from table4; +-----+---------+--------+----------------+-----------------+--------------+ | id | fname | lname | fake_prim_nss | fake_secnd_nss | fake_bod_dt | +-----+---------+--------+----------------+-----------------+--------------+ | 2 | Happy | Tom | 682585704 | 234567890 | 1971-02-10 | | 1 | Sridhar | Reddy | 115506653 | 123456789 | 1990-03-23 | | 3 | Jun | Yu | 874950339 | 345678901 | 1972-10-23 | +-----+---------+--------+----------------+-----------------+--------------+</PRE><P>Thirdly, how Ranger KMS will honor when you set hive doAs=false.</P><P>Any needful help is highly appreciated. Thanks in advance.</P> Thu, 15 Jun 2017 23:03:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220167#M62973 bandarusridhar1 2017-06-15T23:03:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220168#M62974 <P>1] Since KMS supports HDFS TDE (Transparent data encryption), client will decrypt the file during read so real content will be shown. If interested in seeing actual encrypted data, /.reserved/raw/&lt;directory-path&gt;/&lt;filename&gt; can be used. </P><P>2] Since the entire hive warehouse or hbase data dir is encrypted with HDFS TDE, column level encryption is not required. </P><P>3] If hive doAs is false, then hive user needs to be setup as proxy user in KMS. </P> Thu, 15 Jun 2017 23:18:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220168#M62974 vperiasamy 2017-06-15T23:18:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220169#M62975 <P><A rel="user" href="https://community.cloudera.com/users/47/vperiasamy.html" nodeid="47">@vperiasamy</A> </P><P>Awesome.</P><P>Can you please even let me know the permissions/functionality of below in Ranger KMS UI, it would be helpful if you can share any notes or links</P><PRE>Get Set Key Materials Get Keys Get Metadata</PRE><P>After installing Ranger KMS even though if the user is not having any permissions on location '/data/protegrity/' from Ranger, and having 'Decrypt EEK' permissions from Ranger KMS UI, user is able to read the data. My question is now, will the Ranger permissions(Read, Write, Create) will not honored on encrypted zone?</P> Thu, 15 Jun 2017 23:40:21 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220169#M62975 bandarusridhar1 2017-06-15T23:40:21Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220170#M62976 <P><A rel="user" href="https://community.cloudera.com/users/5746/bandarusridhar1.html" nodeid="5746">@Sridhar Reddy</A> - HDFS/Ranger permissions will continue to work as-is on encryption zone. If there are audit logs, please check how the user is getting read access to the folder (whether through Ranger ACL or Hadoop ACL). </P><P>Refer <A href="https://hadoop.apache.org/docs/r2.8.0/hadoop-kms/index.html#ACLs_Access_Control_Lists">this link</A> for KMS ACL. </P> Thu, 15 Jun 2017 23:51:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220170#M62976 vperiasamy 2017-06-15T23:51:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220171#M62977 <P><A rel="user" href="https://community.cloudera.com/users/47/vperiasamy.html" nodeid="47">@vperiasamy</A></P><P>Thanks for confirm that Ranger ACL will work as-is. I will debug on it. Thanks for the help, you are the best... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 15 Jun 2017 23:56:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-KMS-functionality-behavior/m-p/220171#M62977 bandarusridhar1 2017-06-15T23:56:31Z