question Re: Key Trustee KMS Proxy ACLs confusion in Archives of Support Questions (Read Only)

Key Trustee KMS Proxy ACLs confusion

Nae2Ju7w — Wed, 30 Aug 2017 18:31:35 GMT

In the Cloudera Security Guide, step 6 on page 303 for adding a Key Trusteee KMS Service says "To generate the recommended ACLS, enter the username and group responsible for managing cryptographic keys and click Generate ACLs."

Are the username and group mentioned in this step arbitrary or is it referencing a username and group that should have been created as part of some previous configuration?

Re: Key Trustee KMS Proxy ACLs confusion

Nae2Ju7w — Thu, 31 Aug 2017 06:16:09 GMT

The username and/or group should be a user present in Linux and Kerberos that you have designated as the user responsible for managing keys on your cluster, and you can use an existing user/group or create a new one as makes sense in your environment. Typically this would be a group of administrators who you would entrust to configure security for you, so that only one user or a handful of users can grant access.