Community Articles
Find and share helpful community-sourced technical articles

ENVIRONMENT: HDP 2.3.4, Ambari 2.2.1

SYMPTOMS: After creating an encryption zone and attempting to move data in this zone "Authentication Required" errors are reported in the kms-audit.log.

2016-11-15 09:06:40,561 UNAUTHENTICATED RemoteHost:W.X.Y.Z 
Method:OPTIONS URL: ErrorMsg:'Authentication required'

The issue reproduces only in ambari-view and not via HDFS commands. Following errors are reported from browser.

500 GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 

ROOT CAUSE: For webhdfs to work with TDE, Ranger KMS must be configured to allow hdfs user to access all keys. This is a configuration issue in Ranger KMS. Ambari deploys default configuration where hdfs user is not allowed. This is a known behavior reported in BUG-45012

          Blacklist for decrypt EncryptedKey
          CryptoExtension operations

SOLUTION: Upgrade to HDP 2.3.6

WORKAROUND: Since its a security issue, please log a case with HWX support team for any suggestions about possible workarounds.