
ENVIRONMENT: HDP 2.3.4, Ambari 2.2.1

SYMPTOMS: After creating an encryption zone and attempting to move data into this zone, "Authentication Required" errors are reported in kms-audit.log.

2016-11-15 09:06:40,561 UNAUTHENTICATED RemoteHost:W.X.Y.Z Method:OPTIONS URL:http://hdp02.example.com:9292/kms/v1/keyversion/e1dw_dev_enc_key%400/_eek?eek_op=decrypt&doAs=test ErrorMsg:'Authentication required'

The issue reproduces only through the Ambari view, not via HDFS commands. The following error is reported in the browser.

500 org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 

ROOT CAUSE: For WebHDFS to work with TDE, Ranger KMS must be configured to allow the hdfs user to access all keys. This is a configuration issue in Ranger KMS: Ambari deploys a default configuration in which the hdfs user is blacklisted for the DECRYPT_EEK operation. This is a known behavior reported in BUG-45012.

<property>
  <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
  <value>hdfs</value>
  <description>
    Blacklist for decrypt EncryptedKey
    CryptoExtension operations
  </description>
</property>
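To check a cluster for the condition described above, here is an added example (not from the original article and not Ambari or Ranger code) in Python that reads the blacklist property from a kms-site.xml fragment and parses entries in the kms-audit.log format quoted above. The XML fragment and the audit line are constructed from the values on this page; the RemoteHost value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed kms-site.xml fragment containing the Ambari default quoted above.
KMS_SITE_XML = """<configuration>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs</value>
  </property>
</configuration>"""
# Constructed line in the kms-audit.log format quoted above (RemoteHost is a placeholder).
AUDIT_LINE = ("2016-11-15 09:06:40,561 UNAUTHENTICATED RemoteHost:W.X.Y.Z Method:OPTIONS "
              "URL:http://hdp02.example.com:9292/kms/v1/keyversion/e1dw_dev_enc_key%400/_eek"
              "?eek_op=decrypt&doAs=test ErrorMsg:'Authentication required'")
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<status>\S+) RemoteHost:(?P<host>\S+) Method:(?P<method>\S+) "
    r"URL:(?P<url>\S+) ErrorMsg:'(?P<msg>[^']*)'")


def kms_properties(xml_text):
    """Return {name: value} for every <property> in a kms-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip() for p in root.iter("property")}


def blacklisted_users(props, op="DECRYPT_EEK"):
    """Users named in hadoop.kms.blacklist.<op> (comma separated, may be absent)."""
    raw = props.get("hadoop.kms.blacklist." + op, "")
    return {u.strip() for u in raw.split(",") if u.strip()}


def parse_audit_line(line):
    """Split one kms-audit.log entry into fields, adding eek_op and doAs from the URL query."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    query = parse_qs(urlparse(entry["url"]).query)
    entry["eek_op"] = query.get("eek_op", [None])[0]
    entry["doAs"] = query.get("doAs", [None])[0]
    return entry


def findings(xml_text, audit_lines):
    """Flag the blacklisted hdfs user and any UNAUTHENTICATED decrypt call made via doAs."""
    out = []
    if "hdfs" in blacklisted_users(kms_properties(xml_text)):
        out.append("hdfs is in hadoop.kms.blacklist.DECRYPT_EEK (Ambari default, BUG-45012)")
    for e in filter(None, map(parse_audit_line, audit_lines)):
        if e["status"] == "UNAUTHENTICATED" and e["eek_op"] == "decrypt" and e["doAs"]:
            out.append("unauthenticated decrypt for doAs=%s from %s" % (e["doAs"], e["host"]))
    return out
```

Run `findings` over the real kms-site.xml and the lines of kms-audit.log to confirm whether a cluster still carries the default before raising the support case.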

SOLUTION: Upgrade to HDP 2.3.6

WORKAROUND: Since it is a security issue, please log a case with the HWX support team for suggestions about possible workarounds.
