
Can a single HDFS Client talk to two different Ranger KMS instances?


New Contributor

I have a Java client that talks to two different HDP clusters (one for reading data and the other to write data). I have currently successfully set up Ranger KMS on one of my clusters and I am able to successfully read/write data from my Java client into an encrypted zone in my cluster. Apart from setting the right policies in KMS, all I had to do was update the hdfs-site.xml and core-site.xml to point to my KMS instance.

E.g. of my hdfs-site.xml changes:

<property>
  <name>dfs.encrypt.data.transfer.cipher.suites</name>
  <value>AES/CTR/NoPadding</value>
</property>
<property>
  <name>dfs.encryption.key.provider.uri</name>
  <value>kms://http@<KMS_FQDN>:9292/kms</value>
</property>

However, I want to eventually set up Ranger KMS on both my clusters. Once I do that, my Java client would have to read files from one encrypted zone in cluster #1 and write data to another encrypted zone in cluster #2. They will both be managed as separate KMS instances. How would I set this up? Would I have to include two separate properties in my hdfs-site and core-site? Or would the dfs.encryption.key.provider.uri property support a comma-separated list of KMS hosts from 2 separate clusters?

E.g:

<property>
  <name>dfs.encryption.key.provider.uri</name>
  <value>kms://http@<CLUSTER_1_KMS_FQDN>;<CLUSTER_2_KMS_FQDN>:9292/kms</value>
</property>

Could someone please help?

Thanks,

Amit
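The post above edits the shared hdfs-site.xml, which makes the key provider URI look like a single global setting. In the Hadoop client API it is read per Configuration object, so one JVM can hold two Configurations, each naming a different NameNode and a different Ranger KMS, and open a separate FileSystem from each. The following is an added example written for this thread, not code from the original post or from Cloudera/Hortonworks; every hostname (nn-cluster1, kms-cluster1, and so on) is a placeholder to be replaced, and the property names are the standard Hadoop keys (dfs.encryption.key.provider.uri, plus its newer alias hadoop.security.key.provider.path used by Hadoop 2.8 and later).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.IOUtils;

/**
 * Copies a file from an encrypted zone on cluster 1 to an encrypted zone on
 * cluster 2, with each cluster served by its own Ranger KMS instance.
 * The trick is simply that the KMS URI lives in the Configuration handed to
 * FileSystem, so two Configurations give two independent KMS endpoints.
 */
public class TwoClusterKmsClient {

    // Placeholder endpoints: substitute the real NameNode and Ranger KMS addresses.
    // 8020 is the usual NameNode RPC port, 9292 the Ranger KMS port from the post.
    private static final String READ_CLUSTER_NN   = "hdfs://nn-cluster1.example.com:8020";
    private static final String READ_CLUSTER_KMS  = "kms://http@kms-cluster1.example.com:9292/kms";
    private static final String WRITE_CLUSTER_NN  = "hdfs://nn-cluster2.example.com:8020";
    private static final String WRITE_CLUSTER_KMS = "kms://http@kms-cluster2.example.com:9292/kms";

    /** Builds a client Configuration bound to one cluster's KMS. */
    static Configuration clusterConf(String keyProviderUri) {
        // Starts from core-site.xml / hdfs-site.xml on the classpath, then
        // overrides the key provider for this cluster only.
        Configuration conf = new Configuration();
        conf.set("dfs.encryption.key.provider.uri", keyProviderUri);   // key used by HDP 2.x clients
        conf.set("hadoop.security.key.provider.path", keyProviderUri); // newer name, Hadoop >= 2.8
        conf.set("dfs.encrypt.data.transfer.cipher.suites", "AES/CTR/NoPadding");
        return conf;
    }

    /** Streams src (encrypted zone, cluster 1) into dst (encrypted zone, cluster 2). */
    public static void copyBetweenZones(Path src, Path dst) throws IOException {
        Configuration readConf  = clusterConf(READ_CLUSTER_KMS);
        Configuration writeConf = clusterConf(WRITE_CLUSTER_KMS);

        // newInstance() rather than get(): it bypasses the FileSystem cache, so each
        // handle is guaranteed to carry the Configuration (and KMS) we built for it.
        try (FileSystem readFs  = FileSystem.newInstance(URI.create(READ_CLUSTER_NN), readConf);
             FileSystem writeFs = FileSystem.newInstance(URI.create(WRITE_CLUSTER_NN), writeConf);
             InputStream  in  = readFs.open(src);               // DFSClient decrypts via KMS 1
             OutputStream out = writeFs.create(dst, false)) {   // DFSClient encrypts via KMS 2
            IOUtils.copyBytes(in, out, 64 * 1024);
        }
    }

    public static void main(String[] args) throws IOException {
        copyBetweenZones(new Path("/ez1/input/records.parquet"),   // placeholder paths
                         new Path("/ez2/output/records.parquet"));
    }
}
```

Two things to check on the KMS side before relying on this: the client's Kerberos principal needs a Ranger KMS policy on cluster 1 allowing DECRYPT_EEK for the zone key it reads, and on cluster 2 a policy allowing DECRYPT_EEK for the zone key it writes (the NameNode, not the client, performs GENERATE_EEK). The Ranger KMS audit log on each instance is the place to confirm which principal decrypted which key version.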
