I've done the setup required for enabling HDFS transparent encryption. But it's not quite working for me. I'm getting the following error:
hdfs crypto -createZone -keyName hdfsKey -path /encrypted
17/05/22 17:40:04 WARN retry.RetryInvocationHandler: Exception while invoking ClientNamenodeProtocolTranslatorPB.createEncryptionZone over null. Not retrying because try once and fail.
org.apache.hadoop.ipc.RemoteException(java.io.FileNotFoundException): http://sandbox.hadoopcluster.com:9292/kms/v1/key/hdfsKey/_metadata?user.name=hdfs
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:275)
at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:322)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:550)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:545)
xa_portal.log:
2017-05-22 17:24:41,223 [http-bio-6080-exec-1] INFO apache.ranger.security.web.filter.RangerKRBAuthenticationFilter (RangerKRBAuthenticationFilter.java:220) - Logged into Ranger as = HTTP
2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO org.apache.ranger.biz.SessionMgr (SessionMgr.java:232) - UserSession Updated to set new Permissions to User: HTTP
2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO org.apache.ranger.biz.SessionMgr (SessionMgr.java:184) - Login Success: loginId=HTTP, sessionId=null, sessionId=610783DCAD8146B71131A12112E93AE5, requestId=10.196.27.218, epoch=1495488281228
2017-05-22 17:24:41,233 [http-bio-6080-exec-1] ERROR org.apache.ranger.rest.ServiceREST (ServiceREST.java:1921) - getSecureServicePoliciesIfUpdated(cluster1_kms, -1) failed as User doesn't have permission to download Policy
2017-05-22 17:24:41,234 [http-bio-6080-exec-1] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:357) - Request failed. SessionId=null, loginId=HTTP, logMessage=User doesn't have permission to download policy
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:347)
at org.apache.ranger.rest.ServiceREST.getSecureServicePoliciesIfUpdated(ServiceREST.java:1935)
at org.apache.ranger.rest.ServiceREST$FastClassByCGLIB$92dab672.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
Has anyone hit this before or have any ideas? I have a feeling that the HTTP user is not being proxied to the correct user, but I have set up the proxy user accordingly.