Support Questions

Find answers, ask questions, and share your expertise

Error trying to enable transparent HDFS encryption


I've done the setup required for enabling hdfs transparent encryption. But its not quite working for me. I'm getthing the following error:

hdfs crypto -createZone -keyName hdfsKey -path /encrypted

17/05/22 17:40:04 WARN retry.RetryInvocationHandler: Exception while invoking ClientNamenodeProtocolTranslatorPB.createEncryptionZone over null. Not retrying because try once and fail. org.apache.hadoop.ipc.RemoteException( at at at at at at at at org.apache.hadoop.crypto.key.kms.KMSClientProvider$ at org.apache.hadoop.crypto.key.kms.KMSClientProvider$


2017-05-22 17:24:41,223 [http-bio-6080-exec-1] INFO ( - Logged into Ranger as = HTTP 2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO ( - UserSession Updated to set new Permissions to User: HTTP 2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO ( - Login Success: loginId=HTTP, sessionId=null, sessionId=610783DCAD8146B71131A12112E93AE5, requestId=, epoch=1495488281228 2017-05-22 17:24:41,233 [http-bio-6080-exec-1] ERROR ( - getSecureServicePoliciesIfUpdated(cluster1_kms, -1) failed as User doesn't have permission to download Policy 2017-05-22 17:24:41,234 [http-bio-6080-exec-1] INFO org.apache.ranger.common.RESTErrorUtil ( - Request failed. SessionId=null, loginId=HTTP, logMessage=User doesn't have permission to download policy at org.apache.ranger.common.RESTErrorUtil.createRESTException( at at$FastClassByCGLIB$92dab672.invoke(<generated>) at net.sf.cglib.proxy.MethodProxy.invoke(

Anyone hit this before or have any ideas? I have a feeling that HTTP user is not being proxied to the correct user, but I have setup the proxy user accordingly.


Could you please tell me which user you are using while firing this command ? If this is some user other then hdfs then it will not work. Try using hdfs and fire this command.

I was also facing this issue but then after firing this command using hdfs user, it worked like a charm.