Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Error trying to enable transparent HDFS encryption

Error trying to enable transparent HDFS encryption

New Contributor

I've done the setup required for enabling hdfs transparent encryption. But its not quite working for me. I'm getthing the following error:

hdfs crypto -createZone -keyName hdfsKey -path /encrypted

17/05/22 17:40:04 WARN retry.RetryInvocationHandler: Exception while invoking ClientNamenodeProtocolTranslatorPB.createEncryptionZone over null. Not retrying because try once and fail. org.apache.hadoop.ipc.RemoteException(java.io.FileNotFoundException): http://sandbox.hadoopcluster.com:9292/kms/v1/key/hdfsKey/_metadata?user.name=hdfs at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:275) at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:322) at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:550) at org.apache.hadoop.crypto.key.kms.KMSClientProvider$1.run(KMSClientProvider.java:545)

xa_portal.log:

2017-05-22 17:24:41,223 [http-bio-6080-exec-1] INFO apache.ranger.security.web.filter.RangerKRBAuthenticationFilter (RangerKRBAuthenticationFilter.java:220) - Logged into Ranger as = HTTP 2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO org.apache.ranger.biz.SessionMgr (SessionMgr.java:232) - UserSession Updated to set new Permissions to User: HTTP 2017-05-22 17:24:41,228 [http-bio-6080-exec-1] INFO org.apache.ranger.biz.SessionMgr (SessionMgr.java:184) - Login Success: loginId=HTTP, sessionId=null, sessionId=610783DCAD8146B71131A12112E93AE5, requestId=10.196.27.218, epoch=1495488281228 2017-05-22 17:24:41,233 [http-bio-6080-exec-1] ERROR org.apache.ranger.rest.ServiceREST (ServiceREST.java:1921) - getSecureServicePoliciesIfUpdated(cluster1_kms, -1) failed as User doesn't have permission to download Policy 2017-05-22 17:24:41,234 [http-bio-6080-exec-1] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:357) - Request failed. SessionId=null, loginId=HTTP, logMessage=User doesn't have permission to download policy javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:347) at org.apache.ranger.rest.ServiceREST.getSecureServicePoliciesIfUpdated(ServiceREST.java:1935) at org.apache.ranger.rest.ServiceREST$FastClassByCGLIB$92dab672.invoke(<generated>) at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)

Anyone hit this before or have any ideas? I have a feeling that HTTP user is not being proxied to the correct user, but I have setup the proxy user accordingly.

1 REPLY 1

Re: Error trying to enable transparent HDFS encryption

New Contributor

Could you please tell me which user you are using while firing this command ? If this is some user other then hdfs then it will not work. Try using hdfs and fire this command.

I was also facing this issue but then after firing this command using hdfs user, it worked like a charm.