Created 04-22-2016 03:37 PM
Recently, I encountered a security issue. When HDFS data is protected by KMS and Ranger, is the file stored in HDFS plaintext or ciphertext? In other words, if I uninstall the KMS and Ranger plugin, are these HDFS files plain text?
Created 04-22-2016 04:19 PM
The data is stored encrypted with a copy of the encrypted decryption key (EDEK) attached to the file. No user will be able to access the contents of the O/S level files unless they get the KMS to provide an unencrypted version of the decryption key (DEK). The EDEK is stored with the file so the KMS can determine which version of the key was used to encrypt the file to provide the appropriate DEK once policy checks for access to the file have passed. At the HDFS layer, the user has to have policy access to the KMS key to unencrypt the file. The user will not be able to decrypt the file unless this policy check passes. If you uninstall Ranger and the KMS, you will start seeing errors in the HDFS logs when you try to access files in an encryption zone because the namenode will no longer be able to communicate with the KMS for keys or Ranger for key access policies to the files.
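Added example, not code from this thread or from Hadoop itself: a small Python model of the envelope-encryption flow the answer above describes. A `ToyKms` class (constructed here) hands out a wrapped data key (EDEK) per file, records the zone-key version inside it, and only unwraps it for users its policy allows. The keystream cipher is an HMAC-SHA256 stand-in for AES-CTR so the block runs on the standard library; the key name `ez-key`, the users `alice` and `bob`, and the sample record are all constructed. The point it makes is the one in the reply: the bytes on disk are ciphertext, an unauthorized user is refused at the KMS, and with no KMS at all the file cannot be read even by an authorized user.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stand-in for AES-CTR (constructed for this example, not what HDFS uses):
    # keystream block = HMAC-SHA256(key, nonce || byte_offset), XORed over the data.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class ToyKms:
    """Constructed stand-in for the Hadoop KMS plus a Ranger-style key policy."""

    def __init__(self):
        self._keys = {}    # (key_name, version) -> zone key material
        self._latest = {}  # key_name -> current version
        self._policy = {}  # key_name -> users allowed to unwrap EDEKs

    def create_key(self, name, allowed_users):
        self._latest[name] = 1
        self._keys[(name, 1)] = os.urandom(32)
        self._policy[name] = set(allowed_users)

    def roll_key(self, name):
        # New zone-key version; old EDEKs still name the version they were wrapped under.
        version = self._latest[name] + 1
        self._latest[name] = version
        self._keys[(name, version)] = os.urandom(32)

    def generate_eek(self, name):
        # Fresh DEK wrapped under the current zone key; only the wrapped form leaves the KMS.
        version = self._latest[name]
        wrap_iv = os.urandom(16)
        edek = _keystream_xor(self._keys[(name, version)], wrap_iv, os.urandom(32))
        return {"key_name": name, "key_version": version, "wrap_iv": wrap_iv, "edek": edek}

    def decrypt_eek(self, user, meta):
        # Policy check first; then unwrap with the exact key version recorded in the EDEK.
        if user not in self._policy[meta["key_name"]]:
            raise PermissionError(f"{user} may not decrypt EDEKs for key {meta['key_name']}")
        zone_key = self._keys[(meta["key_name"], meta["key_version"])]
        return _keystream_xor(zone_key, meta["wrap_iv"], meta["edek"])


def write_file(kms, user, key_name, plaintext):
    # Client write path: get an EDEK, unwrap it via the KMS, encrypt, store ciphertext plus EDEK.
    meta = kms.generate_eek(key_name)
    dek = kms.decrypt_eek(user, meta)
    data_iv = os.urandom(16)
    return {"meta": meta, "data_iv": data_iv, "blocks": _keystream_xor(dek, data_iv, plaintext)}


def read_file(kms, user, stored):
    # Client read path: without a reachable KMS the EDEK cannot be unwrapped.
    if kms is None:
        raise RuntimeError("KMS unreachable: EDEK cannot be unwrapped, file stays ciphertext")
    dek = kms.decrypt_eek(user, stored["meta"])
    return _keystream_xor(dek, stored["data_iv"], stored["blocks"])


def demo():
    kms = ToyKms()
    kms.create_key("ez-key", allowed_users=["alice"])
    plaintext = b"constructed sample record: account=12345 balance=100"
    stored = write_file(kms, "alice", "ez-key", plaintext)
    results = {
        "on_disk_is_ciphertext": stored["blocks"] != plaintext and plaintext not in stored["blocks"],
        "authorized_read": read_file(kms, "alice", stored) == plaintext,
    }
    try:
        read_file(kms, "bob", stored)
        results["unauthorized_read_denied"] = False
    except PermissionError:
        results["unauthorized_read_denied"] = True
    try:
        read_file(None, "alice", stored)
        results["no_kms_read_denied"] = False
    except RuntimeError:
        results["no_kms_read_denied"] = True
    kms.roll_key("ez-key")  # older files stay readable: the EDEK carries its key version
    results["readable_after_roll"] = read_file(kms, "alice", stored) == plaintext
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The `roll_key` step is why the reply stresses that the EDEK is stored with the file: the KMS needs the recorded key version to pick the right zone key, so rolling the zone key does not strand files written under the old version.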
Created 04-22-2016 05:01 PM
THE DATA ON HDFS WILL STILL BE ENCRYPTED.