screen-shot-2017-01-23-at-63028-pm.png
screen-shot-2017-01-23-at-63106-pm.png
hi - i'm evaluating & implementing HDP Data at Rest encryption .. & hdfs user is not able to access file put in HDFS encryption zone.
Here is what is done -
- created hdfs folder, -> /enczone1
- created key -> testkeyfromcli & encryption zone using the key
- added 2 files to encryption zone - /enczone1/myfile.txt & /enczone1/myfile_1.txt
- Using Ranger, created policy to provide read/write access to user - hdfs
- User Ranger, provided access to key - testkeyfromcli
One other step i did was run the following command to ensure super-user does not have access to file myfile.txt->
sudo -u hdfs hadoop fs -setfattr -n security.hdfs.unreadable.by.superuser /enczone1/myfile.txt
On running the following commands, i'm unable to access /enczone1/myfile.txt (Expected result)
However, i'm not able to access file /enczone1/myfile_1.txt, the error says - user hdfs is not allowed to 'DECRYPT_EEK' on 'testkeyfromcli'
However, access is already given to user - hdfs (as seen in file uploaded)
Any ideas ?
----------------------------------------------------------------------------------------------------------------
[root@sandbox ~]# sudo -u hdfs hdfs dfs -cat /enczone1/myfile.txt
cat: Access is denied for hdfs since the superuser is not allowed to perform this operation.
[root@sandbox ~]# sudo -u hdfs hdfs dfs -cat /enczone1/myfile_1.txt
cat: User:hdfs not allowed to do 'DECRYPT_EEK' on 'testkeyfromcli'
[root@sandbox ~]# sudo -u hdfs hdfs crypto -listZones
/zone_encr key1
/enczone1 testkeyfromcli
/enczone2 testkeyfromcli
/enczone3 key2
