Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How to access Encryption_Zone data through another cluster Gateway.

How to access Encryption_Zone data through another cluster Gateway.

Explorer

Hi Team,

 

I have 2 clusters A and B. 

 

i) Cluster A is Kerberos enabled and it has Encryption_zone with KMS.

ii) Cluster B is Kerberos enabled and it has Encryption_zone with KMS.

 

From cluster A to B I have enabled trust between 2 KDC's and its working fine. I was able to do Distcp from B cluster.

I am able to access the cluster A from cluster B and able read the data from Users Home directory. 

 

1)But I have a requirement such way that from Cluster B I have read cluster A encrytion_zone data. I looged with Cluster A kerberos Cred's in cluster B and when i am trying to access cluster A encryption_zone i am not able to see decrypt output.

2) Through spark-shell, I read cluster B data and trying access and facing below error.

I am doing this from cluster B

scala> val txt =
sc.textFile("hdfs://Exnameservice/user/Exuser/tmp/sk_stg.conf")
txt: org.apache.spark.rdd.RDD[String] =
hdfs://Exnameservice/user/Exuser/tmp/sk_stg.conf MapPartitionsRDD[1]
at textFile at <console>:27

scala> txt.take(3)

18/02/26 14:41:45 WARN scheduler.TaskSetManager: Lost task 0.0 in stage
0.0 (TID 0, clusterB15.examaple.com): java.io.IOException:
Failed on local exception: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot
authenticate via:[TOKEN, KERBEROS]; Host Details : local host is:
"clusterB15.examaple.com/172.xx.xx.xx"; destination host is:
"clusterAnamenode1.example1.com":8020;

Caused by: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot
authenticate via:[TOKEN, KERBEROS]

 

 

Could you please someone help here. 

 

 

 

 

 

Don't have an account?
Coming from Hortonworks? Activate your account here