
How to promote a principal in IPA to a user for a use case with Ranger, KMS, TDE and HBase?

Recently used TDE to encrypt an HBase installation and found some interesting requests for key access by the Region Servers.

Out of the box, we locked down the key permissions to allow only the "hbase" user, since this was the user accessing the files by way of the Region Servers. During normal operations, we saw additional requests from the "nn" user and later from "hdfs".

Well, "hdfs" is a user, that's fine. But "nn" is not. "nn" was set up as a principal per host for Kerberos (in IPA).

We got around this by actually creating an "nn" user in IPA and granting it rights to the key in Ranger KMS. Was that the best way?

And I'm a little curious "how" the "nn" principal expressed itself as a user in HDFS operations.
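The "how" part of this question, as an added example (not the poster's or Hadoop's own code): Hadoop derives the short user name that HDFS, Ranger and Ranger KMS authorize from the Kerberos principal with the hadoop.security.auth_to_local rules, and it is that short name, not the principal, that shows up in audit logs and has to exist as a Ranger user. The script below re-implements the rule evaluation of Hadoop's KerberosName in Python so a mapping can be checked offline. The realm EXAMPLE.COM, the principals and the HDP-style rule set are constructed for the example. It shows that under the bare DEFAULT rule nn/host@REALM comes out as "nn", while a rule of the form RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/ collapses it onto "hdfs", so the same NameNode can appear under either name depending on which rules the component evaluating them was configured with.

```python
"""
Added example: evaluate hadoop.security.auth_to_local rules offline.

Semantics follow Hadoop's KerberosName class:
  DEFAULT                        -> primary component, only if the realm is the
                                    cluster's default realm
  RULE:[n:fmt](regex)s/pat/repl/[g][/L]
                                 -> applies only to principals with n components;
                                    fmt is filled with $0 = realm, $1 = primary,
                                    $2 = instance; if the whole formatted string
                                    matches regex, the sed substitution is applied
                                    and the result is the short name
Realm, rules and principals below are constructed for the example.
"""
import re
from typing import List, Optional

RULE_PARSER = re.compile(
    r"^\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?)\s*$"
)
PRINCIPAL_PARSER = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")


class NoMatchingRule(Exception):
    """No rule produced a short name; Hadoop rejects such a login."""


class Rule:
    def __init__(self, text: str):
        m = RULE_PARSER.match(text)
        if not m:
            raise ValueError(f"bad auth_to_local rule: {text!r}")
        default, n, fmt, match, pat, repl, g, lower = m.groups()
        self.is_default = default is not None
        self.num_components = int(n) if n else 0
        self.fmt = fmt
        self.match = re.compile(match) if match is not None else None
        self.pattern = re.compile(pat) if pat is not None else None
        # Java-style $1 back-references in the replacement become Python's \g<1>
        self.replacement = re.sub(r"\$(\d)", r"\\g<\1>", repl) if repl is not None else None
        self.repeat = g is not None          # 'g' flag: replace every match
        self.to_lower = lower is not None    # '/L' flag: lowercase the result

    def apply(self, params: List[str], default_realm: str) -> Optional[str]:
        # params = [realm, primary] or [realm, primary, instance]
        if self.is_default:
            return params[1] if params[0] == default_realm else None
        if len(params) - 1 != self.num_components:
            return None
        base = re.sub(r"\$(\d)", lambda mo: params[int(mo.group(1))], self.fmt)
        if self.match is not None and not self.match.fullmatch(base):
            return None
        if self.pattern is not None:
            base = self.pattern.sub(self.replacement, base, count=0 if self.repeat else 1)
        if self.to_lower:
            base = base.lower()
        if "/" in base or "@" in base:
            raise NoMatchingRule(f"non-simple name {base!r} after rule")
        return base


def parse_auth_to_local(value: str) -> List[str]:
    """Split a core-site.xml auth_to_local value (whitespace separated) into rules."""
    return value.split()


def short_name(rules: List[str], principal: str, default_realm: str) -> str:
    """Map a full Kerberos principal to the Hadoop short user name."""
    m = PRINCIPAL_PARSER.match(principal)
    if not m:
        raise ValueError(f"expected primary[/instance]@REALM, got {principal!r}")
    primary, instance, realm = m.groups()
    params = [realm, primary] + ([instance] if instance else [])
    for text in rules:
        result = Rule(text).apply(params, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule(f"no auth_to_local rule matched {principal!r}")


DEFAULT_REALM = "EXAMPLE.COM"          # assumed; the poster's realm is not given
DEFAULT_ONLY = ["DEFAULT"]             # what you get with no explicit rules
# Assumed rule set in the style Ambari writes for HDP: per-host service
# principals are collapsed onto the OS account that owns the service.
HDP_STYLE = parse_auth_to_local("""
    RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
    RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
    DEFAULT
""")

if __name__ == "__main__":
    for p in ["nn/nn1.example.com@EXAMPLE.COM",
              "hbase/rs1.example.com@EXAMPLE.COM",
              "alice@EXAMPLE.COM"]:
        print(f"{p:36} DEFAULT only -> {short_name(DEFAULT_ONLY, p, DEFAULT_REALM):6} "
              f"HDP-style -> {short_name(HDP_STYLE, p, DEFAULT_REALM)}")
```

Run it against the exact auth_to_local value from the core-site.xml that each component loads (NameNode, KMS, HBase); if the KMS host carries a different rule set than the NameNode, the same principal is authorized under different short names and the Ranger KMS policy has to name both.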

Accepted Solution

Re: How to promote a principal in IPA to a user for a use case with Ranger, KMS, TDE and HBase?

New Contributor

If the service accounts (such as nn, hbase, hdfs) need to access the Hadoop data and/or KMS key, you must provide the necessary permissions for these users in Ranger, and these (service) users must be available in Ranger so they can be added to the security access policies. If your usersync process does not bring these users in from the Enterprise Directory (such as LDAP or AD), you can add them in Ranger by logging in as the admin user and using the "Add New User" option under the "Settings -> Users/Groups" menu.
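The same procedure done through Ranger Admin's REST API instead of the UI, as an added example (not the answer author's or Ranger's own code): it registers the three service accounts as internal Ranger users and then creates one KMS policy on the key with a separate policy item per user, granting each only the KMS operations its role needs rather than full access. The Ranger Admin URL, the KMS service name cluster_kms, the key name, the keyadmin credentials and the per-user access lists are assumptions; the user-creation endpoint and payload fields are as I recall them from Ranger's VXUser model and should be checked against your Ranger version. The names used in the policy must be the short names Hadoop produces from the principals, since that is what the KMS plugin presents to Ranger.

```python
"""
Added example: register service accounts as internal Ranger users and grant
each one a least-privilege Ranger KMS policy on a single TDE key.
Every host, service, key and credential below is assumed.
"""
import base64
import json
import secrets
import urllib.request
from typing import Dict, List

RANGER_ADMIN = "https://ranger-admin.example.com:6182"   # assumed Ranger Admin URL
KMS_SERVICE = "cluster_kms"    # assumed: name of the KMS service (repo) in Ranger
KEY_NAME = "hbase-tde-key"     # assumed key name

# Access types defined by the Ranger KMS service definition.
KMS_ACCESS_TYPES = {"create", "delete", "rollover", "setkeymaterial",
                    "getmetadata", "getkeys", "generateeek", "decrypteek"}

# Least-privilege assignment (assumed, from Hadoop's KMS ACL model; confirm
# against what the KMS audit log shows each short name actually calling):
#   nn    - the NameNode reads key metadata and asks the KMS for new
#           encrypted data-encryption keys (EDEKs) when files are created
#   hdfs  - the superuser creating encryption zones reads key metadata
#   hbase - region servers decrypt EDEKs to read and write the files
MIN_KMS_ACCESS: Dict[str, List[str]] = {
    "nn":    ["getmetadata", "generateeek"],
    "hdfs":  ["getmetadata"],
    "hbase": ["decrypteek"],
}


def ranger_internal_user(name: str, password: str) -> dict:
    """VXUser payload, the REST twin of Settings -> Users/Groups -> Add New User (fields assumed)."""
    return {
        "name": name,
        "firstName": name,
        "password": password,          # required for an internal user; never used by the service
        "userSource": 0,               # 0 = created in Ranger, 1 = synced from LDAP/AD
        "userRoleList": ["ROLE_USER"],
        "status": 1,
    }


def kms_key_policy(service: str, key: str, access_by_user: Dict[str, List[str]]) -> dict:
    """Ranger v2 policy payload: one policy item per user on the single resource 'keyname'."""
    items = []
    for user, accesses in sorted(access_by_user.items()):
        unknown = set(accesses) - KMS_ACCESS_TYPES
        if unknown:
            raise ValueError(f"{user}: not KMS access types: {sorted(unknown)}")
        items.append({
            "users": [user],
            "groups": [],
            "delegateAdmin": False,
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
        })
    return {
        "service": service,
        "name": f"tde-{key}",
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {"keyname": {"values": [key], "isExcludes": False, "isRecursive": False}},
        "policyItems": items,
    }


def granted(policy: dict, user: str) -> List[str]:
    """Access types a policy grants to a user; review this before pushing the policy."""
    out = []
    for item in policy["policyItems"]:
        if user in item["users"]:
            out.extend(a["type"] for a in item["accesses"] if a["isAllowed"])
    return sorted(out)


def post_json(base_url: str, path: str, payload: dict, username: str, password: str) -> dict:
    """POST a JSON body to Ranger Admin with HTTP basic auth and return the parsed reply."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    admin, admin_pw = "keyadmin", "CHANGEME"   # assumed credentials
    for svc in MIN_KMS_ACCESS:                 # skip this loop if usersync already brings them in
        post_json(RANGER_ADMIN, "/service/xusers/secure/users",
                  ranger_internal_user(svc, secrets.token_urlsafe(24)), admin, admin_pw)
    policy = kms_key_policy(KMS_SERVICE, KEY_NAME, MIN_KMS_ACCESS)
    for user in MIN_KMS_ACCESS:
        print(f"{user:6} -> {granted(policy, user)}")
    post_json(RANGER_ADMIN, "/service/public/v2/api/policy", policy, admin, admin_pw)
```

If usersync already pulls the service accounts from IPA, leave the user-creation loop out; creating a second, internal copy of a synced user is what causes duplicate-user confusion in Ranger. Keep "Decrypt EEK" off the NameNode's item: the NameNode never needs the plaintext data key, and a policy that grants it has widened the trust boundary of the encryption zone.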


Re: How to promote a principal in IPA to a user for a use case with Ranger, KMS, TDE and HBase?

Contributor

The question is, why is the "nn" user trying to access data?