KMS Unable to decrypt

Configured Ranger and KMS on a Kerberized cluster. Able to create zones and keys. However, unable to cat any file put in the directory.

Have given the user access to the directory in Ranger and the ability to decrypt EEKs. Any ideas?

hdfs dfs -cat /zone_encr3/abc1.txt
cat: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 500, message: Internal Server Error

Nothing much in kms.log either.

1 ACCEPTED SOLUTION

@Ash Pad

You need to provide additional privileges to the user via keyadmin. The user will need "Get Keys", "Get Metadata", and "Decrypt EEK" privileges on the key to read files in the encryption zone.

2 REPLIES

Any errors being shown in catalina.out? Are there entries in kms-audit.log?

As what user are you trying to copy the files?

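
An added example, not part of the original thread or of Ranger's own code: a check over Ranger KMS policies, in the JSON shape of a Ranger policy export, that reports which of the three privileges named in the accepted solution a user still lacks on a key. It assumes the UI labels "Get Keys", "Get Metadata" and "Decrypt EEK" correspond to the access types `getkeys`, `getmetadata` and `decrypteek`; the function names, users, group and key names are constructed, and deny items and exclude-style resources are not evaluated.

```python
import fnmatch

# Access types assumed to sit behind "Get Keys", "Get Metadata", "Decrypt EEK".
REQUIRED = {"getkeys", "getmetadata", "decrypteek"}

def granted_accesses(policies, user, groups, key_name):
    """Access types that enabled allow-items grant to user/groups on key_name."""
    granted = set()
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        res = policy.get("resources", {}).get("keyname", {})
        if res.get("isExcludes", False):
            continue  # simplification: exclude-style resources are skipped
        patterns = res.get("values", [])
        if not any(fnmatch.fnmatchcase(key_name, p) for p in patterns):
            continue
        for item in policy.get("policyItems", []):
            in_users = user in item.get("users", [])
            in_groups = bool(set(groups) & set(item.get("groups", [])))
            if in_users or in_groups:
                granted |= {a["type"] for a in item.get("accesses", [])
                            if a.get("isAllowed", True)}
    return granted

def missing_for_read(policies, user, groups, key_name):
    """Required access types the user still lacks to read files in the zone."""
    return sorted(REQUIRED - granted_accesses(policies, user, groups, key_name))

def allow(types):
    return [{"type": t, "isAllowed": True} for t in types]

# Constructed sample policies (not taken from the thread).
SAMPLE_POLICIES = [
    {"name": "zone3-decrypt", "isEnabled": True,
     "resources": {"keyname": {"values": ["key_zone3"]}},
     "policyItems": [
         {"users": ["alice"], "groups": [], "accesses": allow(["decrypteek"])},
         {"users": [], "groups": ["analysts"], "accesses": allow(["getmetadata"])}]},
    {"name": "old-full-access", "isEnabled": False,
     "resources": {"keyname": {"values": ["*"]}},
     "policyItems": [{"users": ["alice"], "groups": [], "accesses": allow(REQUIRED)}]},
    {"name": "etl-all-zone-keys", "isEnabled": True,
     "resources": {"keyname": {"values": ["key_*"]}},
     "policyItems": [{"users": ["etl"], "groups": [], "accesses": allow(REQUIRED)}]},
]

if __name__ == "__main__":
    print("alice missing:", missing_for_read(SAMPLE_POLICIES, "alice", [], "key_zone3"))
```

A user with only `decrypteek` on the key, as in the first sample policy, is the situation the accepted solution describes: the remaining access types have to be granted through keyadmin before reads in the zone succeed.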