Support Questions

Nae2Ju7w · ‎08-30-2017

In the Cloudera Security Guide, step 6 on page 303 for adding a Key Trusteee KMS Service says "To generate the recommended ACLS, enter the username and group responsible for managing cryptographic keys and click Generate ACLs."

Are the username and group mentioned in this step arbitrary or is it referencing a username and group that should have been created as part of some previous configuration?

Nae2Ju7w · ‎08-30-2017

The username and/or group should be a user present in Linux and Kerberos that you have designated as the user responsible for managing keys on your cluster, and you can use an existing user/group or create a new one as makes sense in your environment. Typically this would be a group of administrators who you would entrust to configure security for you, so that only one user or a handful of users can grant access.

View solution in original post

Nae2Ju7w · ‎08-30-2017

The username and/or group should be a user present in Linux and Kerberos that you have designated as the user responsible for managing keys on your cluster, and you can use an existing user/group or create a new one as makes sense in your environment. Typically this would be a group of administrators who you would entrust to configure security for you, so that only one user or a handful of users can grant access.

Cloudera Community

Support Questions

Key Trustee KMS Proxy ACLs confusion