Ranger KMS + HSM integration

Hi,

We have installed Ranger KMS and migrated the master key from Ranger KMS Database to HSM.

I have a few doubts here. Would you please help to clarify.

During the HDFS write operation, the HDFS client tells the NameNode that it wants to write a file to the EZ, and the NameNode requests the KMS to return an EDEK. The KMS does this by generating a unique DEK, and the DEK is encrypted using the EZK, which is present in the Ranger database. This EDEK is returned to the NameNode and stored along with the file's metadata.

1. How frequently does Ranger KMS (EZK) connect to the HSM (master key)?

2. What is the load on the HSM from Ranger KMS, i.e. the number of crypto operations per second/hour/day?

Whenever there is a Read/Write operation on HDFS encryption zones, I can see the methods below being invoked in the KMS log.

kms.log

Read Operation:
    INFO KMS - Entering decryptEncryptedKey method
    DEBUG RangerPluginClassLoader - <== RangerPluginClassLoader.activate()
    DEBUG RangerKmsAuthorizer - ==> RangerKmsAuthorizer.assertAccess(testkey1, useid@domain (auth:KERBEROS), DECRYPT_EEK)
    DEBUG RangerKmsAuthorizer - ==> RangerKmsAuthorizer.hasAccess(DECRYPT_EEK, userid@domain (auth:KERBEROS) , testkey1)
    INFO  KMS - Exiting handleEncryptedKeyOp method

Write operation:
    INFO  KMS - Entering generateEncryptedKeys method
    INFO  KMS - Entering decryptEncryptedKey method
    DEBUG RangerKmsAuthorizer - ==> RangerKmsAuthorizer.assertAccess(testkey1, userid@domain (auth:KERBEROS), DECRYPT_EEK)
    DEBUG RangerPluginClassLoader - ==> RangerPluginClassLoader.activate()
    DEBUG RangerPluginClassLoader - <== RangerPluginClassLoader.activate()
    DEBUG RangerKmsAuthorizer - ==> RangerKmsAuthorizer.assertAccess(testkey1, userid@domain (auth:KERBEROS), DECRYPT_EEK)
    INFO  KMS - Exiting handleEncryptedKeyOp method.

3. Once the decryptEncryptedKey method is invoked, a request will be sent to the HSM to decrypt the EZK using the master key. Please correct me if I'm wrong.

4. Whenever we perform a create new EZ key / rollover key operation from the Ranger KMS UI, a request will be sent to the HSM to encrypt/decrypt the EZ key using the master key. Please correct me if I'm wrong.

Thank you.
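The key hierarchy described in the question, as an added Python model that is not Ranger KMS or Hadoop code: an HSM-held master key wraps each EZK, the EZK wraps a per-file DEK to produce the EDEK, and the DEK encrypts the file bytes. It assumes one HSM unwrap per EZK use with no caching (a real KMS may cache unwrapped EZKs), uses an HMAC-based keystream cipher as a stand-in for AES, and follows the HDFS sequence in which a write calls generateEncryptedKey for the NameNode and then decryptEncryptedKey for the client, which is why both methods show up in the write log above.

```python
import hashlib, hmac, os
from collections import Counter

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode) standing in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC under key-encryption key kek: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _xor_stream(kek, nonce, secret)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob or wrong kek is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return _xor_stream(kek, nonce, ct)

class HsmModel:
    """Holds the master key, never releases it, only wraps/unwraps EZKs; counts calls."""
    def __init__(self):
        self._master = os.urandom(32)   # constructed; the real master key lives in the HSM
        self.ops = Counter()
    def wrap_ezk(self, ezk): self.ops["wrap"] += 1; return wrap(self._master, ezk)
    def unwrap_ezk(self, blob): self.ops["unwrap"] += 1; return unwrap(self._master, blob)

class KmsModel:
    """KMS with a DB of HSM-wrapped EZKs (assumption: one HSM unwrap per EZK use, no cache)."""
    def __init__(self, hsm): self.hsm, self.db = hsm, {}
    def create_key(self, name): self.db[name] = self.hsm.wrap_ezk(os.urandom(32))
    def generate_encrypted_key(self, name):          # NameNode's request on write
        return wrap(self.hsm.unwrap_ezk(self.db[name]), os.urandom(32))   # EDEK only
    def decrypt_encrypted_key(self, name, edek):     # client's request on read AND write
        return unwrap(self.hsm.unwrap_ezk(self.db[name]), edek)

def write_file(kms, zone_key, data):
    edek = kms.generate_encrypted_key(zone_key)      # stored in the file's metadata
    dek = kms.decrypt_encrypted_key(zone_key, edek)  # second KMS call seen in the write log
    return edek, wrap(dek, data)                     # ciphertext goes to the DataNodes

def read_file(kms, zone_key, edek, ciphertext):
    dek = kms.decrypt_encrypted_key(zone_key, edek)
    return unwrap(dek, ciphertext)
```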