Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger KMS throws exception

SOLVED Go to solution
Highlighted

Ranger KMS throws exception

New Contributor

Hi,

My cluster is kerbeorized with KMS. When I execute the following command I am getting the below error. Could anyone help me on this asap.

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname@0/_eek?ee_op=decrypt

{ "RemoteException" : { "message" : null, "exception" : "WebApplicationException", "javaClassName" : "javax.ws.rs.WebApplicationException" }

In the kms-audit.log I see the following error "ErrorMsg:'Authentication required' saying that Authentication required.

I specified --negotiate option and -u option as well.

But the below command is working

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname@0

{ "name" : "<keyname", "versionName" : "<keyname>@0", "material" : "<some value>" }

The user with which the command is being executed has the valid Kerberos ticket and decrypt permissions also set with Ranger kms web ui

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Ranger KMS throws exception

Rising Star

decrypt operation needs POST instead of GET. Check the samples form KMS doc below.

Decrypt Encrypted Key

REQUEST:

POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
Content-Type: application/json

{
  "name"        : "<key-name>",
  "iv"          : "<iv>",          //base64
  "material"    : "<material>",    //base64
}

RESPONSE:

200 OK
Content-Type: application/json

{
  "name"        : "EK",
  "material"    : "<material>",    //base64
}
1 REPLY 1

Re: Ranger KMS throws exception

Rising Star

decrypt operation needs POST instead of GET. Check the samples form KMS doc below.

Decrypt Encrypted Key

REQUEST:

POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
Content-Type: application/json

{
  "name"        : "<key-name>",
  "iv"          : "<iv>",          //base64
  "material"    : "<material>",    //base64
}

RESPONSE:

200 OK
Content-Type: application/json

{
  "name"        : "EK",
  "material"    : "<material>",    //base64
}