Support Questions

Find answers, ask questions, and share your expertise

Ranger KMS throws exception

Explorer

Hi,

My cluster is kerbeorized with KMS. When I execute the following command I am getting the below error. Could anyone help me on this asap.

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname@0/_eek?ee_op=decrypt

{ "RemoteException" : { "message" : null, "exception" : "WebApplicationException", "javaClassName" : "javax.ws.rs.WebApplicationException" }

In the kms-audit.log I see the following error "ErrorMsg:'Authentication required' saying that Authentication required.

I specified --negotiate option and -u option as well.

But the below command is working

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname@0

{ "name" : "<keyname", "versionName" : "<keyname>@0", "material" : "<some value>" }

The user with which the command is being executed has the valid Kerberos ticket and decrypt permissions also set with Ranger kms web ui

1 ACCEPTED SOLUTION

Rising Star

decrypt operation needs POST instead of GET. Check the samples form KMS doc below.

Decrypt Encrypted Key

REQUEST:

POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
Content-Type: application/json

{
  "name"        : "<key-name>",
  "iv"          : "<iv>",          //base64
  "material"    : "<material>",    //base64
}

RESPONSE:

200 OK
Content-Type: application/json

{
  "name"        : "EK",
  "material"    : "<material>",    //base64
}

View solution in original post

1 REPLY 1

Rising Star

decrypt operation needs POST instead of GET. Check the samples form KMS doc below.

Decrypt Encrypted Key

REQUEST:

POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
Content-Type: application/json

{
  "name"        : "<key-name>",
  "iv"          : "<iv>",          //base64
  "material"    : "<material>",    //base64
}

RESPONSE:

200 OK
Content-Type: application/json

{
  "name"        : "EK",
  "material"    : "<material>",    //base64
}
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.