Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Ranger KMS + why files that copy to encrypted folders are not encrypted

Labels:
avatar
author-rank mike_bronson7
Guru

Created on ‎11-24-2021 01:10 PM - edited ‎11-24-2021 01:18 PM

we have HDP cluster ( Hadoop cluster version 2.6.5 )

and we add the ranger and ranger KMS to the cluster as services

after adding the service - ranger KMS and do some settings


we performed the following

 

[hdfs@worker01 tmp]$ hdfs dfs -mkdir /zone_encr_1
[hdfs@worker01 tmp]$ hdfs crypto -createZone -keyName secret_hdp1 -path /zone_encr_1
Added encryption zone /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -copyFromLocal file.txt /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -cat /zone_encr_1/file.txt
hello every one
[hdfs@worker01 tmp]$ hdfs dfs -ls /zone_encr_1/file.txt
-rw-r--r-- 2 hdfs hdfs 23 2021-11-24 20:19 /zone_encr_1/file.txt
[hdfs@worker01 tmp]$ hdfs crypto -listZones
/zone_encr secret_hdp1
/zone_encr_new secret_hdp1
/zone_encr_1 secret_hdp1


as we can see above

first we create folder - /zone_encr_1 under hdfs

then

we add encryption to folder - /zone_encr_1

then

we copy from local folder the file - file.txt that include the text - "hello every one" to hdfs folder - /zone_encr_1

then

we do the test with `hdfs dfs -cat /zone_encr_1/file.txt`

and we expect to get encrypted file , but we not

 

we still get the file as

 

hello every one

since I just to learn the ranger KMS capabilities , I am not sure if I missed something

 

 

 

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/copy-to-from-encr-zone.htm...

Michael-Bronson
1,612 Views
0 Kudos
2 REPLIES 2

avatar
author-rank arunek95 author-rank
Expert Contributor

Created ‎11-26-2021 12:23 AM

Hi @mike_bronson7 , I can see you are using the same hdfs user to cat the encryption zone file. And it is allowing it because HDFS user might be having "DECRYPT_EEK" permission in the kms policies. Please try to use another user to cat the encrypted zone file to see if the encryption is working or not. 

 

Also if you do not have any other user , then remove the "DECRYPT_EEK" permission for HDFS user from the policy and it should work.

1,573 Views

avatar
author-rank pbhagade author-rank
Expert Contributor

Created ‎12-01-2021 02:55 AM

HI @mike_bronson7 ,
Please go through the link https://www.youtube.com/watch?v=GjswCzMaW9k
Let us know if you have any concerns.

HDP-2.6.3 HDFS Transparent Encryption Using Ranger KMS
HDP-2.6.3 HDFS Transparent Encryption Using Ranger KMS
youtube.com/watch?v=GjswCzMaW9k
We will discuss about HDFS transparent encryption using Ranger KMS service
1,548 Views
0 Kudos
Announcements
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
Welcome to the Cloudera Community!
Community Announcements
September 2025 Community Highlights
What's New @ Cloudera
Upgrade Your Spark Experience: Introducing CDS 3.5 for Cloud...
View More Announcements