
Ranger KMS + why files that copy to encrypted folders are not encrypted


We have an HDP cluster (Hadoop cluster version 2.6.5),

and we added Ranger and Ranger KMS to the cluster as services.

After adding the Ranger KMS service and doing some settings,

we performed the following:


```
[hdfs@worker01 tmp]$ hdfs dfs -mkdir /zone_encr_1
[hdfs@worker01 tmp]$ hdfs crypto -createZone -keyName secret_hdp1 -path /zone_encr_1
Added encryption zone /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -copyFromLocal file.txt /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -cat /zone_encr_1/file.txt
hello every one
[hdfs@worker01 tmp]$ hdfs dfs -ls /zone_encr_1/file.txt
-rw-r--r-- 2 hdfs hdfs 23 2021-11-24 20:19 /zone_encr_1/file.txt
[hdfs@worker01 tmp]$ hdfs crypto -listZones
/zone_encr secret_hdp1
/zone_encr_new secret_hdp1
/zone_encr_1 secret_hdp1
```

As we can see above:

First, we create the folder /zone_encr_1 under HDFS.

We add encryption to the folder /zone_encr_1.

We copy the file file.txt, which includes the text "hello every one", from the local folder to the HDFS folder /zone_encr_1.

We do the test with `hdfs dfs -cat /zone_encr_1/file.txt`

and we expect to get an encrypted file, but we do not.

We still get the file as

hello every one

Since I am just learning the Ranger KMS capabilities, I am not sure if I missed something.


Expert Contributor

Hi @mike_bronson7, I can see you are using the same hdfs user to cat the encryption zone file. It is allowed because the HDFS user might have the "DECRYPT_EEK" permission in the KMS policies. Please try to use another user to cat the encrypted zone file to see if the encryption is working or not.

Also, if you do not have any other user, then remove the "DECRYPT_EEK" permission for the HDFS user from the policy and it should work.
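
A minimal Python model of the behaviour this answer describes, added here as an illustration and not part of the original reply or of Hadoop's own code: the zone stores ciphertext, and any user whose KMS policy grants DECRYPT_EEK gets plaintext back from a read. The class names, the user `alice`, the constructed policy and the SHA-256 keystream (a stand-in for AES-CTR) are assumptions.

```python
import hashlib
import os

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ToyKMS:
    """Holds zone keys and a per-key policy; only the KMS can unwrap an EDEK."""
    def __init__(self):
        self.keys, self.policy = {}, {}  # key name -> key bytes / {user: perms}
    def create_key(self, name, grants):
        self.keys[name] = os.urandom(32)
        self.policy[name] = {u: set(p) for u, p in grants.items()}
    def generate_eek(self, name):
        iv, dek = os.urandom(16), os.urandom(32)
        return iv, _xor_stream(self.keys[name], iv, dek)  # EDEK = wrapped DEK
    def decrypt_eek(self, user, name, iv, edek):
        if "DECRYPT_EEK" not in self.policy[name].get(user, set()):
            raise PermissionError(f"{user} lacks DECRYPT_EEK on {name}")
        return _xor_stream(self.keys[name], iv, edek)

class ToyZone:
    """Encryption zone: blocks hold ciphertext, file metadata holds the EDEK."""
    def __init__(self, kms, key_name):
        self.kms, self.key_name, self.files = kms, key_name, {}
    def write(self, user, path, plaintext):
        iv, edek = self.kms.generate_eek(self.key_name)
        dek = self.kms.decrypt_eek(user, self.key_name, iv, edek)
        self.files[path] = (iv, edek, _xor_stream(dek, iv, plaintext))
    def cat(self, user, path):  # models: hdfs dfs -cat <path>
        iv, edek, blob = self.files[path]
        dek = self.kms.decrypt_eek(user, self.key_name, iv, edek)
        return _xor_stream(dek, iv, blob)
    def raw(self, path):  # the bytes actually stored for the file
        return self.files[path][2]

def demo():
    kms = ToyKMS()
    kms.create_key("secret_hdp1", {"hdfs": ["DECRYPT_EEK"]})  # constructed policy
    zone = ToyZone(kms, "secret_hdp1")
    zone.write("hdfs", "/zone_encr_1/file.txt", b"hello every one\n")
    as_hdfs = zone.cat("hdfs", "/zone_encr_1/file.txt")
    try:
        as_other = zone.cat("alice", "/zone_encr_1/file.txt")  # hypothetical user
    except PermissionError as exc:
        as_other = str(exc)
    return as_hdfs, as_other, zone.raw("/zone_encr_1/file.txt")
```

On a real cluster the stored ciphertext can be inspected by the HDFS superuser through the `/.reserved/raw/` prefix, for example `hdfs dfs -cat /.reserved/raw/zone_encr_1/file.txt`.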

Expert Contributor

Hi @mike_bronson7,
Please go through the link
Let us know if you have any concerns.