Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger KMS + why files that copy to encrypted folders are not encrypted

Labels:
avatar
author-rank mike_bronson7
Guru

Created on ‎11-24-2021 01:10 PM - edited ‎11-24-2021 01:18 PM

we have HDP cluster ( Hadoop cluster version 2.6.5 )

and we add the ranger and ranger KMS to the cluster as services

after adding the service - ranger KMS and do some settings


we performed the following

 

[hdfs@worker01 tmp]$ hdfs dfs -mkdir /zone_encr_1
[hdfs@worker01 tmp]$ hdfs crypto -createZone -keyName secret_hdp1 -path /zone_encr_1
Added encryption zone /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -copyFromLocal file.txt /zone_encr_1
[hdfs@worker01 tmp]$ hdfs dfs -cat /zone_encr_1/file.txt
hello every one
[hdfs@worker01 tmp]$ hdfs dfs -ls /zone_encr_1/file.txt
-rw-r--r-- 2 hdfs hdfs 23 2021-11-24 20:19 /zone_encr_1/file.txt
[hdfs@worker01 tmp]$ hdfs crypto -listZones
/zone_encr secret_hdp1
/zone_encr_new secret_hdp1
/zone_encr_1 secret_hdp1


as we can see above

first we create folder - /zone_encr_1 under hdfs

then

we add encryption to folder - /zone_encr_1

then

we copy from local folder the file - file.txt that include the text - "hello every one" to hdfs folder - /zone_encr_1

then

we do the test with `hdfs dfs -cat /zone_encr_1/file.txt`

and we expect to get encrypted file , but we not

 

we still get the file as

 

hello every one

since I just to learn the ranger KMS capabilities , I am not sure if I missed something

 

 

 

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/copy-to-from-encr-zone.htm...

Michael-Bronson
726 Views
0 Kudos
2 REPLIES 2

avatar
author-rank arunek95 author-rank
Expert Contributor

Created ‎11-26-2021 12:23 AM

Hi @mike_bronson7 , I can see you are using the same hdfs user to cat the encryption zone file. And it is allowing it because HDFS user might be having "DECRYPT_EEK" permission in the kms policies. Please try to use another user to cat the encrypted zone file to see if the encryption is working or not. 

 

Also if you do not have any other user , then remove the "DECRYPT_EEK" permission for HDFS user from the policy and it should work.

687 Views

avatar
author-rank pbhagade author-rank
Expert Contributor

Created ‎12-01-2021 02:55 AM

HI @mike_bronson7 ,
Please go through the link https://www.youtube.com/watch?v=GjswCzMaW9k
Let us know if you have any concerns.

662 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements