Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Updating to Ranger KMS after previously used Hadoop KMS

avatar
Contributor

If I previously didn't use Ranger KMS, but used Hadoop KMS to manage my keys: Will I lose my keys in the Hadoop KMS when I start to use Ranger KMS? Will they all be copied over to the Ranger KMS seamlessly during Ranger KMS install?

Also, my second question is on trying to set up Ranger KMS. I'm able to see policies in my Ranger KMS UI at 6080 enforced:

For example,

# after updating ranger kms policy to include public permissions to create keys
>> sudo sudo -u hdfs hadoop key create testkeyfromcli1 -size 256 
testkeyfromcli1 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=256, description='null
KMSClientProvider[http:/XXXXX.com:9292/kms/v1/] has been updated.
# after updating policies to only allow keyadmin permissions to create keys
>> sudo sudo -u hdfs hadoop key create testkeyfromcli2 -size 256
testkeyfromcli2 has not been created. org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs-189 not allowed toeyfromcli2'

But when I log into Ranger KMS UI using keyadmin, I notice

1) When I try to view the keys under my kms repo, I see the error: Unauthenticated : Please check the premission in the policy for the use

2) When I try to Test Connection I see: Connection Failed. Unable to connect repository with given config for hdpClusterName_kms.

Do you know why I can't connect? My KMS URL is: kms://http@XXXXXX.com:9292/kms.

In my kms.log, when I try to view the keys in the repo, I do see:

Caused by: java.lang.IllegalArgumentException: Failed to specify server's Kerberos principal name
        at org.apache.hadoop.security.SaslRpcClient.getServerPrincipal(SaslRpcClient.java:322)
        at org.apache.hadoop.security.SaslRpcClient.createSaslClient(SaslRpcClient.java:231)
        at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:159)
        at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
        at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:555)
        at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:370)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:724)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:720)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:720)
        ... 30 more

Thanks!

1 ACCEPTED SOLUTION

avatar
@Anna Shaverdian

1] For this, existing keys need to be imported into Ranger KMS (using a script provided by Ranger KMS)

2] Please check your KMS repo configuration. Looks like you are using kerberos, but the repo config user name is not a valid kerberos user. Please refer the docs here. http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03...

Since KMS repo is already created, username needs to be changed directly in the ranger UI, not in Ambari.

View solution in original post

1 REPLY 1

avatar
@Anna Shaverdian

1] For this, existing keys need to be imported into Ranger KMS (using a script provided by Ranger KMS)

2] Please check your KMS repo configuration. Looks like you are using kerberos, but the repo config user name is not a valid kerberos user. Please refer the docs here. http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03...

Since KMS repo is already created, username needs to be changed directly in the ranger UI, not in Ambari.