Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Updating to Ranger KMS after previously used Hadoop KMS

Solved Go to solution

Updating to Ranger KMS after previously used Hadoop KMS

New Contributor

If I previously didn't use Ranger KMS, but used Hadoop KMS to manage my keys: Will I lose my keys in the Hadoop KMS when I start to use Ranger KMS? Will they all be copied over to the Ranger KMS seamlessly during Ranger KMS install?

Also, my second question is on trying to set up Ranger KMS. I'm able to see policies in my Ranger KMS UI at 6080 enforced:

For example,

# after updating ranger kms policy to include public permissions to create keys
>> sudo sudo -u hdfs hadoop key create testkeyfromcli1 -size 256 
testkeyfromcli1 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=256, description='null
KMSClientProvider[http:/XXXXX.com:9292/kms/v1/] has been updated.
# after updating policies to only allow keyadmin permissions to create keys
>> sudo sudo -u hdfs hadoop key create testkeyfromcli2 -size 256
testkeyfromcli2 has not been created. org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs-189 not allowed toeyfromcli2'

But when I log into Ranger KMS UI using keyadmin, I notice

1) When I try to view the keys under my kms repo, I see the error: Unauthenticated : Please check the premission in the policy for the use

2) When I try to Test Connection I see: Connection Failed. Unable to connect repository with given config for hdpClusterName_kms.

Do you know why I can't connect? My KMS URL is: kms://http@XXXXXX.com:9292/kms.

In my kms.log, when I try to view the keys in the repo, I do see:

Caused by: java.lang.IllegalArgumentException: Failed to specify server's Kerberos principal name
        at org.apache.hadoop.security.SaslRpcClient.getServerPrincipal(SaslRpcClient.java:322)
        at org.apache.hadoop.security.SaslRpcClient.createSaslClient(SaslRpcClient.java:231)
        at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:159)
        at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
        at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:555)
        at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:370)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:724)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:720)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:720)
        ... 30 more

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Updating to Ranger KMS after previously used Hadoop KMS

@Anna Shaverdian

1] For this, existing keys need to be imported into Ranger KMS (using a script provided by Ranger KMS)

2] Please check your KMS repo configuration. Looks like you are using kerberos, but the repo config user name is not a valid kerberos user. Please refer the docs here. http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03...

Since KMS repo is already created, username needs to be changed directly in the ranger UI, not in Ambari.

1 REPLY 1

Re: Updating to Ranger KMS after previously used Hadoop KMS

@Anna Shaverdian

1] For this, existing keys need to be imported into Ranger KMS (using a script provided by Ranger KMS)

2] Please check your KMS repo configuration. Looks like you are using kerberos, but the repo config user name is not a valid kerberos user. Please refer the docs here. http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03...

Since KMS repo is already created, username needs to be changed directly in the ranger UI, not in Ambari.

Don't have an account?
Coming from Hortonworks? Activate your account here