Created 08-10-2017 12:45 PM
Hi All,
I have created an encryption zone and I am not able to copy data into this encryption zone using USER_1 which belongs to GROUP_1 and getting the below error:
copyFromLocal: User:USER_1 not allowed to do 'DECRYPT_EEK' on 'key1'
In Ranger KMS policies I have given full access to the group GROUP_1, but I am still facing this issue. Is it that group-level policies do not apply for Ranger KMS, or is there some configuration I have to tweak to make it work?
Please help me understand this issue and also any clue or suggestion is appreciated.
FYI, the cluster is kerberized.
Thanks in advance.
Created 08-24-2017 12:40 PM
HDP is 2.5.3 and Ranger is 0.6.0
Created 08-24-2017 12:44 PM
Do you have a setup doc you used for the user, group, and creation of the encrypted zone? Or did you follow a standard Hortonworks example? If so, which one?
I really want to reproduce your environment as much as possible and test some solutions.
Created 08-24-2017 03:34 PM
I have created the encryption zone using the hdfs crypto command only; I think that's the Hortonworks standard.
Created 08-24-2017 08:38 PM
Have a look at this document. I tried to recreate your environment:
HDP 2.6, Ranger/KMS 0.7.0, Kerberized. Created opera1 {user_1}. Created group Operator {group_1}.
And the tests were successful! Please go through the document and revert. The file can't load because it is big due to screenshots. Here is the link
Please revert if you have any questions
Created 09-04-2017 06:32 AM
I told you in previous comments that I have Ranger KMS 0.6 and not 0.7, so can you please create your env with Ranger KMS 0.6 and test? And again, thanks for being helpful so far.
Created 09-21-2017 02:51 PM
@Geoffrey Shelton Okot;@sachin gupta
Have you found a solution for the problem? I have exactly the same issue: KMS works for a user, but not for a group. I did what was suggested in kms-acls.xml but it didn't work either. My Ambari is 2.5.1, HDP 2.6.1. Thanks.
Created 09-21-2017 05:09 PM
@Gregory Yao I could not find any solution for this. If you find any solution for this, please post here; I still have this issue in my environment.