Created 08-10-2017 12:45 PM
Hi All,
I have created an encryption zone, and I am not able to copy data into this encryption zone using USER_1, which belongs to GROUP_1. I am getting the below error:
copyFromLocal: User:USER_1 not allowed to do 'DECRYPT_EEK' on 'key1'
In Ranger KMS policies I have given full access to the group GROUP_1, but I am still facing this issue. Is it that group-level policies do not apply for Ranger KMS, or is there some configuration I have to tweak to make it work?
Please help me understand this issue and also any clue or suggestion is appreciated.
FYI, the cluster is kerberized.
Thanks in advance.
Created 08-18-2017 05:04 AM
You can see the "Select Group" column, right? Did you try putting some group name there and test it? If yes, please mention it, and if not, then please try and then mention it.
Created 08-18-2017 09:19 AM
@sachin gupta @webb wang
All the same, you should have attached your kms-acls.xml so I could visualize it. Having said that, can you add this key value in kms-acls.xml:
<name>key.acl.key4USER_1.DECRYPT_EEK</name>
<value>USER_1 GROUP_1</value>
Keep me posted.
Created 08-18-2017 11:32 AM
If you need it to solve the issue, then here's my kms-acls.xml:
<configuration>
  <property>
    <name>hadoop.kms.acl.CREATE</name>
    <value>*</value>
    <description>
      ACL for create-key operations. If the user is not in the GET ACL, the key material is not returned as part of the response.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.DELETE</name>
    <value>*</value>
    <description>
      ACL for delete-key operations.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.ROLLOVER</name>
    <value>*</value>
    <description>
      ACL for rollover-key operations. If the user is not in the GET ACL, the key material is not returned as part of the response.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.GET</name>
    <value>*</value>
    <description>
      ACL for get-key-version and get-current-key operations.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.GET_KEYS</name>
    <value>*</value>
    <description>
      ACL for get-keys operations.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.GET_METADATA</name>
    <value>*</value>
    <description>
      ACL for get-key-metadata and get-keys-metadata operations.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
    <value>*</value>
    <description>
      Complementary ACL for CREATE and ROLLOVER operations to allow the client to provide the key material when creating or rolling a key.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.GENERATE_EEK</name>
    <value>*</value>
    <description>
      ACL for generateEncryptedKey CryptoExtension operations.
    </description>
  </property>
  <property>
    <name>hadoop.kms.acl.DECRYPT_EEK</name>
    <value>*</value>
    <description>
      ACL for decryptEncryptedKey CryptoExtension operations.
    </description>
  </property>
  <property>
    <name>default.key.acl.MANAGEMENT</name>
    <value>*</value>
    <description>
      default ACL for MANAGEMENT operations for all key acls that are not explicitly defined.
    </description>
  </property>
  <property>
    <name>default.key.acl.GENERATE_EEK</name>
    <value>*</value>
    <description>
      default ACL for GENERATE_EEK operations for all key acls that are not explicitly defined.
    </description>
  </property>
  <property>
    <name>default.key.acl.DECRYPT_EEK</name>
    <value>*</value>
    <description>
      default ACL for DECRYPT_EEK operations for all key acls that are not explicitly defined.
    </description>
  </property>
  <property>
    <name>default.key.acl.READ</name>
    <value>*</value>
    <description>
      default ACL for READ operations for all key acls that are not explicitly defined.
    </description>
  </property>
</configuration>
Created 08-21-2017 11:03 AM
@Geoffrey Shelton Okot, did you get some time to visualize the kms-acls.xml file which I attached in my previous comments? The solution which you gave did not work, as I am still not able to set the policies at group level. Please let me know if you have something that we can try out.
Created 08-18-2017 01:19 PM
This is the property to change. Always make a copy of the original file first:
$ cp kms-acls.xml kms-acls.xml.bak
<property>
  <name>default.key.acl.DECRYPT_EEK</name>
  <value>*</value>
  <description>
    default ACL for DECRYPT_EEK operations for all key acls that are not explicitly defined.
  </description>
</property>
What's the name of the key.acl.key / decrypt key for USER_1?
Assuming it's test, then you should have an entry like this in your kms-acls.xml:
<name>test.DECRYPT_EEK</name>
<value>USER_1 GROUP_1</value>
It is usually advisable to use Ambari to change any HDP parameter.
Please let me know, and of course restart the appropriate component for the stale configs to take effect.
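The replies above talk about which kms-acls.xml entry governs DECRYPT_EEK on a key (the per-key key.acl.<key>.DECRYPT_EEK entry versus the default.key.acl.DECRYPT_EEK fallback, with the value listing users and groups). The following is an added example, not code from this thread nor from Hadoop or Ranger: an offline evaluator that parses a kms-acls.xml and predicts whether a given user with given groups is allowed an operation on a key, following the evaluation order Hadoop KMS documents (global hadoop.kms.acl.<OP> and hadoop.kms.blacklist.<OP> first, then whitelist.key.acl.<OP>, then the per-key ACL, with default.key.acl.<OP> used only when the key has no ACL entries at all). It assumes Hadoop's AccessControlList value format: comma-separated users, a space, then comma-separated groups, with "*" meaning everyone, and it assumes that a value with a leading space (" GROUP_1") therefore lists groups only, which is how a group-level ACL would be expressed in this format. The sample file, user names and key names are constructed for the example; Ranger KMS policies are not modelled.

```python
# Added example (not from the thread, nor Hadoop's or Ranger's own code): an
# offline evaluator for the kms-acls.xml model, to predict whether a user is
# allowed to DECRYPT_EEK (or any other op) on a key before touching the cluster.
# Rules mirrored from the Hadoop KMS documentation: hadoop.kms.acl.<OP> and
# hadoop.kms.blacklist.<OP> are checked first; then whitelist.key.acl.<OP>;
# then key.acl.<key>.<OP>, or default.key.acl.<OP> only if the key has no ACL
# entries at all; a missing ACL at that stage denies. ACL values follow Hadoop's
# AccessControlList string form: comma-separated users, a space, comma-separated
# groups; "*" means everyone. Assumption: a value with a leading space
# (" GROUP_1") parses as groups only, i.e. a group-level ACL.
# Ranger KMS policies are NOT modelled here.
import xml.etree.ElementTree as ET

# Constructed sample file; every name in it is illustrative only.
SAMPLE_KMS_ACLS = """<configuration>
  <property><name>hadoop.kms.acl.DECRYPT_EEK</name><value>*</value></property>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>svc_batch</value></property>
  <property><name>key.acl.key1.DECRYPT_EEK</name><value> GROUP_1</value></property>
  <property><name>key.acl.key1.READ</name><value>USER_9</value></property>
  <property><name>default.key.acl.DECRYPT_EEK</name><value>USER_1 GROUP_1</value></property>
</configuration>"""


class Acl:
    """One Hadoop AccessControlList value ("user1,user2 group1,group2" or "*")."""

    def __init__(self, text):
        self.all_allowed = text.strip() == "*"
        # Deliberately no strip() before the split: a leading space means
        # "empty user list", i.e. a group-only ACL.
        users, _, groups = text.partition(" ")
        self.users = {u.strip() for u in users.split(",") if u.strip()}
        self.groups = {g.strip() for g in groups.split(",") if g.strip()}

    def allows(self, user, groups):
        return self.all_allowed or user in self.users or bool(self.groups & set(groups))


def load_acls(xml_text):
    """Return {property name: raw value} from a kms-acls.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""
    return props


def check_key_access(props, user, groups, op, key):
    """Return (allowed, reason) for `user` in `groups` doing `op` on `key`."""
    # Stage 1: global per-operation ACL (defaults to "*" when absent) and blacklist.
    if not Acl(props.get(f"hadoop.kms.acl.{op}", "*")).allows(user, groups):
        return False, f"denied by hadoop.kms.acl.{op}"
    blacklist = props.get(f"hadoop.kms.blacklist.{op}")
    if blacklist is not None and Acl(blacklist).allows(user, groups):
        return False, f"listed in hadoop.kms.blacklist.{op}"
    # Stage 2: a whitelist match grants access regardless of the per-key ACL.
    whitelist = props.get(f"whitelist.key.acl.{op}")
    if whitelist is not None and Acl(whitelist).allows(user, groups):
        return True, f"allowed by whitelist.key.acl.{op}"
    # Stage 3: per-key ACL if the key has any entries, otherwise the defaults.
    key_prefix = f"key.acl.{key}."
    base = key_prefix if any(n.startswith(key_prefix) for n in props) else "default.key.acl."
    for name in (base + op, base + "ALL"):  # ALL stands in for every key operation
        value = props.get(name)
        if value is not None:
            return Acl(value).allows(user, groups), name
    return False, f"no ACL named {base}{op}"


if __name__ == "__main__":
    acls = load_acls(SAMPLE_KMS_ACLS)
    for who, grps, key in [("USER_1", ["GROUP_1"], "key1"), ("USER_1", ["GROUP_2"], "key1"),
                           ("USER_1", ["GROUP_2"], "key2"), ("svc_batch", ["GROUP_1"], "key1")]:
        print(who, grps, key, check_key_access(acls, who, grps, "DECRYPT_EEK", key))
```

Running it against your own kms-acls.xml (load_acls(open("kms-acls.xml").read())) shows which entry a denial like "not allowed to do 'DECRYPT_EEK' on 'key1'" would come from under this model: note that once a key has any key.acl.<key>.* entry, the default.key.acl.* entries no longer apply to it, so a key with only a READ entry is denied DECRYPT_EEK even when the default is "*".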
Created 08-21-2017 11:56 AM
I have seen your attached kms-acls.xml. Have you changed the values? If so, can you copy and paste the specific entry below?
<property>
  <name>hadoop.kms.acl.DECRYPT_EEK</name>
  <value>*</value>
  <description>
    ACL for decryptEncryptedKey CryptoExtension operations.
  </description>
</property>
Created 08-22-2017 07:30 AM
No, @Geoffrey Shelton Okot, I did not change anything.
Created 08-22-2017 08:10 AM
Then change it to USER_1 and GROUP_1 and retest.
Created 08-23-2017 06:01 PM
@Geoffrey Shelton Okot, do you know of any solution in which I don't have to specify a user name? Is there no solution in which a policy can be created at group level by specifying only the group name?
Created 08-23-2017 06:26 PM
Could you tell me your Ranger or HDP version? I could reproduce it and test. Maybe also a description of what you have done, some setup steps.