Webhdfs read file not working with TDE KMS

New Contributor

I'm using HDP 2.5 and I'm experiencing the issue HADOOP-12787 even though it was merged in 2.4.2.

To reproduce it, first validate you can correctly read a file in an encryption zone:

hdfs dfs -cat /user/me/somefile.txt

Now try going through webhdfs:

hdfs dfs -cat webhdfs://hadoop1:50070/user/me/somefile.txt

I get: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

I noticed this because the FileView preview wasn't working with encrypted files.

2 REPLIES

Re: Webhdfs read file not working with TDE KMS

Hi @Gonzalo Herreros,

Did you try obtaining/renewing a Kerberos ticket before trying to run webhdfs?

Also, since webhdfs internally uses the hdfs user, can you please check the property "hadoop.kms.blacklist.DECRYPT_EEK" present in "dbks-site.xml" (/etc/ranger-kms/<version>/dbks-site.xml) under Ranger-KMS? If it has the value "hdfs", that means it will not allow hdfs to decrypt the encryption key. In that case, you need to remove "hdfs" and restart RANGER-KMS.
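
An added example, not part of the reply above and not Ranger KMS code: a Python check that reads a dbks-site.xml and lists which KMS operations a given user is blacklisted from, so the setting can be verified before and after a change. The sample XML is constructed, and the value is parsed on the assumption that it uses the Hadoop ACL format (comma-separated users, a space, then comma-separated groups).

```python
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop *-site.xml format; not taken from a real cluster.
SAMPLE_DBKS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs,ambari-qa supergroup</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.GENERATE_EEK</name>
    <value> </value>
  </property>
  <property>
    <name>example.unrelated.property</name>
    <value>hdfs</value>
  </property>
</configuration>
"""

PREFIX = "hadoop.kms.blacklist."

def parse_acl(value):
    """Split an ACL string 'user1,user2 group1,group2' into (users, groups) sets."""
    parts = (value or "").strip().split(None, 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()} if parts else set()
    groups = {g.strip() for g in parts[1].split(",") if g.strip()} if len(parts) > 1 else set()
    return users, groups

def kms_blacklists(xml_text):
    """Return {operation: (users, groups)} for every hadoop.kms.blacklist.* property."""
    result = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            result[name[len(PREFIX):]] = parse_acl(prop.findtext("value"))
    return result

def blocked_operations(xml_text, user):
    """Sorted list of KMS operations the given user is explicitly blacklisted from."""
    return sorted(op for op, (users, _) in kms_blacklists(xml_text).items() if user in users)

if __name__ == "__main__":
    # On a cluster node, pass the contents of the dbks-site.xml file instead.
    print(blocked_operations(SAMPLE_DBKS_SITE, "hdfs"))
```
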

Re: Webhdfs read file not working with TDE KMS

New Contributor

Thanks for your response. I did kinit and can -cat the file correctly if I don't use webhdfs (so all the permissions and policies are correct for that user). I read about the hdfs blacklist in another issue in the forum, changed it, and restarted everything, but I still get the "No valid credentials provided" error. Are you able to use File View in Ambari to preview/download encrypted files?