I'm using HDP 2.5 and I'm experiencing the issue HADOOP-12787 even though it was merged in 2.4.2.
To reproduce it, first validate that you can correctly read a file in an encryption zone:
hdfs dfs -cat /user/me/somefile.txt
Now try going through webhdfs:
hdfs dfs -cat webhdfs://hadoop1:50070/user/me/somefile.txt
I get: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
I noticed this because the FileView preview wasn't working with encrypted files.
Did you try obtaining/renewing a Kerberos ticket before trying to run webhdfs?
Also, since webhdfs internally uses the hdfs user, can you please check the property "hadoop.kms.blacklist.DECRYPT_EEK" present in "dbks-site.xml" (/etc/ranger-kms/<version>/dbks-site.xml) under Ranger-KMS? If it has the value "hdfs", that means it will not allow hdfs to decrypt the encryption key. In that case, you need to remove "hdfs" and restart RANGER-KMS.
Thanks for your response. I did kinit and can -cat the file correctly if I don't use webhdfs (so all the permissions and policies are correct for that user). I read about the hdfs blacklist in another issue in the forum, changed it, and restarted everything, but I still get the "No valid credentials provided" error. Are you able to use File View in Ambari to preview/download encrypted files?
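The blacklist setting discussed in the replies above can be checked with a script instead of by eye. This is an added example, not part of the original thread or of Ranger KMS: the sample XML is constructed, the function names are hypothetical, and it assumes the Hadoop ACL value layout (comma-separated users, one space, then comma-separated groups).

```python
import xml.etree.ElementTree as ET

# Constructed sample of a dbks-site.xml fragment (not from a real cluster).
SAMPLE_DBKS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs,yarn</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.GENERATE_EEK</name>
    <value></value>
  </property>
  <property>
    <name>some.unrelated.property</name>
    <value>hdfs</value>
  </property>
</configuration>
"""

PREFIX = "hadoop.kms.blacklist."


def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (users, groups) sets."""
    parts = (value or "").split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = set()
    if len(parts) > 1:
        groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return users, groups


def blocked_operations(xml_text, user):
    """Return the sorted KMS operations whose blacklist names `user` (or '*')."""
    blocked = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue  # only hadoop.kms.blacklist.<OPERATION> entries matter here
        users, _groups = parse_acl(prop.findtext("value"))
        if user in users or "*" in users:
            blocked.append(name[len(PREFIX):])
    return sorted(blocked)


if __name__ == "__main__":
    for candidate in ("hdfs", "me"):
        print(candidate, "blocked for:", blocked_operations(SAMPLE_DBKS_SITE, candidate))
```

To check a live node, pass the contents of the dbks-site.xml file named in the reply instead of the constructed sample.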