Support Questions

Find answers, ask questions, and share your expertise

Webhdfs read file not working with TDE KMS

I'm using HDP 2.5 and I'm experiencing the issue HADOOP-12787 even though it was merged in 2.4.2

To reproduce it first validate you can correctly read a file in an encryption zone:

hdfs dfs -cat /user/me/somefile.txt

now try going through webhdfs:

hdfs dfs -cat webhdfs://hadoop1:50070/user/me/somefile.txt

I get: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

I noticed this because the FileView preview wasn't working with encrypted files


Hi @Gonzalo Herreros,

Did you try obtaining/renewing Kerberos ticket before trying to run webhdfs?

Also since webhdfs internally uses hdfs user, can you please check the property "hadoop.kms.blacklist.DECRYPT_EEK" present in "dbks-site.xml" (/etc/ranger-kms/<version>/dbks-site.xml) under Ranger-KMS ?? If it has the value -"hdfs", that means, it will not allow hdfs to decrypt the encryption key. In that case, you need to remove "hdfs" and restart RANGER-KMS.

Thanks for your response. I did kinit and can -cat the file correctly if I don't use webhdfs (so all the permissions and policies are correct for that user) I read about the hdfs blacklist in another issue in the forum, changed it restarted everything but still I get the "No valid credentials provided error". Are you able to use File View in Ambari to preview/download encrypted files?