We are running HDP cluster version 3.1.5 with Ranger KMS configured. Ranger is configured to sync with AD for authentication.
I tried creating a local user, named apencruser, on Linux as it is recommended to use a dedicated superuser for encryption. But this user is not synced with Ranger as Ranger is configured to sync users from AD. So, the Ranger KMS permissions cannot be applied to the local user(apencruser).
Because of this, "hdfs crypto -createZone ..." command failed. But then, when we try to login as hdfs user, for which the RangerKMS permissions are defined properly, we still get error that apencruser doesn't have required permissions.
How can force hdfs command to use "hdfs" user instead of "apencruser". We even tried removing the newly created apencruser userid. But still the error is the same.
[hdfs@sigma-02 ~]$ hdfs crypto -createZone -keyName ap_prod_encr_key -path /warehouse/tablespace/managed/hive/sec.db
RemoteException: User:apencruser not allowed to do 'GET_METADATA' on 'ap_prod_encr_key'
Please let me know if you what me to do a walkthrough, in that case, I will ask you to give me an accurate scenario and the version of HDP.
Thanks @Shelton . But as I mentioned earlier, I have set the sync source to LDAP / AD. As per Cloudera customer support, we cannot sync Unix and LDAP / AD at the same time.
For the issue which I faced, I restarted Ranger KMS, and tried again using "hdfs" user. And was able to create the encryption zone.