Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

hdfs crypto -createZone gives error RemoteException: User:**** not allowed to do 'GET_METADATA' on '*****'

Highlighted

hdfs crypto -createZone gives error RemoteException: User:**** not allowed to do 'GET_METADATA' on '*****'

New Contributor

We are running HDP cluster version 3.1.5 with Ranger KMS configured. Ranger is configured to sync with AD for authentication.

 

I tried creating a local user, named apencruser, on Linux as it is recommended to use a dedicated superuser for encryption. But this user is not synced with Ranger as Ranger is configured to sync users from AD. So, the Ranger KMS permissions cannot be applied to the local user(apencruser).

 

Because of this, "hdfs crypto -createZone ..." command failed. But then, when we try to login as hdfs user, for which the RangerKMS permissions are defined properly, we still get error that apencruser doesn't have required permissions.

 

How can force hdfs command to use "hdfs" user instead of "apencruser". We even tried removing the newly created apencruser userid. But still the error is the same.

 

[hdfs@sigma-02 ~]$ hdfs crypto -createZone -keyName ap_prod_encr_key -path /warehouse/tablespace/managed/hive/sec.db
RemoteException: User:apencruser not allowed to do 'GET_METADATA' on 'ap_prod_encr_key'

2 REPLIES 2

Re: hdfs crypto -createZone gives error RemoteException: User:**** not allowed to do 'GET_METADATA' on '*****'

Mentor

@isanas 
I remember writing a long document on the steps either in HWX/Cloudera community. Ranger will automatically sync local users whose USERID is above 500

Please let me know if you what me to do a walkthrough, in that case, I will ask you to give me an accurate scenario and the version of HDP.
Happy hadooping  

Highlighted

Re: hdfs crypto -createZone gives error RemoteException: User:**** not allowed to do 'GET_METADATA' on '*****'

New Contributor

Thanks @Shelton . But as I mentioned earlier, I have set the sync source to LDAP / AD. As per Cloudera customer support, we cannot sync Unix and LDAP / AD at the same time. 

 

For the issue which I faced, I restarted Ranger KMS, and tried again using "hdfs" user. And was able to create the encryption zone.

Don't have an account?
Coming from Hortonworks? Activate your account here