I am a little unclear on what the ACLs for GENERATE_EEK and GET_METADATA allow.
From a naive understanding of HDFS transparent encryption it seems that GENERATE_EEK would be a request to generate an EDEK for an encryption zone (EZ).
So, suppose I create a key called keyforuserA using the keyadmin user,
and create an encryption zone for userA under /ezforuserA, giving userA read/write permissions on that EZ.
Next, I create a policy for that key, keyforuserA, and give userA DECRYPT_EEK permissions.
Now userA can read and write any file in the EZ at /ezforuserA.
When userA wants to perform a write in the EZ, the NameNode requests the KMS to generate an EDEK, which is then handed back to userA, and since userA can do a DECRYPT_EEK on keyforuserA, he is able to both read and write in the EZ.
When does GENERATE_EEK come into play? Does the hdfs user need this permission for every key?
Similar question for GET_METADATA: when does this come into play?