Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

the role of GENERATE_EEK and GET_METADATA in hdfs transparent encryption

Highlighted

the role of GENERATE_EEK and GET_METADATA in hdfs transparent encryption

Rising Star

I am little unclear on what the ACL for GENERATE_EEK and GET_METADATA allow.

From a naive understanding of HDFS transparent encryption it seems that GENERATE_EEK would be a request to generate an EDEK for an encryption zone (EZ).

So say supposed I create a key using the keyadmin user called keyforuserA

And create an encryption zone for userA under /ezforuserA given userA read write permissions on that ez.

Next create a policy for that key , keyforuserA and give userA DECRYPT_EEK permissions.

Now this userA can read and write any file to the EZ in /ezforuserA

When a userA wants to perform a write in the EZ the namenode requests KMS to generate and EDEK which is then handed off back to userA and since userA can do a DECRYPT_EEK on keyforuserA he is both able to read and write in the EZ.

when does the GENERATE_EEK come into play ? does the hdfs user need this permission for every key ?

similar question for GET_METADATA .. when does this come into play ?

Don't have an account?
Coming from Hortonworks? Activate your account here