Member since 10-28-2016; 392 Posts; 7 Kudos Received; 20 Solutions
01-24-2017
02:42 AM
@Carter Everett, @Ali Bajwa - any ideas on this?
01-24-2017
02:41 AM
screen-shot-2017-01-23-at-63028-pm.png screen-shot-2017-01-23-at-63106-pm.png

Hi - I'm evaluating & implementing HDP Data at Rest encryption, and the hdfs user is not able to access a file put in an HDFS encryption zone. Here is what was done:

- created hdfs folder -> /enczone1
- created key -> testkeyfromcli & an encryption zone using the key
- added 2 files to the encryption zone - /enczone1/myfile.txt & /enczone1/myfile_1.txt
- Using Ranger, created a policy to provide read/write access to user - hdfs
- Using Ranger, provided access to key - testkeyfromcli

One other step I did was run the following command to ensure the super-user does not have access to file myfile.txt ->

sudo -u hdfs hadoop fs -setfattr -n security.hdfs.unreadable.by.superuser /enczone1/myfile.txt

On running the following commands, I'm unable to access /enczone1/myfile.txt (expected result). However, I'm not able to access file /enczone1/myfile_1.txt; the error says - user hdfs is not allowed to 'DECRYPT_EEK' on 'testkeyfromcli'. However, access is already given to user - hdfs (as seen in file uploaded). Any ideas?

----------------------------------------------------------------------------------------------------------------
[root@sandbox ~]# sudo -u hdfs hdfs dfs -cat /enczone1/myfile.txt
cat: Access is denied for hdfs since the superuser is not allowed to perform this operation.
[root@sandbox ~]# sudo -u hdfs hdfs dfs -cat /enczone1/myfile_1.txt
cat: User:hdfs not allowed to do 'DECRYPT_EEK' on 'testkeyfromcli'
[root@sandbox ~]# sudo -u hdfs hdfs crypto -listZones
/zone_encr key1
/enczone1 testkeyfromcli
/enczone2 testkeyfromcli
/enczone3 key2
01-21-2017
12:24 AM
Manually created user - nn, and provided access to users 'nn' & 'hdfs' to fix the issue; reference - https://community.hortonworks.com/questions/41938/creating-encryption-zone-fails-on-a-kerberized-sin.html
01-20-2017
11:07 PM
@Ali Bajwa, @apappu - any ideas on this?
01-20-2017
11:06 PM
Hi, here is what I've done:

- Installed & set up Ranger KMS
- Created an encryption key (using superuser - encr)
- When I try to create an encryption zone, it gives the 'Remote Exception' shown below.

---------------
[encr@sandbox ~]$ hdfs crypto -createZone -keyName key1 -path /zone_encr
RemoteException:
--------------

The log file (/var/log/ranger/kms/kms.log) shows the following error -> Any ideas on what needs to be done to fix this?

----------------------------------------------------
2017-01-20 23:02:23,207 DEBUG PolicyRefresher - PolicyRefresher(serviceName=Sandbox_kms).run(): no update found. lastKnownVersion=6
2017-01-20 23:02:23,207 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=Sandbox_kms).loadPolicyfromPolicyAdmin()
2017-01-20 23:02:23,207 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=Sandbox_kms).loadPolicy()
2017-01-20 23:02:24,562 DEBUG LimitLatch - Counting up[http-bio-9292-Acceptor-0] latch=1
2017-01-20 23:02:24,563 DEBUG Http11Processor - Error parsing HTTP request header
java.io.EOFException: Unexpected EOF read on the socket
at org.apache.coyote.http11.Http11Processor.setRequestLineReadTimeout(Http11Processor.java:168)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:982)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2017-01-20 23:02:24,563 DEBUG Http11Protocol - Socket: [org.apache.tomcat.util.net.SocketWrapper@5f356f71:Socket[addr=/10.0.2.15,port=33340,localport=9292]], Status in: [OPEN_READ], State out: [CLOSED]
01-20-2017
01:44 AM
Hi All, I'm trying to set up HDFS Encryption at Rest in HDP 2.4 using Ranger KMS. My cluster is non-Kerberized; do I need to Kerberize the cluster before I can set up HDFS Encryption? Is that mandatory, or can I set up HDFS encryption in a non-Kerberized cluster also? Please note - the docs mention a Kerberos setting (but not that Kerberos is mandatory): https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/ch06s01s01s01.html Please let me know.
01-20-2017
01:31 AM
@apappu - thanks, I was able to make this work. Another question - per my understanding, I'll be able to install & use Ranger KMS in a non-Kerberized environment also. Can you please confirm? Thanks!
01-20-2017
12:22 AM
Hi. I'm trying to install Ranger KMS on HDP 2.4 (non-Kerberized cluster), and running into issues. The error I get is shown below (not able to connect to SQL Server using 'root' user). Any ideas on this?

resource_management.core.exceptions.Fail: Execution of 'python /usr/hdp/current/ranger-kms/dba_script.py -q' returned 1.
2017-01-20 00:06:01,280 [I] Running DBA setup script. QuiteMode:True
2017-01-20 00:06:01,280 [I] Using Java:/usr/lib/jvm/java/bin/java
2017-01-20 00:06:01,280 [I] DB FLAVOR:MYSQL
2017-01-20 00:06:01,288 [I] DB Host:sandbox.hortonworks.com
2017-01-20 00:06:01,294 [I] ---------- Verifing DB root password ----------
2017-01-20 00:06:01,296 [I] DBA root user password validated
2017-01-20 00:06:01,299 [I] ---------- Verifing Ranger KMS db user password ----------
2017-01-20 00:06:01,299 [I] KMS user password validated
2017-01-20 00:06:01,301 [I] ---------- Creating Ranger KMS db user ----------
2017-01-20 00:06:01,302 [JISQL] /usr/lib/jvm/java/bin/java -cp /usr/share/java/mysql-connector-java.jar:/usr/hdp/current/ranger-kms/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://sandbox.hortonworks.com/mysql -u root -p '********' -noheader -trim -c \; -query "SELECT version();"
SQLException : SQL state: 28000 java.sql.SQLException: Access denied for user 'root'@'sandbox.hortonworks.com' (using password: YES) ErrorCode: 1045
2017-01-20 00:06:02,196 [E] Can't establish db connection.. Exiting..
01-17-2017
06:50 PM
@Ali Bajwa - thanks, I was able to get it to work based on the missing parameters specified in the link https://groups.google.com/forum/#!topic/opentsdb/nZ59_xMaRvo