01-18-2019
06:46 AM
Hi, It's not uncommon for our documentation team to cross-link pages to avoid duplication within our documentation. However, with that said, I'll pass your feedback along to our documentation team.
01-16-2019
04:11 PM
Hello,

The KMS service within the Hadoop framework is responsible for handling key material. The KMS is not responsible for encrypting or decrypting data. The KTS is not connected to access control over data. All encrypted data handling occurs within the DFS client framework.

1.) You will need to review and understand the concepts laid out in our documentation and upstream related to securing the KMS. Cloudera ships a secure-by-default ACL configuration. New keys are not automatically allotted any access controls. No users are authorized to access new keys which have undefined access controls. The KMS ACL engine is designed to control key release and it is not in any way connected to the underlying HDFS POSIX controls. The ACL engine indirectly controls access to encrypted data by controlling access to key material.
https://www.cloudera.com/documentation/enterprise/5-16-x/topics/cdh_sg_kms_acl_config.html

2.) Your question here is moderately confusing. HDFS Encryption is transparent to the DFS client. If a user is authorized to perform decrypt EEK operations they may view the encrypted data. Raw encrypted data is not normally visible to clients in the capacity I believe you are attempting to describe outside the context of the raw end point exposed to the supergroup users.

3.) You can access the raw data end point as a super user if you would like to verify that the data is encrypted. This information is documented publicly in both upstream and in our documentation.
hdfs dfs -ls /.reserved/raw/

4.) The Generate EEK operation is handled internally by the HDFS service user and is not normally exposed to operators. If you are a Cloudera customer you should reach out to your account team for additional training and details.
12-11-2018
09:11 AM
It looks like a connection issue to your mysql db, is it? Also, are you sure that the hostname resolution works in your case correctly? You try mysql from command line without specifying the host (so it connects locally) but in your config there is a FQDN defined.
11-16-2018
07:11 AM
1 Kudo
The /var/lib/kms-keytrustee/keytrustee/.keytrustee folder on both the kms hosts should match and unfortunately they do not in our cluster. So if a key create request goes to one kms host and retrieval goes to another kms host, the command fails.

[root@host]# md5sum /var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg
fec74c82e3da7f04f2acd36a937072b5 /var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg
[root@host]# md5sum /var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg
88483e6a8ee1d245d3c83b740fd43683 /var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg

Used bdr tool to take a backup of encrypted zones in the same cluster, purged all keys, dropped all zones. Used rsync to sync /var/lib/kms-keytrustee/keytrustee/.keytrustee on both kms hosts, created all keys, zones and used bdr to restore the data from backup. Everything looks good now!!
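The mismatch described in the post above can be detected before key requests start failing; the following is an added example, not part of the original post or of any Cloudera tooling, that compares checksum output collected from each KMS host. The digests and path are the ones quoted in the post, while the host labels `kms-1` and `kms-2` and all function names are assumptions made for illustration.

```python
import re

# Sample md5sum output per KMS host. The digests and path are the ones quoted
# in the post; the host labels kms-1 and kms-2 are placeholders.
KEYRING = "/var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg"
SAMPLE = {
    "kms-1": "[root@host]# md5sum " + KEYRING + "\n"
             "fec74c82e3da7f04f2acd36a937072b5 " + KEYRING + "\n",
    "kms-2": "[root@host]# md5sum " + KEYRING + "\n"
             "88483e6a8ee1d245d3c83b740fd43683 " + KEYRING + "\n",
}

# "<hex digest> <path>"; also matches sha256sum output and the "*" binary marker.
LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(.+)$")


def parse_manifest(text):
    """Map path -> lowercase digest, ignoring shell prompts and other noise."""
    digests = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            digests[match.group(2)] = match.group(1).lower()
    return digests


def mismatched_files(outputs):
    """outputs: {host: checksum output}. Return {path: {host: digest or None}}
    for every path whose digest is not identical on all hosts (None = missing)."""
    parsed = {host: parse_manifest(text) for host, text in outputs.items()}
    result = {}
    for path in sorted(set().union(*parsed.values())):
        per_host = {host: parsed[host].get(path) for host in parsed}
        if len(set(per_host.values())) > 1:
            result[path] = per_host
    return result


if __name__ == "__main__":
    for path, per_host in mismatched_files(SAMPLE).items():
        print("MISMATCH", path)
        for host, digest in sorted(per_host.items()):
            print("   ", host, digest or "missing")
```
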
10-26-2018
04:17 PM
1 Kudo
Hi, Unfortunately service migrations from platform to platform are not exceptionally easy to complete. This type of migration is normally handled by our service teams. The process typically requires a number of steps including but not limited to understanding your active use cases and what services you have in your existing cluster. Please reach out to our sales team or your account team if you are an actively licensed customer for guidance.
06-19-2018
09:30 AM
Has this situation improved over the past year? Is there any public information on how to secure the back-end database connections?
03-07-2018
07:34 AM
Thanks for the explanation.
03-06-2018
12:24 PM
Hello,

There may be any number of reasons why the system appears to be resolving the hostnames differently. One of the main factors which can affect how DNS resolution occurs on a system is the content of /etc/nsswitch.conf on network enabled calls. Under normal conditions the order listed in this configuration file would be files and then dns, but some integration tools or patterns like the use of sssd may alter the ordering of lookups.

If you would like to see what the agent is attempting to report to the Host Monitor service you may use the DnsTest class built directly into the agent code, in addition to any python based test. To do this you can use a command similar to the one shown below, though you will need to alter the final file naming class path to match your agent version. Note that the output is formatted in JSON.

[root@master-1 ~]# /usr/java/jdk1.7.0_67-cloudera/bin/java -classpath /usr/share/cmf/lib/agent-5.12.0.jar com.cloudera.cmon.agent.DnsTest
{"status": "0", "ip": "192.0.2.2", "hostname": "master-1.example.com", "canonicalname": "master-1.example.com", "localhostDuration": "10", "canonicalnameDuration": "1" }
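A Python-based test of the kind the post above mentions, as an added example that is not the agent's DnsTest code and not part of the original post: it reads the `hosts:` lookup order from nsswitch.conf and resolves the local host name through the system resolver. The sample file content is constructed, and the function names, the `ms` key and the conditions flagged by `findings` are assumptions chosen for this sketch.

```python
import ipaddress
import re
import socket
import time

# Constructed sample: an /etc/nsswitch.conf where sssd was placed first.
SAMPLE_NSSWITCH = "passwd: files sss\nhosts: sss files [NOTFOUND=return] dns  # order\n"


def hosts_lookup_order(nsswitch_text):
    """Return the sources on the 'hosts:' line in the order they are tried."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # Drop [STATUS=action] items; only the source names matter here.
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []


def resolve_report(hostname=None):
    """Resolve this host's name; 'ms' is the total lookup time in milliseconds."""
    hostname = hostname or socket.gethostname()
    start = time.monotonic()
    canonical = socket.getfqdn(hostname)
    try:
        ip = socket.gethostbyname(canonical)
    except OSError:
        ip = None
    return {"hostname": hostname, "canonicalname": canonical, "ip": ip,
            "ms": round((time.monotonic() - start) * 1000)}


def findings(report):
    """Flag results that often explain an unexpected host identity (assumed checks)."""
    issues = []
    if "." not in report["canonicalname"]:
        issues.append("canonical name is not fully qualified")
    if report["ip"] is None:
        issues.append("canonical name does not resolve to an address")
    elif ipaddress.ip_address(report["ip"]).is_loopback:
        issues.append("canonical name resolves to a loopback address")
    return issues


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as handle:
        print("hosts order:", hosts_lookup_order(handle.read()))
    report = resolve_report()
    print(report, findings(report))
```
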
02-22-2018
11:22 AM
@GeKas, You are correct. Thank you for clarifying that EXTERNAL means NOT EMBEDDED. An external database server can be on the same host as Cloudera Manager. -Ben
01-08-2018
11:36 AM
Thanks Ben. Also, do we have any updates that are announced by Cloudera in terms of CDH upgrade required for Meltdown or Spectre apart from OS patches? Thanks!!