Hi, I've been implemeting a preproduction Cloudera environment in order to test HDFS Data at Rest Encryption. I managed to implement a Java KeyStore KMS succesfully (due to a lack of hardware I'm not able to deploy a KeyTrustee KMS testing). Testing my environment, I have come across that the root user will be able to gain access to the encripted data in all zones, although it is not configured as the key admin. So, if by chance someone find out the root credentials, they will be able to gather all the encripted data in clear. These are my findings: User foo is the owner of the /user/foo directory. This directory is a EncryptedZone created using the "key4foo" key [foo@management-1 ~]$ hadoop fs -put payrolls /user/foo [foo@management-1 ~]$ hadoop fs -ls /user/foo Found 2 items drwxrwxrwt - hdfs foo 0 2016-10-06 07:33 /user/foo/.Trash -rw-r--r-- 2 foo foo 51 2016-10-06 09:26 /user/foo/payrolls User foo can read the payrolls file in clear format. That's the normal behavior. [foo@management-1 ~]$ hadoop fs -cat /user/foo/payrolls Charles 1000$ Federico 2000$ Sophie 1111$ Samuel 2020$ But imagine that I'm the sysadmin of the management server and I have root user credentials. So, I would like to check how much money my boss, Charles, is earning. [root@management-1]$ hadoop fs -cat /user/root/nominas cat: User [root] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key4esteban]!! I'm not authorized, normal behavior, so I try to change file permissions. [root@management-1 ~]# hadoop fs -chmod -R 777 /user/food/ chmod: changing permissions of '/user/esteban': Permission denied. user=root is not the owner of inode=esteban Not able. So, I just google for how Hadoop KMS is configured and I come across that there's an ACL files which is named "kms-acls.xml". [root@management-1 ~]# find / -name kms-acls.xml find: ‘/proc/28573’: No such file or directory /run/cloudera-scm-agent/process/366-kms-KMS/kms-acls.xml [root@management-1 ~]# cat /run/cloudera-scm-agent/process/366-kms-KMS/kms-acls.xml | grep foo <name>key.acl.key4foo.DECRYPT_EEK</name> <value>foo</value> So, I just have to modify this file and I'd get acess to foo's encrypted zone on the fly. [root@management-1 ~]# ls -ll /run/cloudera-scm-agent/process/366-kms-KMS/kms-acls.xml -rw-r----- 1 kms kms 3918 Oct 6 09:21 /run/cloudera-scm-agent/process/366-kms-KMS/kms-acls.xm [root@management-1 ~]# cat /run/cloudera-scm-agent/process/366-kms-KMS/kms-acls.xml | grep foo <name>key.acl.key4foo.DECRYPT_EEK</name> <value>foo root</value> [root@management-1 ~]$ hadoop fs -cat /user/foo/payrolls Charles 1000$ Federico 2000$ Sophie 1111$ Samuel 2020$ Is this a security hole or am I missing something? Since this kms-acls.xml will run in the management server, will Server KeyTrustee deployment suffer the same security hole? Any help that you can provide is appreciated. BR, Juan.
... View more