03-15-2019
07:21 PM
I have a Java client that talks to two different HDP clusters (one for reading data and the other to write data). I have currently successfully set up Ranger KMS on one of my clusters and I am able to successfully read/write data from my Java client into an encrypted zone in my cluster. Apart from setting the right policies in KMS, all I had to do was update the hdfs-site.xml and core-site.xml to point to my KMS instance. E.g. of my hdfs-site.xml changes:

    <property>
      <name>dfs.encrypt.data.transfer.cipher.suites</name>
      <value>AES/CTR/NoPadding</value>
    </property>
    <property>
      <name>dfs.encryption.key.provider.uri</name>
      <value>kms://http@<KMS_FQDN>:9292/kms</value>
    </property>

However, I want to eventually set up Ranger KMS on both my clusters. Once I do that, my Java client would have to read files from one encrypted zone in cluster #1 and write data to another encrypted zone in cluster #2. They will both be managed as separate KMS instances. How would I set this up? Would I have to include two separate properties in my hdfs-site and core-site? Or would the dfs.encryption.key.provider.uri property support a comma-separated list of KMS hosts from 2 separate clusters? E.g.:

    <property>
      <name>dfs.encryption.key.provider.uri</name>
      <value>kms://http@<CLUSTER_1_KMS_FQDN>;<CLUSTER_2_KMS_FQDN>:9292/kms</value>
    </property>

Could someone please help?

Thanks,
Amit
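One way to wire a client to two independently keyed clusters, added here as an example that is not part of the original post and not an official answer: keep one Hadoop Configuration per cluster, each carrying only that cluster's key provider URI, and open a separate FileSystem instance from each, so the DFS client for cluster 1 only ever talks to KMS 1 and the client for cluster 2 only to KMS 2. The nameservice names `cluster1`/`cluster2`, the config directories, the KMS hostnames and the file paths are assumed placeholders.

```java
import java.io.IOException;
import java.net.URI;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.IOUtils;

/** Copies one file from an encrypted zone on cluster 1 into an encrypted zone on cluster 2. */
public class CrossClusterEzCopy {

    /** Builds a client Configuration bound to exactly one cluster and exactly one KMS. */
    static Configuration clusterConf(String confDir, String kmsUri) {
        Configuration conf = new Configuration();            // loads *-default.xml plus any classpath *-site.xml
        conf.addResource(new Path(confDir, "core-site.xml")); // per-cluster files override the classpath copies
        conf.addResource(new Path(confDir, "hdfs-site.xml"));
        // Single KMS per Configuration: the DFSClient built from this conf derives its KeyProvider from it.
        conf.set("dfs.encryption.key.provider.uri", kmsUri);
        return conf;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical config directories and KMS hosts (placeholders, not real systems).
        Configuration readConf  = clusterConf("/etc/hadoop/cluster1", "kms://http@kms1.example.internal:9292/kms");
        Configuration writeConf = clusterConf("/etc/hadoop/cluster2", "kms://http@kms2.example.internal:9292/kms");

        // newInstance bypasses the FileSystem cache, so each instance keeps the conf it was created with.
        try (FileSystem src = FileSystem.newInstance(URI.create("hdfs://cluster1"), readConf);
             FileSystem dst = FileSystem.newInstance(URI.create("hdfs://cluster2"), writeConf);
             FSDataInputStream in = src.open(new Path("/ez1/input.dat"));
             FSDataOutputStream out = dst.create(new Path("/ez2/output.dat"), false)) {
            // Read side: EDEK from cluster 1's NameNode is unwrapped by KMS 1 and data decrypted in this JVM.
            // Write side: a fresh EDEK from cluster 2's NameNode is unwrapped by KMS 2 and data re-encrypted.
            // Plaintext exists only in this client's memory; neither KMS sees the other's keys.
            IOUtils.copyBytes(in, out, 64 * 1024, false);
        }
    }
}
```

Because each Configuration names one KMS, no comma-separated or multi-host value is needed in dfs.encryption.key.provider.uri; the KMS access policies on each side only have to grant this client's principal the decrypt (cluster 1) and generate/decrypt (cluster 2) rights for the respective zone keys.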