Lukas,

Please check whether user “pebradley” has the necessary policy to create and 
list keys. AuthorizationException happens if the user is not allowed to do this.

Thanks,
Ramesh


From: Lukas Bradley <lukasbrad...@gmail.com>
Reply-To: user@ranger.apache.org
Date: Tuesday, April 25, 2017 at 11:03 AM
To: user@ranger.apache.org, cohei...@apache.org
Subject: Re: Apache Ranger 0.7.0 KMS - Error on Hadoop Key Create

Okay, I got a little farther using 1.0.0-SNAPSHOT.  Looks like I need to 
specify keyadmin/keyadmin on the request...?  I don't see how that's possible 
with 'hadoop key'.  I also don't see any username/password settings for the 
"hadoop.security.*" XML config files.  Any input?

[pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas5
lukas5 has not been created. 
org.apache.hadoop.security.authorize.AuthorizationException: User:pebradley not 
allowed to do 'CREATE_KEY' on 'lukas5'

For what it's worth, I'm also unable to list keys:

[pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key list
Cannot list keys for KeyProvider: 
KMSClientProvider[http://localhost:9292/kms/v1/]: 
org.apache.hadoop.security.authorize.AuthorizationException: User:pebradley not 
allowed to do 'GET_KEYS'


On Tue, Apr 25, 2017 at 11:46 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
What version of Hadoop? Works ok for me with latest 1.0.0-SNAPSHOT kms service 
+ Hadoop 2.7.3.

Colm.

On Mon, Apr 24, 2017 at 8:43 PM, Lukas Bradley <lukasbrad...@gmail.com> wrote:
Packet dump from request:

15:17:34.387644 IP localhost.localdomain.56098 > 
localhost.localdomain.armtechdaemon: Flags [P.], seq 1:368, ack 1, win 342, 
options [nop,nop,TS val 814963529 ecr 2670919199], length 367
E....A@.@............"$L.l.~%.1....V.......
0.[I.2..POST /kms/v1/keys HTTP/1.1
Cookie: 
hadoop.auth="u=pebradley&p=pebradley&t=simple-dt&e=1493097454254&s=XFsdjOCr/LLEGp+ZhFA3dsUQPcA="
Content-Type: application/json
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: localhost:9292
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 75


15:17:34.387666 IP localhost.localdomain.armtechdaemon > 
localhost.localdomain.56098: Flags [.], ack 368, win 350, options [nop,nop,TS 
val 2670919323 ecr 814963529], length 0
E..4..@.@.).........$L."%.1..l.....^.(.....
.2..0.[I
15:17:34.387705 IP localhost.localdomain.56098 > 
localhost.localdomain.armtechdaemon: Flags [P.], seq 368:443, ack 1, win 342, 
options [nop,nop,TS val 814963529 ecr 2670919323], length 75
E....B@.@..4........."$L.l..%.1....V.s.....
0.[I.2..{
  "cipher" : "AES/CTR/NoPadding",
  "name" : "lukas2",
  "length" : 128
}

On Mon, Apr 24, 2017 at 3:01 PM, Lukas Bradley <lukasbrad...@gmail.com> wrote:
I have successfully used the Apache Hadoop KMS with HDFS for encryption. I'm 
now attempting to integrate the Ranger 0.7.0 KMS implementation. I feel I 
have configured everything correctly, but I'm getting the following exceptions 
when attempting to create a key.

On the command line:

[pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas
l has not been created. java.io.IOException: HTTP status [500], message 
[Internal Server Error]
java.io.IOException: HTTP status [500], message [Internal Server Error]
at 
org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:169)
at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:546)
at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:504)
at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKeyInternal(KMSClientProvider.java:677)
at 
org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKey(KMSClientProvider.java:685)
at 
org.apache.hadoop.crypto.key.KeyShell$CreateCommand.execute(KeyShell.java:483)
at org.apache.hadoop.crypto.key.KeyShell.run(KeyShell.java:79)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
at org.apache.hadoop.crypto.key.KeyShell.main(KeyShell.java:515)

In the KMS Plugin logs within /usr/local/ranger-kms/ews/logs/kms.log:

2017-04-24 14:41:27,473 ERROR [webservices-driver] - Servlet.service() for 
servlet [webservices-driver] in context with path [/kms] threw exception
java.lang.NullPointerException
at org.apache.http.client.utils.URLEncodedUtils.parse(URLEncodedUtils.java:235)
at 
org.apache.hadoop.security.token.delegation.web.ServletUtils.getParameter(ServletUtils.java:48)
at 
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.managementOperation(DelegationTokenAuthenticationHandler.java:171)
at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:514)
at 
org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:129)

At the very least, the Hadoop command line is communicating with KMS for the 
operation, but it appears as if something is missing.

Any insights?

Lukas






--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
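
Added example, not part of the original thread or of the Hadoop/Ranger code: a small Python parser for the `hadoop.auth` cookie seen in the packet dump and for the `AuthorizationException` lines from `hadoop key`, showing which identity the KMS request carried and which operations were denied for it. The function names are hypothetical, the input values are copied from the messages above with line wraps joined, and the cookie signature is only split off, not verified.

```python
import re
from datetime import datetime, timezone

# Values copied from the packet dump and CLI output quoted in this thread.
COOKIE = ('hadoop.auth="u=pebradley&p=pebradley&t=simple-dt'
          '&e=1493097454254&s=XFsdjOCr/LLEGp+ZhFA3dsUQPcA="')
ERRORS = [
    "org.apache.hadoop.security.authorize.AuthorizationException: "
    "User:pebradley not allowed to do 'CREATE_KEY' on 'lukas5'",
    "org.apache.hadoop.security.authorize.AuthorizationException: "
    "User:pebradley not allowed to do 'GET_KEYS'",
]
DENIED = re.compile(r"User:(?P<user>\S+) not allowed to do '(?P<op>\w+)'"
                    r"(?: on '(?P<key>[^']+)')?")

def parse_auth_cookie(cookie):
    """Split a hadoop.auth cookie into its token fields (no signature check)."""
    name, _, value = cookie.partition("=")
    if name.strip() != "hadoop.auth":
        raise ValueError("not a hadoop.auth cookie")
    # The signature is the trailing "&s=..." part; split it off first because
    # base64 text may itself end in '='.
    token, sep, signature = value.strip().strip('"').rpartition("&s=")
    if not sep:
        raise ValueError("token carries no signature")
    fields = dict(part.split("=", 1) for part in token.split("&"))
    missing = {"u", "p", "t", "e"} - fields.keys()
    if missing:
        raise ValueError(f"missing token fields: {sorted(missing)}")
    # 'e' is the expiry in milliseconds since the epoch; truncated to seconds.
    expires = datetime.fromtimestamp(int(fields["e"]) // 1000, tz=timezone.utc)
    return {"user": fields["u"], "principal": fields["p"],
            "type": fields["t"], "expires": expires, "signature": signature}

def parse_denials(lines):
    """Extract (user, operation, key name or None) from denial messages."""
    found = []
    for line in lines:
        m = DENIED.search(line)
        if m:
            found.append((m["user"], m["op"], m["key"]))
    return found

def denials_for_token(cookie, lines):
    """Operations denied to the user named in the cookie's 'u' field."""
    user = parse_auth_cookie(cookie)["user"]
    return [(op, key) for u, op, key in parse_denials(lines) if u == user]

if __name__ == "__main__":
    print(parse_auth_cookie(COOKIE))
    print(denials_for_token(COOKIE, ERRORS))
```

The `t=simple-dt` field shows the request used simple (pseudo) authentication as `pebradley`, so the denied `CREATE_KEY` and `GET_KEYS` operations are the ones a KMS policy for that user has to cover.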
