This looks to be a Ranger UI issue because I have been able to update my KMS 
policy successfully using the API.

But I still am not sure if it is safe to allow the hdfs user the rights to 
“GENERATE_EEK” on my key?

Thanks.
Dale



From: Dale Bradman [mailto:da...@profusion.com]
Sent: 19 May 2017 15:35
To: user@ranger.apache.org; Sreeni <ksraju...@yahoo.com>
Subject: RE: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Hi Sreeni,

I have followed this guide previously before I upgraded the cluster from 2.4 to 
2.5 which worked successfully. I’d be keen to get some feedback/suggestions on 
why it no longer works after the upgrade rather than working through it again.

I cannot add any user to my Ranger KMS policy any more. It errors out and I can’t 
find the necessary log file to see what is happening – it just says in the red 
box “Error: Error updating policy.”

Thanks.
Dale


From: Sreeni [mailto:ksraju...@yahoo.com]
Sent: 19 May 2017 13:50
To: user@ranger.apache.org
Subject: Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Dale,

Following the Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - 
Hortonworks<https://community.hortonworks.com/content/supportkb/49505/how-to-correctly-setup-the-hdfs-encryption-using-r.html>



Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman <da...@profusion.com> wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0; 
however, I'm now facing problems running Hive queries.

Each query that invokes Tez (i.e. `insert`) results in the following error:

Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.hadoop.ipc.RemoteException(java.io.IOException): java.util.concurrent.ExecutionException: org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

$ kinit -kt /etc/security/keytabs/automation.keytab
$ beeline -u 'jdbc:hive2://hiverserver2:10000/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade.

Why is it running the script as the hdfs user? I have not added the `hdfs` user 
to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and 
also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale

