This looks to be a Ranger UI issue because I have been able to update my KMS policy successfully using the API.
But I still am not sure if it is safe to allow the hdfs user the rights to “GENERATE_EEK” on my key?

Thanks.
Dale

From: Dale Bradman [mailto:da...@profusion.com]
Sent: 19 May 2017 15:35
To: user@ranger.apache.org; Sreeni <ksraju...@yahoo.com>
Subject: RE: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Hi Sreeni,

I have followed this guide previously, before I upgraded the cluster from 2.4 to 2.5, which worked successfully. I’d be keen to get some feedback/suggestions on why it no longer works after the upgrade rather than working through it again.

I cannot add any user to my Ranger KMS policy any more. It errors out and I can’t find the necessary log file to see what is happening – it just says in the red box “Error: Error updating policy.”

Thanks.
Dale

From: Sreeni [mailto:ksraju...@yahoo.com]
Sent: 19 May 2017 13:50
To: user@ranger.apache.org
Subject: Re: Ranger KMS - hdfs user not allowed to do 'GENERATE_EEK' on 'hive'

Dale,

The following Hortonworks community guide helped me.

How to correctly setup the HDFS encryption using Ranger KMS - Hortonworks <https://community.hortonworks.com/content/supportkb/49505/how-to-correctly-setup-the-hdfs-encryption-using-r.html>

Sreeni

On Friday, May 19, 2017 5:49 AM, Dale Bradman <da...@profusion.com> wrote:

Hello.

I've recently upgraded the cluster to HDP 2.5.3 as well as Ambari to 2.4.2.0; however, I'm now facing problems running Hive queries. Each query that invokes Tez (i.e. `insert`) results in the following error:

    Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.hadoop.ipc.RemoteException(java.io.IOException): java.util.concurrent.ExecutionException: org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not allowed to do 'GENERATE_EEK' on 'hive'

Here are my commands:

    $ kinit -kt /etc/security/keytabs/automation.keytab
    $ beeline -u 'jdbc:hive2://hiverserver2:10000/default;principal=hive/hiverserver2@ACTIVE.DIRECTORY' -f hive_script.hql

This is obviously something that was working before the upgrade. Why is it running the script as the hdfs user? I have not added the `hdfs` user to the 'GENERATE_EEK' property on the Ranger KMS UI as this is not advised (and also not permitted).

Are there any settings that need to be adjusted after the upgrade?

Thanks,
Dale