The hdfs user is a superuser only for HDFS; for key operations it needs to have permissions. Login to Ranger using keyadmin/keyadmin and see if there are KMS policies giving access to the "hdfs" user. If not, grant these permissions.

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, September 16, 2016 at 10:38 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Exception while creating encryption zone

As he's the superadmin user, he should be able to do so, right? If not, how can I test this?

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-16 16:20 GMT+02:00 Velmurugan Periasamy <vperias...@hortonworks.com>:

Loïc:

Can you make sure the hdfs user has permissions for key operations (especially GENERATE_EEK and GET_METADATA) and try again?

Thank you,
Vel

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, September 16, 2016 at 8:53 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Exception while creating encryption zone

Hi all,

Using tcpdump, I investigated a little bit more, and I found that there isn't any call from the host where I run my "hdfs crypto -createZone -keyName test_lchanel -path /user/lchanel" to port 9292 of the host where Ranger KMS is located. So it seems it is a configuration or runtime problem.

Does anyone have an idea about where to investigate next?

Thanks,
Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-13 11:20 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:

Hi all,

As I was trying to test Ranger KMS, I encountered some troubles. I created an AES-128 key with Ranger KMS named test_lchanel, and as I wanted to use it to encrypt my home repository using:

hdfs crypto -createZone -keyName test_lchanel -path /user/lchanel

I got the following exception:

16/09/13 11:11:26 WARN retry.RetryInvocationHandler: Exception while invoking ClientNamenodeProtocolTranslatorPB.createEncryptionZone over null. Not retrying because try once and fail.
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.authorize.AuthorizationException):
    at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1552)
    at org.apache.hadoop.ipc.Client.call(Client.java:1496)
    at org.apache.hadoop.ipc.Client.call(Client.java:1396)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
    at com.sun.proxy.$Proxy10.createEncryptionZone(Unknown Source)
    at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.createEncryptionZone(ClientNamenodeProtocolTranslatorPB.java:1426)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:278)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:194)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:176)
    at com.sun.proxy.$Proxy11.createEncryptionZone(Unknown Source)
    at org.apache.hadoop.hdfs.DFSClient.createEncryptionZone(DFSClient.java:3337)
    at org.apache.hadoop.hdfs.DistributedFileSystem.createEncryptionZone(DistributedFileSystem.java:2233)
    at org.apache.hadoop.hdfs.client.HdfsAdmin.createEncryptionZone(HdfsAdmin.java:307)
    at org.apache.hadoop.hdfs.tools.CryptoAdmin$CreateZoneCommand.run(CryptoAdmin.java:142)
    at org.apache.hadoop.hdfs.tools.CryptoAdmin.run(CryptoAdmin.java:73)
    at org.apache.hadoop.hdfs.tools.CryptoAdmin.main(CryptoAdmin.java:82)
RemoteException:

As I know the CPU must support AES to use such things, I checked on each server's iLO admin interface and it seems my CPU supports AES-128. In addition, hadoop checknative returns a correct result:

16/09/13 11:16:48 INFO bzip2.Bzip2Factory: Successfully loaded & initialized native-bzip2 library system-native
16/09/13 11:16:48 INFO zlib.ZlibFactory: Successfully loaded & initialized native-zlib library
Native library checking:
hadoop:  true /usr/hdp/2.5.0.0-1245/hadoop/lib/native/libhadoop.so.1.0.0
zlib:    true /lib64/libz.so.1
snappy:  true /usr/hdp/2.5.0.0-1245/hadoop/lib/native/libsnappy.so.1
lz4:     true revision:99
bzip2:   true /lib64/libbz2.so.1
openssl: true /usr/lib64/libcrypto.so

Does someone see where my problem might come from?

Thanks,
Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)
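The point Vel makes in the thread is that being the HDFS superuser says nothing about Ranger KMS authorization: creating an encryption zone makes the NameNode (running as "hdfs") ask the KMS for key metadata and an encrypted data-encryption key, so that user needs GENERATE_EEK and GET_METADATA on the key in a KMS policy. The script below is an added example, not code from the thread or from the Ranger project. It checks an exported Ranger KMS policy list offline for exactly that gap. The policy JSON layout (`resources.keyname.values`, `policyItems`, `denyPolicyItems`, `accesses[].type`) and the lowercase access-type names (`generateeek`, `getmetadata`) are assumptions about the Ranger KMS service definition; the sample policies are constructed for the example.

```python
"""Offline check: does a user hold the Ranger KMS accesses that
`hdfs crypto -createZone` needs on a given key?

Assumed policy layout (not taken from the thread): a list of policy dicts
in the shape Ranger's policy export uses, as I understand it.
"""
import fnmatch
import json

# Accesses the NameNode needs for zone creation (named GENERATE_EEK and
# GET_METADATA in the thread; lowercase form assumed for Ranger's service def).
REQUIRED_FOR_CREATE_ZONE = {"generateeek", "getmetadata"}


def load_policies(path):
    """Read a Ranger policy export (JSON list of policies) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _key_matches(policy, key_name):
    """Ranger key resources are wildcard patterns; honour isExcludes too."""
    res = policy.get("resources", {}).get("keyname", {})
    hit = any(fnmatch.fnmatchcase(key_name, pat) for pat in res.get("values", []))
    return (not hit) if res.get("isExcludes") else hit


def _item_applies(item, user, groups):
    """A policy item applies if it names the user, one of the user's groups,
    or Ranger's built-in catch-all group 'public'."""
    if user in item.get("users", []):
        return True
    item_groups = set(item.get("groups", []))
    return "public" in item_groups or bool(item_groups & groups)


def _accesses(item):
    return {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}


def granted_accesses(policies, user, key_name, groups=()):
    """Accesses allowed to `user` on `key_name` across enabled, matching
    policies, minus anything explicitly denied via denyPolicyItems."""
    groups = set(groups)
    allowed, denied = set(), set()
    for pol in policies:
        if not pol.get("isEnabled", True) or not _key_matches(pol, key_name):
            continue  # disabled policies and non-matching keys grant nothing
        for item in pol.get("policyItems", []):
            if _item_applies(item, user, groups):
                allowed |= _accesses(item)
        for item in pol.get("denyPolicyItems", []):
            if _item_applies(item, user, groups):
                denied |= _accesses(item)
    return allowed - denied


def missing_for_create_zone(policies, user, key_name, groups=()):
    """Sorted list of required accesses the user still lacks (empty = OK)."""
    return sorted(REQUIRED_FOR_CREATE_ZONE - granted_accesses(policies, user, key_name, groups))


# Constructed sample export: what a cluster might look like before the fix.
SAMPLE_POLICIES = [
    {"name": "kms-keyadmin", "isEnabled": True,
     "resources": {"keyname": {"values": ["*"], "isExcludes": False}},
     "policyItems": [{"users": ["keyadmin"], "groups": [],
                      "accesses": [{"type": t, "isAllowed": True} for t in
                                   ("create", "delete", "rollover", "setkeymaterial",
                                    "getkeys", "getmetadata", "generateeek", "decrypteek")]}]},
    {"name": "hadoop-group-metadata", "isEnabled": True,
     "resources": {"keyname": {"values": ["*"], "isExcludes": False}},
     "policyItems": [{"users": [], "groups": ["hadoop"],
                      "accesses": [{"type": "getmetadata", "isAllowed": True}]}]},
    {"name": "test_lchanel-owner", "isEnabled": True,
     "resources": {"keyname": {"values": ["test_lchanel"], "isExcludes": False}},
     "policyItems": [{"users": ["lchanel"], "groups": [],
                      "accesses": [{"type": "decrypteek", "isAllowed": True},
                                   {"type": "getmetadata", "isAllowed": True}]}]},
    # A disabled grant must not count; this is the trap an audit should catch.
    {"name": "hdfs-generateeek-disabled", "isEnabled": False,
     "resources": {"keyname": {"values": ["*"], "isExcludes": False}},
     "policyItems": [{"users": ["hdfs"], "groups": [],
                      "accesses": [{"type": "generateeek", "isAllowed": True}]}]},
]

# Constructed policy that closes the gap for the key named in the thread.
FIX_POLICY = {
    "name": "hdfs-create-zone-test_lchanel", "isEnabled": True,
    "resources": {"keyname": {"values": ["test_lchanel"], "isExcludes": False}},
    "policyItems": [{"users": ["hdfs"], "groups": [],
                     "accesses": [{"type": "generateeek", "isAllowed": True},
                                  {"type": "getmetadata", "isAllowed": True}]}],
}

if __name__ == "__main__":
    before = missing_for_create_zone(SAMPLE_POLICIES, "hdfs", "test_lchanel", groups={"hadoop"})
    after = missing_for_create_zone(SAMPLE_POLICIES + [FIX_POLICY], "hdfs", "test_lchanel", groups={"hadoop"})
    print("hdfs missing before fix:", before)   # ['generateeek']
    print("hdfs missing after fix: ", after)    # []
```

Run it against a real export with `load_policies("kms-policies.json")` in place of `SAMPLE_POLICIES`; an empty list for the "hdfs" user on the zone's key means the Ranger side is not the blocker, and the next place to look is whether the NameNode is reaching the KMS at all, as Loïc's tcpdump observation suggests.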