Please take this survey to help us learn more about how you use third party tools. Your input is greatly appreciated!

Accessing external files in an encrypted zone on HDFS using webhdfs

poojanpoojan Employee
edited June 2021 in Tips from the Team

If you try to open a file in encrypted zone using curl it fails. As you can see, it is complaining that the 'hdfs' user did not have permission to run DECRYPT_EEK (even though I am using 'test_user' user).

curl -L --negotiate -u : "http://namenode1:9870/webhdfs/v1/tmp/encr/test.txt?op=OPEN"
{"RemoteException":{"exception":"AuthorizationException","javaClassName":"org.apache.hadoop.security.authorize.AuthorizationException","message":"User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdp_cluster_key'"}

Solution is to remove hdfs from the hadoop.kms.blacklist.DECRYPT_EEK property from hdfs-site.xml

curl -L --negotiate -u : "http://namenode1:9870/webhdfs/v1/tmp/encr/test.txt?op=OPEN&user.name=test_user"
a|1
b|2

Vertica's webhdfs uses curl lib underneath the hood to access the webhdfs rest API so removing hdfs from blacklist will also enable Vertica to read from encrypted hdfs zone.

Refer
HWX: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_hdfs_admin_tools/content/webhdfs-hdfs-encr.html
Cloudera: https://www.cloudera.com/documentation/enterprise/5-5-x/topics/cdh_sg_kms_security.html

Tagged:
Sign In or Register to comment.

Can't find what you're looking for? Search the Vertica Documentation, Knowledge Base, or Blog for more information.