
Accessing external files in an encrypted zone on HDFS using webhdfs — Vertica Forum

poojan, Vertica Employee
edited June 2021 in Tips from the Team

If you try to open a file in an encrypted zone using curl, it fails. As you can see, it is complaining that the 'hdfs' user did not have permission to run DECRYPT_EEK (even though I am using the 'test_user' user).

curl -L --negotiate -u : "http://namenode1:9870/webhdfs/v1/tmp/encr/test.txt?op=OPEN"
{"RemoteException":{"exception":"AuthorizationException","javaClassName":"org.apache.hadoop.security.authorize.AuthorizationException","message":"User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdp_cluster_key'"}

The solution is to remove hdfs from the hadoop.kms.blacklist.DECRYPT_EEK property in hdfs-site.xml.

curl -L --negotiate -u : "http://namenode1:9870/webhdfs/v1/tmp/encr/test.txt?op=OPEN&user.name=test_user"
a|1
b|2

Vertica's webhdfs support uses the curl library under the hood to access the WebHDFS REST API, so removing hdfs from the blacklist will also enable Vertica to read from an encrypted HDFS zone.

References:
HWX: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_hdfs_admin_tools/content/webhdfs-hdfs-encr.html
Cloudera: https://www.cloudera.com/documentation/enterprise/5-5-x/topics/cdh_sg_kms_security.html
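
A diagnostic for the failure described in this post, added here as an example and not part of the original post or of Vertica's code: it parses the WebHDFS RemoteException body and checks whether the denied user appears in the matching hadoop.kms.blacklist.* property. The function names, the "hdfs, yarn" property value and the sample XML are constructed for illustration, and it assumes the property sits in a standard Hadoop `<configuration>` XML file.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample config; the blacklist value is an assumption for illustration.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs, yarn</value>
  </property>
</configuration>"""

# Constructed error body carrying the message shown in the post.
SAMPLE_ERROR = json.dumps({"RemoteException": {
    "exception": "AuthorizationException",
    "javaClassName": "org.apache.hadoop.security.authorize.AuthorizationException",
    "message": "User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdp_cluster_key'"}})

DENIAL = re.compile(r"User:(\S+) not allowed to do '(\w+)' on '([^']+)'")
PREFIX = "hadoop.kms.blacklist."

def kms_blacklists(site_xml):
    """Map KMS operation -> set of blacklisted users from a Hadoop site XML string."""
    result = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            users = (prop.findtext("value") or "").split(",")
            result[name[len(PREFIX):]] = {u.strip() for u in users if u.strip()}
    return result

def parse_denial(body):
    """Return (user, operation, key) from a RemoteException body, or None."""
    try:
        exc = json.loads(body)["RemoteException"]
    except (ValueError, KeyError, TypeError):
        return None  # file contents, truncated JSON, or a different response
    if not isinstance(exc, dict) or exc.get("exception") != "AuthorizationException":
        return None
    match = DENIAL.search(exc.get("message", ""))
    return match.groups() if match else None

def explain(body, site_xml):
    """Report whether a blacklist entry in the config accounts for the denial."""
    denial = parse_denial(body)
    if denial is None:
        return "not a KMS authorization denial"
    user, op, key = denial
    if user in kms_blacklists(site_xml).get(op, set()):
        return f"{user} is in {PREFIX}{op} (key {key})"
    return f"{user} is not in {PREFIX}{op} (key {key})"

if __name__ == "__main__":
    print(explain(SAMPLE_ERROR, SAMPLE_SITE_XML))
```

Running it against the live config before and after the change confirms that the blacklist entry, rather than some other setting, is what produced the denial.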
