HDFS User impersonation on encrypted zone | Ranger KMS


HDFS User impersonation on encrypted zone | Ranger KMS

Ashish Tadose
Hi, 

Does HDFS user impersonation work on HDFS encrypted zone backed by ranger KMS?

Our Hadoop environment is configured with Kerberos and also supports creating encrypted zones in HDFS via Ranger KMS.

A specific application id has HDFS user impersonation access to impersonate users of a certain group, which works flawlessly on normal HDFS folders; however, the same is not working on encrypted zones.

PFB - Masked log extract

WARN kms.LoadBalancingKMSClientProvider: KMS provider at [<host>/kms/v1/] threw an IOException!! java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: <host>/kms/v1/keyversion/<group>%400/_eek?eek_op=decrypt&doAs=<user1>&user.name=<service-user>, status: 403, message: Forbidden
at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:551)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:831)
at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:207)
at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider$5.call(LoadBalancingKMSClientProvider.java:203)
at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.doOp(LoadBalancingKMSClientProvider.java:95)
at org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider.decryptEncryptedKey(LoadBalancingKMSClientProvider.java:203)
at org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.decryptEncryptedKey(KeyProviderCryptoExtension.java:388)
at org.apache.hadoop.hdfs.DFSClient.decryptEncryptedDataEncryptionKey(DFSClient.java:1393)
at org.apache.hadoop.hdfs.DFSClient.createWrappedInputStream(DFSClient.java:1463)
at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:333)
at org.apache.hadoop.hdfs.DistributedFileSystem$4.doCall(DistributedFileSystem.java:327)
at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at org.apache.hadoop.hdfs.DistributedFileSystem.open(DistributedFileSystem.java:340)
at com.wandisco.fs.client.ReplicatedFC.open(ReplicatedFC.java:752)
at com.wandisco.fs.client.ReplicatedFC.xlateAndOpen(ReplicatedFC.java:377)
at com.wandisco.fs.client.FusionHdfs.open(FusionHdfs.java:452)
at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:786)
at <masked-package>.EncryptFsTest.readFile(EncryptFsTest.java:118)
at <masked-package>.EncryptFsTest$1.run(EncryptFsTest.java:71)
at <masked-package>.kerberos.EncryptFsTest$1.run(EncryptFsTest.java:69)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)

Thanks in advance.

Regards, 
Ashish


Re: HDFS User impersonation on encrypted zone | Ranger KMS

Wei-Chiu Chuang-2
Hi, this is a supported use case.
Please make sure you configure the KMS proxy user correctly as well (it is separate from the HDFS proxy user settings).

On Thu, Aug 2, 2018 at 12:30 PM Ashish Tadose <[hidden email]> wrote:

--
A very happy Hadoop contributor
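The reply above points at the crux: the NameNode authorises impersonation from `hadoop.proxyuser.<svc>.*` in core-site.xml, but the KMS authorises the `doAs=` on the `_eek?eek_op=decrypt` call from its own `hadoop.kms.proxyuser.<svc>.*` table in kms-site.xml, so the two can disagree exactly as the 403 in the log shows. The following is an added example, not code from the thread or from Hadoop: it pulls the proxy user and impersonated user out of a 403 line of that shape and checks both tables side by side. It assumes the Ranger KMS reads the `hadoop.kms.proxyuser.*` properties from kms-site.xml, and the config files, host and names (`svc_app`, `alice`, `analysts`) are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample configs (not from the thread): the HDFS side grants svc_app
# impersonation of group "analysts", but the broken kms-site.xml has no matching entry.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.svc_app.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.svc_app.hosts</name><value>*</value></property>
</configuration>"""
KMS_SITE_BROKEN = "<configuration></configuration>"
KMS_SITE_FIXED = """<configuration>
  <property><name>hadoop.kms.proxyuser.svc_app.groups</name><value>analysts</value></property>
  <property><name>hadoop.kms.proxyuser.svc_app.hosts</name><value>*</value></property>
</configuration>"""
# Constructed log line shaped like the 403 in the thread, with placeholder host and names.
LOG_LINE = ("WARN kms.LoadBalancingKMSClientProvider: Authentication failed, URL: "
            "https://kms.example:9292/kms/v1/keyversion/zonekey%400/_eek?eek_op=decrypt"
            "&doAs=alice&user.name=svc_app, status: 403, message: Forbidden")

def parse_kms_403(line):
    """Return (proxy user, impersonated user) from a KMS 403 line, or None if it is not one."""
    m = re.search(r"URL: (\S+), status: 403", line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group(1)).query)   # user.name = caller, doAs = impersonated
    return qs["user.name"][0], qs["doAs"][0]

def props(xml_text):
    """Flatten a Hadoop *-site.xml into {name: value}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def proxyuser_allows(conf, prefix, proxy_user, target_user, target_groups, host):
    """Simplified form of Hadoop's proxyuser rule: (users OR groups) AND hosts; '*' = any."""
    def lst(key):
        return [v.strip() for v in conf.get(f"{prefix}.{proxy_user}.{key}", "").split(",") if v.strip()]
    users, groups, hosts = lst("users"), lst("groups"), lst("hosts")
    user_ok = "*" in users or target_user in users or "*" in groups or bool(set(groups) & set(target_groups))
    host_ok = "*" in hosts or host in hosts   # real Hadoop also matches IPs and CIDR ranges
    return user_ok and host_ok

def diagnose(core_xml, kms_xml, line, target_groups, host):
    """Check the same (proxy, target) pair against the HDFS and the KMS proxyuser tables."""
    proxy_user, target = parse_kms_403(line)
    return {
        "hdfs": proxyuser_allows(props(core_xml), "hadoop.proxyuser", proxy_user, target, target_groups, host),
        "kms": proxyuser_allows(props(kms_xml), "hadoop.kms.proxyuser", proxy_user, target, target_groups, host),
    }
```

`diagnose(CORE_SITE, KMS_SITE_BROKEN, LOG_LINE, ["analysts"], "client1")` reports `hdfs` allowed but `kms` denied, which is the symptom in the thread; with `KMS_SITE_FIXED` both sides agree.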

Re: HDFS User impersonation on encrypted zone | Ranger KMS

Ashish Tadose
Thanks a ton, will try this out.

On Fri, 3 Aug 2018 at 1:12 AM, Wei-Chiu Chuang <[hidden email]> wrote:

Re: HDFS User impersonation on encrypted zone | Ranger KMS

Sandeep Nemuri
+1 for KMS proxy user settings. 

On Fri, 3 Aug 2018 at 1:42 AM, Ashish Tadose <[hidden email]> wrote:
--
Sent from iPhone