[
https://issues.apache.org/jira/browse/HADOOP-11479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14278650#comment-14278650
]
Ranadip commented on HADOOP-11479:
----------------------------------
Test ACL config attached.
If hdfs is included in the sections key.acl.ranskey1.GENERATE_EEK and
key.acl.ranskey1.READ, it works.
Without those changes, it just shows RemoteException on the shell with no error
message:
<quote>
[ranadip@server ~]$ hdfs crypto -createZone -keyName ranskey1 -path
/user/ranadip.dir/enc
RemoteException:
</quote>
On KMS log, it shows:
<quote>
2015-01-15 11:49:46,447 WARN org.apache.hadoop.security.UserGroupInformation:
PriviledgedActionException as:hdfs/*masked*@*masked* (auth:KERBEROS)
cause:org.apache.hadoop.security.authorize.AuthorizationException: User [hdfs]
is not authorized to perform [READ] on key with ACL name [ranskey1]!!
</quote>
> hdfs crypto -createZone fails to impersonate the real user in a kerberised
> environment
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11479
> URL: https://issues.apache.org/jira/browse/HADOOP-11479
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0
> Environment: CentOS
> Reporter: Ranadip
> Attachments: KMS-test-acl.txt
>
>
> The problem occurs when KMS key level acl is created for the key before the
> encryption zone is created. The command tried to create the encryption zone
> using "hdfs" user's identity and not the real user's identity.
> Steps:
> In a kerberised environment:
> 1. Create key level ACL in KMS for a new key.
> 2. Create encryption key now. (Goes through fine)
> 3. Create encryption zone. (Fails)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
