[ https://issues.apache.org/jira/browse/HADOOP-11479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14280870#comment-14280870 ]
Charles Lamb commented on HADOOP-11479:
---------------------------------------
[~ranadip],
I am pretty sure that the READ exception is being thrown when the NN is doing
getMetadata. Here's the explanation:
There are KMS operation ACLs (hadoop.kms...) and KMS key ACLs
(default.key.acl...). The KMS key ACLs are more coarse-grained (MANAGEMENT,
GENERATE_EEK, DECRYPT_EEK, READ, ALL) than the KMS operation ACLs (which cover
each public KMS method call individually).
So, by default, the HDFS user has READ permission on all keys
(default.key.acl.READ=*). This gives that user access to the getKeyVersion,
getKeyVersions, getMetadata, getKeysMetadata and getCurrentKey methods.
But, then, to lock down HDFS user access to key material, you also need to add
the HDFS user to the blacklist for the following KMS operation ACLs:
CREATE, DELETE, ROLLOVER, GET, GET_KEYS, SET_KEY_MATERIAL, DECRYPT_EEK
(This is what setting the KMS Blacklist property in CM does: it is a shortcut
to setting these seven KMS operation ACLs.)
There is also a specific KMS operation ACL for GET_METADATA, but you don't want
to set that in this case.
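As an added illustration (not part of the comment or of the Hadoop project's own files), here is a kms-acls.xml fragment that expresses the configuration described above: the default key ACL stays open for READ so the NameNode can call getMetadata, while the seven operation blacklists deny the HDFS service user access to key material. The user name hdfs is assumed to be the short name of the HDFS service principal.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Key ACL (coarse-grained). Keep the default so the hdfs user can
       call getKeyVersion, getMetadata, getCurrentKey, etc. -->
  <property>
    <name>default.key.acl.READ</name>
    <value>*</value>
  </property>

  <!-- Operation ACL blacklists. Deny the hdfs service user the seven
       operations that would create, alter or reveal key material.
       "hdfs" is an assumed short name for the HDFS service principal. -->
  <property>
    <name>hadoop.kms.blacklist.CREATE</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.DELETE</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.ROLLOVER</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.GET</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.GET_KEYS</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.SET_KEY_MATERIAL</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs</value>
  </property>

  <!-- Deliberately NOT set: hadoop.kms.blacklist.GET_METADATA.
       Blacklisting hdfs there would make "hdfs crypto -createZone"
       fail with the READ exception discussed above. -->
</configuration>
```

After editing the file, check the KMS log for the ACL reload message and re-run the createZone step as the real user to confirm the exception is gone.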
> hdfs crypto -createZone fails to impersonate the real user in a kerberised
> environment
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11479
> URL: https://issues.apache.org/jira/browse/HADOOP-11479
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0
> Environment: CentOS
> Reporter: Ranadip
> Attachments: KMS-test-acl.txt
>
>
> The problem occurs when KMS key level acl is created for the key before the
> encryption zone is created. The command tried to create the encryption zone
> using "hdfs" user's identity and not the real user's identity.
> Steps:
> In a kerberised environment:
> 1. Create key level ACL in KMS for a new key.
> 2. Create encryption key now. (Goes through fine)
> 3. Create encryption zone. (Fails)