Okay, I got a little farther using 1.0.0-SNAPSHOT. Looks like I need to specify keyadmin/keyadmin on the request...? I don't see how that's possible with 'hadoop key'. I also don't see any username/password settings for the "hadoop.security.*" XML config files. Any input?
[pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas5
lukas5 has not been created. org.apache.hadoop.security.authorize.AuthorizationException: User:pebradley not allowed to do 'CREATE_KEY' on 'lukas5'

For what it's worth, I'm also unable to list keys:

[pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key list
Cannot list keys for KeyProvider: KMSClientProvider[ http://localhost:9292/kms/v1/]: org.apache.hadoop.security.authorize.AuthorizationException: User:pebradley not allowed to do 'GET_KEYS'

On Tue, Apr 25, 2017 at 11:46 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:

> What version of Hadoop? Works ok for me with latest 1.0.0-SNAPSHOT kms
> service + Hadoop 2.7.3.
>
> Colm.
>
> On Mon, Apr 24, 2017 at 8:43 PM, Lukas Bradley <lukasbrad...@gmail.com>
> wrote:
>
>> Packet dump from request:
>>
>> 15:17:34.387644 IP localhost.localdomain.56098 > localhost.localdomain.armtechdaemon: Flags [P.], seq 1:368, ack 1, win 342, options [nop,nop,TS val 814963529 ecr 2670919199], length 367
>> E....A@.@............"$L.l.~%.1....V.......
>> 0.[I.2..POST /kms/v1/keys HTTP/1.1
>> Cookie: hadoop.auth="u=pebradley&p=pebradley&t=simple-dt&e=1493097454254&s=XFsdjOCr/LLEGp+ZhFA3dsUQPcA="
>> Content-Type: application/json
>> Cache-Control: no-cache
>> Pragma: no-cache
>> User-Agent: Java/1.8.0_121
>> Host: localhost:9292
>> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
>> Connection: keep-alive
>> Content-Length: 75
>>
>>
>> 15:17:34.387666 IP localhost.localdomain.armtechdaemon > localhost.localdomain.56098: Flags [.], ack 368, win 350, options [nop,nop,TS val 2670919323 ecr 814963529], length 0
>> E..4..@.@.).........$L."%.1..l.....^.(.....
>> .2..0.[I
>> 15:17:34.387705 IP localhost.localdomain.56098 > localhost.localdomain.armtechdaemon: Flags [P.], seq 368:443, ack 1, win 342, options [nop,nop,TS val 814963529 ecr 2670919323], length 75
>> E....B@.@..4........."$L.l..%.1....V.s.....
>> 0.[I.2..{
>> "cipher" : "AES/CTR/NoPadding",
>> "name" : "lukas2",
>> "length" : 128
>> }
>>
>> On Mon, Apr 24, 2017 at 3:01 PM, Lukas Bradley <lukasbrad...@gmail.com>
>> wrote:
>>
>>> I have successfully used the Apache Hadoop KMS with HDFS for
>>> encryption. I'm now attempting to integrate the Ranger 0.7.0 KMS
>>> implementation. I feel I have configured everything correctly, but I'm
>>> getting the following exceptions when attempting to create a key.
>>>
>>> On the command line:
>>>
>>> [pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas
>>> l has not been created. java.io.IOException: HTTP status [500], message [Internal Server Error]
>>> java.io.IOException: HTTP status [500], message [Internal Server Error]
>>>     at org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:169)
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:546)
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSClientProvider.java:504)
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKeyInternal(KMSClientProvider.java:677)
>>>     at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKey(KMSClientProvider.java:685)
>>>     at org.apache.hadoop.crypto.key.KeyShell$CreateCommand.execute(KeyShell.java:483)
>>>     at org.apache.hadoop.crypto.key.KeyShell.run(KeyShell.java:79)
>>>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>>>     at org.apache.hadoop.crypto.key.KeyShell.main(KeyShell.java:515)
>>>
>>> In the KMS Plugin logs within /usr/local/ranger-kms/ews/logs/kms.log:
>>>
>>> 2017-04-24 14:41:27,473 ERROR [webservices-driver] - Servlet.service() for servlet [webservices-driver] in context with path [/kms] threw exception
>>> java.lang.NullPointerException
>>>     at org.apache.http.client.utils.URLEncodedUtils.parse(URLEncodedUtils.java:235)
>>>     at org.apache.hadoop.security.token.delegation.web.ServletUtils.getParameter(ServletUtils.java:48)
>>>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.managementOperation(DelegationTokenAuthenticationHandler.java:171)
>>>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:514)
>>>     at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:129)
>>>
>>> In the very least, the Hadoop command line is communicating with KMS for
>>> the operation, but it appears as if something is missing.
>>>
>>> Any insights?
>>>
>>> Lukas
>>>
>>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com