I realize that is why the request is failing. Is it possible to DISABLE user authentication on the KMS, just so I can see that it works?
On Tue, Apr 25, 2017 at 7:33 PM, Ramesh Mani <rm...@hortonworks.com> wrote:

> Lukas,
>
> Please check where user “pebradley” has the necessary policy to create
> and list key? AuthorizationException happens if the user is not allowed to
> do this.
>
> Thanks,
> Ramesh
>
>
> From: Lukas Bradley <lukasbrad...@gmail.com>
> Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
> Date: Tuesday, April 25, 2017 at 11:03 AM
> To: "user@ranger.apache.org" <user@ranger.apache.org>, "
> cohei...@apache.org" <cohei...@apache.org>
> Subject: Re: Apache Ranger 0.7.0 KMS - Error on Hadoop Key Create
>
> Okay, I got a little farther using 1.0.0-SNAPSHOT. Looks like I need to
> specify keyadmin/keyadmin on the request...? I don't see how that's
> possible with 'hadoop key'. I also don't see any username/password
> settings for the "hadoop.security.*" XML config files. Any input?
>
> [pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas5
> lukas5 has not been created.
> org.apache.hadoop.security.authorize.AuthorizationException:
> User:pebradley not allowed to do 'CREATE_KEY' on 'lukas5'
>
> For what it's worth, I'm also unable to list keys:
>
> [pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key list
> Cannot list keys for KeyProvider: KMSClientProvider[http://
> localhost:9292/kms/v1/]:
> org.apache.hadoop.security.authorize.AuthorizationException:
> User:pebradley not allowed to do 'GET_KEYS'
>
>
> On Tue, Apr 25, 2017 at 11:46 AM, Colm O hEigeartaigh <cohei...@apache.org
> > wrote:
>
>> What version of Hadoop? Works ok for me with latest 1.0.0-SNAPSHOT kms
>> service + Hadoop 2.7.3.
>>
>> Colm.
>>
>> On Mon, Apr 24, 2017 at 8:43 PM, Lukas Bradley <lukasbrad...@gmail.com>
>> wrote:
>>
>>> Packet dump from request:
>>>
>>> 15:17:34.387644 IP localhost.localdomain.56098 >
>>> localhost.localdomain.armtechdaemon: Flags [P.], seq 1:368, ack 1, win
>>> 342, options [nop,nop,TS val 814963529 ecr 2670919199], length 367
>>> E....A@.@............"$L.l.~%.1....V.......
>>> 0.[I.2..POST /kms/v1/keys HTTP/1.1
>>> Cookie: hadoop.auth="u=pebradley&p=pebradley&t=simple-dt&e=149309745
>>> 4254&s=XFsdjOCr/LLEGp+ZhFA3dsUQPcA="
>>> Content-Type: application/json
>>> Cache-Control: no-cache
>>> Pragma: no-cache
>>> User-Agent: Java/1.8.0_121
>>> Host: localhost:9292
>>> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
>>> Connection: keep-alive
>>> Content-Length: 75
>>>
>>>
>>> 15:17:34.387666 IP localhost.localdomain.armtechdaemon >
>>> localhost.localdomain.56098: Flags [.], ack 368, win 350, options
>>> [nop,nop,TS val 2670919323 ecr 814963529], length 0
>>> E..4..@.@.).........$L."%.1..l.....^.(.....
>>> .2..0.[I
>>> 15:17:34.387705 IP localhost.localdomain.56098 >
>>> localhost.localdomain.armtechdaemon: Flags [P.], seq 368:443, ack 1,
>>> win 342, options [nop,nop,TS val 814963529 ecr 2670919323], length 75
>>> E....B@.@..4........."$L.l..%.1....V.s.....
>>> 0.[I.2..{
>>> "cipher" : "AES/CTR/NoPadding",
>>> "name" : "lukas2",
>>> "length" : 128
>>> }
>>>
>>> On Mon, Apr 24, 2017 at 3:01 PM, Lukas Bradley <lukasbrad...@gmail.com>
>>> wrote:
>>>
>>>> I have successfully used the Apache Hadoop KMS with HDFS for
>>>> encryption. I'm now attempting to integrate the Ranger 0.7.0 KMS
>>>> implementation. I feel I have configured everything correctly, but I'm
>>>> getting the following exceptions when attempting to create a key.
>>>>
>>>> On the command line:
>>>>
>>>> [pebradley@cognosprod hadoop-2.7.3]$ bin/hadoop key create lukas
>>>> l has not been created. java.io.IOException: HTTP status [500], message
>>>> [Internal Server Error]
>>>> java.io.IOException: HTTP status [500], message [Internal Server Error]
>>>> at org.apache.hadoop.util.HttpExceptionUtils.validateResponse(H
>>>> ttpExceptionUtils.java:169)
>>>> at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSC
>>>> lientProvider.java:546)
>>>> at org.apache.hadoop.crypto.key.kms.KMSClientProvider.call(KMSC
>>>> lientProvider.java:504)
>>>> at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKey
>>>> Internal(KMSClientProvider.java:677)
>>>> at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createKey
>>>> (KMSClientProvider.java:685)
>>>> at org.apache.hadoop.crypto.key.KeyShell$CreateCommand.execute(
>>>> KeyShell.java:483)
>>>> at org.apache.hadoop.crypto.key.KeyShell.run(KeyShell.java:79)
>>>> at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>>>> at org.apache.hadoop.crypto.key.KeyShell.main(KeyShell.java:515)
>>>>
>>>> In the KMS Plugin logs within /usr/local/ranger-kms/ews/logs/kms.log:
>>>>
>>>> 2017-04-24 14:41:27,473 ERROR [webservices-driver] - Servlet.service()
>>>> for servlet [webservices-driver] in context with path [/kms] threw
>>>> exception
>>>> java.lang.NullPointerException
>>>> at org.apache.http.client.utils.URLEncodedUtils.parse(URLEncode
>>>> dUtils.java:235)
>>>> at org.apache.hadoop.security.token.delegation.web.ServletUtils
>>>> .getParameter(ServletUtils.java:48)
>>>> at org.apache.hadoop.security.token.delegation.web.DelegationTo
>>>> kenAuthenticationHandler.managementOperation(DelegationToken
>>>> AuthenticationHandler.java:171)
>>>> at org.apache.hadoop.security.authentication.server.Authenticat
>>>> ionFilter.doFilter(AuthenticationFilter.java:514)
>>>> at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFil
>>>> ter.doFilter(KMSAuthenticationFilter.java:129)
>>>>
>>>> In the very least, the Hadoop command line is communicating with KMS
>>>> for the operation, but it appears as if something is missing.
>>>>
>>>> Any insights?
>>>>
>>>> Lukas
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>
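
Added example, not part of the original thread: a small Python parser for the `hadoop.auth` cookie seen in the quoted packet dump, showing which user the KMS request carries (the `u=` field, the same name the AuthorizationException reports) and when the token expires. The function names are illustrative, and the field meanings (`u`, `p`, `t`, `e` in epoch milliseconds, trailing `s` signature) are taken from Hadoop's authentication token format, not from the thread.

```python
from datetime import datetime, timedelta, timezone

# Cookie header value copied from the packet dump quoted in the thread,
# with the mail client's line wrap inside the e= field rejoined.
SAMPLE_COOKIE = (
    'hadoop.auth="u=pebradley&p=pebradley&t=simple-dt'
    '&e=1493097454254&s=XFsdjOCr/LLEGp+ZhFA3dsUQPcA="'
)

REQUIRED = ("u", "p", "t", "e")


def parse_hadoop_auth(cookie):
    """Return the token fields of a hadoop.auth cookie as a dict."""
    name, _, value = cookie.partition("=")
    if name.strip() != "hadoop.auth":
        raise ValueError("not a hadoop.auth cookie")
    value = value.strip().strip('"')
    # The signature is the trailing "&s=<base64>" part. Split on its last
    # occurrence and do not URL-decode: base64 can contain '+', '/' and '='.
    token, sep, signature = value.rpartition("&s=")
    if not sep or not signature:
        raise ValueError("token is unsigned")
    fields = dict(pair.partition("=")[::2] for pair in token.split("&"))
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError("missing token fields: " + ", ".join(missing))
    # e= is the expiry in milliseconds since the Unix epoch (assumption
    # stated in the lead-in); integer math avoids float rounding.
    secs, millis = divmod(int(fields["e"]), 1000)
    expires = (datetime.fromtimestamp(secs, tz=timezone.utc)
               + timedelta(milliseconds=millis))
    return {
        "user": fields["u"],
        "principal": fields["p"],
        "auth_type": fields["t"],
        "expires": expires,
        "signature": signature,
    }


def is_expired(token, now):
    """True when the token's expiry is at or before `now` (timezone-aware)."""
    return token["expires"] <= now


if __name__ == "__main__":
    tok = parse_hadoop_auth(SAMPLE_COOKIE)
    print(tok["user"], tok["auth_type"], tok["expires"].isoformat())
```

For the captured request this reports user `pebradley` with type `simple-dt`, so the Ranger KMS policy evaluated is the one for `pebradley`, not `keyadmin`.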