I'm trying to set up HDFS encryption with Ranger KMS on HDP 2.4.
I was able to deploy and configure the KMS service. I've created a key and an access policy to grant all permissions to the hdfs user for operating with this key.
I'm able to create an encrypted zone with:
sudo -uhdfs hdfs mkdir /data_enc
sudo -uhdfs hdfs crypto -createZone -keyName hdfskey -path /data_enc
However, when I try to put a file into the directory, I get this error:
sudo -uhdfs hdfs dfs -put /tmp/file.txt /data_enc/
...
User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdfskey'
The hdfs user has all permissions for this key, including DECRYPT_EEK. Does anyone know what could go wrong?
The hdfs user is blacklisted by default for decrypt operations in Ranger. It is possible that this blacklisting is overriding the DECRYPT_EEK permission given to the key.
Edit the property hadoop.kms.blacklist.DECRYPT_EEK in either the Advanced dbks-site menu in Ranger or in dbks-site.xml.
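As an added example (not code from the thread or from Ranger itself), here is a small POSIX shell check that reads the hadoop.kms.blacklist.DECRYPT_EEK property out of a dbks-site.xml and reports whether a given user is on the blacklist, which is the first thing to verify when a key policy grants DECRYPT_EEK but the KMS still refuses it. The dbks-site.xml it parses is a constructed sample written to a temp file; the function names kms_decrypt_blacklist and kms_user_blacklisted are this example's own.

```shell
# Added example: check whether a user is on the Ranger KMS DECRYPT_EEK blacklist.
# The sample dbks-site.xml below is constructed for the demo; only the property
# name comes from the answer above.

TMPDIR="${TMPDIR:-/tmp}"
SAMPLE_CONF="$TMPDIR/dbks-site.sample.xml"

# Constructed sample config: the blacklist lists hdfs, which is what the
# answer describes as the default.
cat > "$SAMPLE_CONF" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property>
    <name>hadoop.kms.blacklist.DECRYPT_EEK</name>
    <value>hdfs</value>
  </property>
  <property>
    <name>hadoop.kms.acl.GET_METADATA</name>
    <value>*</value>
  </property>
</configuration>
EOF

# Print the comma-separated user list stored in hadoop.kms.blacklist.DECRYPT_EEK.
# Assumes the Hadoop *-site.xml layout where <name> and <value> of a property
# sit on their own lines; prints nothing if the property is absent.
kms_decrypt_blacklist() {
  conf="$1"
  awk '
    /<name>hadoop\.kms\.blacklist\.DECRYPT_EEK<\/name>/ { want = 1; next }
    want && /<value>/ {
      sub(/.*<value>/, ""); sub(/<\/value>.*/, ""); print; exit
    }
  ' "$conf"
}

# Return 0 if USER appears in the blacklist, 1 otherwise.
# Entries are comma-separated; surrounding whitespace is ignored.
kms_user_blacklisted() {
  user="$1"; conf="$2"
  list=$(kms_decrypt_blacklist "$conf")
  old_ifs="$IFS"; IFS=','
  for entry in $list; do
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$entry" = "$user" ]; then
      IFS="$old_ifs"
      return 0
    fi
  done
  IFS="$old_ifs"
  return 1
}

# Stand-alone run: report the status of the user from the question.
if kms_user_blacklisted hdfs "$SAMPLE_CONF"; then
  echo "hdfs is in hadoop.kms.blacklist.DECRYPT_EEK; key ACLs will not override it"
else
  echo "hdfs is not blacklisted for DECRYPT_EEK"
fi
```

The blacklist is checked before the key ACL, which is why granting DECRYPT_EEK in the Ranger policy has no effect while the user is listed; it exists so that the HDFS superuser, which can already read every encrypted file's bytes, cannot also obtain the decrypted data key. Before removing hdfs from the list, consider whether the data should instead be written as a dedicated, non-superuser service account, which keeps that separation intact.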