./hadoop key create key1 -provider <provider-path>
For example:
hadoop key create key5 -provider kms://http@ambari100-c.test.isilon.com:9090/kms
If you do not want to add the -provider option to every hadoop key <operation> command, find your environment below and set the hadoop.security.key.provider.path property instead.
Table 1. KMS Specifications
The following table displays the specifications for each KMS.

KMS | HDP < 2.6.x | HDP >= 3.0.1
Ranger KMS | When you add the Ranger KMS, you will be prompted with the recommended settings for the KMS provider. The property is set automatically in HDFS > Configs > Advanced > Advanced core-site. If the property is not configured automatically, add it to the custom core-site.xml file: set the property in HDFS > Configs > Advanced > Custom core-site. | Set the property in Ambari > Services > OneFS > Configs > Advanced > Custom core-site.
Other KMS | Set the property in HDFS > Configs > Advanced > Custom core-site. If the property is not configured automatically, add it to the custom core-site.xml file. | Set the property in Ambari > Services > OneFS > Configs > Advanced > Custom core-site.
Steps:

HDP version < 2.6.x -- not using Ranger KMS
- Navigate to HDFS > Configs > Advanced > Custom core-site.
- Click Add Property.
- Enter the property as: hadoop.security.key.provider.path=kms://<kms-url>/kms
  For example: hadoop.security.key.provider.path=kms://http@m105.solarch.lab.emc.com:1688/kms
- Click Add.
- Save settings.

HDP version 3.0.1 or later -- any KMS
- Navigate to Ambari > Services > OneFS > Configs > Advanced > Custom core-site.
- Click Add Property.
- Enter the property as: hadoop.security.key.provider.path=kms://<kms-url>/kms
  For example: hadoop.security.key.provider.path=kms://http@m105.solarch.lab.emc.com:9292/kms
- Click Add.
- Save settings.
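As an added example (not code from this documentation or from OneFS), the Python helper below checks that a provider path has the kms://<scheme>@<host>:<port>/kms shape used on this page, flags plain-http endpoints, and renders the core-site.xml property so a typo is caught before the KMS client fails at runtime. The multi-host form with hosts separated by ';' is assumed from Hadoop's load-balancing KMS client.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Shape used throughout this page: kms://<http|https>@<host>[;<host>...]:<port>/kms
# (several hosts separated by ';' is the HA form accepted by Hadoop's KMS client).
_KMS_URI = re.compile(r"^kms://(?P<scheme>https?)@(?P<hosts>[^:/@]+):(?P<port>\d{1,5})/kms$")


class KmsProvider(NamedTuple):
    scheme: str
    hosts: tuple
    port: int


def parse_kms_provider(uri: str) -> KmsProvider:
    """Validate a hadoop.security.key.provider.path value; ValueError if malformed."""
    m = _KMS_URI.match(uri.strip())
    if not m:
        raise ValueError(f"not a kms:// provider path: {uri!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    hosts = tuple(h for h in m.group("hosts").split(";") if h)
    if not hosts:
        raise ValueError("no KMS host given")
    return KmsProvider(m.group("scheme"), hosts, port)


def is_valid_provider(uri: str) -> bool:
    try:
        parse_kms_provider(uri)
        return True
    except ValueError:
        return False


def uses_tls(provider: KmsProvider) -> bool:
    """Plain http carries key-operation traffic in the clear; flag it for review."""
    return provider.scheme == "https"


def core_site_property(uri: str) -> str:
    """Render the <property> element to add to the custom core-site.xml."""
    parse_kms_provider(uri)  # refuse to write out a malformed value
    prop = ET.Element("property")
    ET.SubElement(prop, "name").text = "hadoop.security.key.provider.path"
    ET.SubElement(prop, "value").text = uri
    return ET.tostring(prop, encoding="unicode")
```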
Authorization Exception Errors
The OneFS Key Management Server configuration is set per zone. If you receive an Authorization Exception error similar to the following:
key1 has not been created. org.apache.hadoop.security.authorize.AuthorizationException: User:hdfs not allowed to do 'CREATE_KEY' on 'key1'
then log into Ranger as the keyadmin user (the default password is keyadmin) and perform the following step:
- Click on the KMS instance, edit the user you want to grant key administration privileges, and then save the changes.
Note that this example uses the Ranger KMS server. Follow similar procedures for other KMS servers to fix user authorization issues.