Hadoop Security Guide
Also available as:
loading table of contents...



WebHDFS is supported for writing and reading files to and from encryption zones.


To access encrypted files via WebHDFS, complete the following steps:

  1. To enable WebHDFS in hdfs-site.xml, set the dfs.webhdfs.enabled property to true:

  2. Make sure that you have separate HDFS administrative and service users, as described in Creating an HDFS Admin User.

  3. KMS supports a blacklist and a whitelist for key access (through kms-acls.xml).

    By default the hdfs service user is included in the blacklist for decrypt_eek operations. To support WebHDFS, the HDFS service user must not be on the key access blacklist. Remove the HDFS service user from the blacklist:

    1. To edit the blacklist using Ambari, go to Ranger KMS -> Configs, and search for "blacklist" or open the Advanced dbks-site list.

    2. Remove hdfs from the hadoop.kms.blacklist.DECRYPT_EEK property:

    3. Restart Ranger KMS.

  4. The HDFS service user must have GENERATE_EEK and DECRYPT_EEK permissions. To add the permissions using the Ranger Web UI, select the Access Manager tab-> Resource Based Policies (the default Access Manager view). Select the key store, select the policy, and click the edit icon. In the Permissions column click the edit icon and check the boxes for GenerateEEK and DecryptEEK. Then click Save.

  5. Because the HDFS service user will have access to all keys, the HDFS service user should not be the administrative user. Specify a different administrative user in hdfs-site.xml for the administrative user.

For more information about operational tasks using Ranger KMS, see the Ranger KMS Administration Guide.