Configuring Apache HDFS Encryption

Configure WebHDFS for HDFS Encryption

How to configure WebHDFS so that it can read and write files in HDFS encryption zones.

Recommendations

WebHDFS is supported for writing and reading files to and from encryption zones.

To access encrypted files via WebHDFS, complete the following steps:

  1. To enable WebHDFS in hdfs-site.xml, set the dfs.webhdfs.enabled property to true:
    <property>
       <name>dfs.webhdfs.enabled</name>
       <value>true</value>
    </property>
  2. Make sure that you have separate HDFS administrative and service users, as described in “Create an HDFS Admin User”.
  3. Remove the HDFS service user from the blacklist:
    KMS supports a blacklist and a whitelist for key access (through kms-acls.xml). By default the hdfs service user is included in the blacklist for DECRYPT_EEK operations. To support WebHDFS, the HDFS service user must not be on the key access blacklist.
    1. To edit the blacklist using Ambari, go to Ranger KMS -> Configs, and search for "blacklist" or open the Advanced dbks-site list.
    2. Remove hdfs from the hadoop.kms.blacklist.DECRYPT_EEK property.
    3. Restart Ranger KMS.
  4. The HDFS service user must have GENERATE_EEK and DECRYPT_EEK permissions. To add the permissions using the Ranger Web UI, select the Access Manager tab -> Resource Based Policies (the default Access Manager view). Select the key store, select the policy, and click the edit icon. In the Permissions column click the edit icon and check the boxes for GenerateEEK and DecryptEEK. Then click Save.

  5. Because the HDFS service user will have access to all keys, the HDFS service user should not also be the HDFS administrative user. Specify a different user as the administrative user in hdfs-site.xml.
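The steps above boil down to three checks on two Hadoop configuration files: WebHDFS is enabled, the hdfs service user is not on the KMS DECRYPT_EEK/GENERATE_EEK blacklist, and the service user is not also the cluster administrator. The following audit script is an added example, not part of this documentation or of Hadoop itself. It parses Hadoop-style <configuration> XML with the standard library and reports any of the three conditions that are violated. The sample hdfs-site.xml and kms-acls.xml documents embedded below are constructed for the example; the property names dfs.webhdfs.enabled and hadoop.kms.blacklist.DECRYPT_EEK are the ones named in the steps, while dfs.cluster.administrators is assumed here as the hdfs-site.xml property that defines the separate admin user (the page itself does not name it).

```python
"""Audit Hadoop XML configs for the WebHDFS-with-HDFS-encryption prerequisites.

Added example; not part of the Hortonworks documentation or of Hadoop.
"""
import xml.etree.ElementTree as ET


def parse_hadoop_config(xml_text):
    """Return {name: value} for every <property> in a Hadoop <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            # findtext returns "" for an empty <value/>, which we treat as "unset"
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def acl_users(acl_value):
    """Users named by a Hadoop ACL string ("user1,user2 group1,group2"): the part before the
    first space is the user list. Blacklist and administrator properties use this format."""
    users_part = acl_value.split(" ", 1)[0]
    return {u.strip() for u in users_part.split(",") if u.strip()}


def audit_webhdfs_encryption(hdfs_site_xml, kms_acls_xml, service_user="hdfs"):
    """Return a list of findings; an empty list means the three prerequisites hold."""
    hdfs = parse_hadoop_config(hdfs_site_xml)
    kms = parse_hadoop_config(kms_acls_xml)
    findings = []

    # Step 1: WebHDFS must be switched on.
    if hdfs.get("dfs.webhdfs.enabled", "").lower() != "true":
        findings.append("dfs.webhdfs.enabled is not true in hdfs-site.xml")

    # Steps 3-4: the service user needs both EEK operations, so it must not be blacklisted
    # for either one. A blacklist of "*" blocks everyone, including the service user.
    for op in ("DECRYPT_EEK", "GENERATE_EEK"):
        prop = "hadoop.kms.blacklist." + op
        blocked = acl_users(kms.get(prop, ""))
        if "*" in blocked or service_user in blocked:
            findings.append("%s is blacklisted for %s (%s)" % (service_user, op, prop))

    # Step 5: the key-holding service user must not also be the cluster administrator.
    # dfs.cluster.administrators is assumed as the property defining the admin ACL.
    admins = acl_users(hdfs.get("dfs.cluster.administrators", ""))
    if not admins:
        findings.append("dfs.cluster.administrators is empty; no separate HDFS admin user")
    elif "*" in admins or service_user in admins:
        findings.append("%s is in dfs.cluster.administrators; use a separate admin user"
                        % service_user)
    return findings


# Constructed sample configs: a cluster before the steps were applied ...
HDFS_SITE_BEFORE = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>false</value></property>
  <property><name>dfs.cluster.administrators</name><value>hdfs</value></property>
</configuration>"""
KMS_ACLS_BEFORE = """<configuration>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>hdfs</value></property>
  <property><name>hadoop.kms.blacklist.GENERATE_EEK</name><value></value></property>
</configuration>"""

# ... and the same cluster after WebHDFS is enabled, hdfs is removed from the
# blacklist, and a dedicated "hdfsadmin" user is made the administrator.
HDFS_SITE_AFTER = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>true</value></property>
  <property><name>dfs.cluster.administrators</name><value>hdfsadmin</value></property>
</configuration>"""
KMS_ACLS_AFTER = """<configuration>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value></value></property>
  <property><name>hadoop.kms.blacklist.GENERATE_EEK</name><value></value></property>
</configuration>"""


if __name__ == "__main__":
    for label, site, acls in (("before", HDFS_SITE_BEFORE, KMS_ACLS_BEFORE),
                              ("after", HDFS_SITE_AFTER, KMS_ACLS_AFTER)):
        problems = audit_webhdfs_encryption(site, acls)
        print(label + ":", "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Against the constructed "before" pair the script reports three findings (WebHDFS disabled, hdfs blacklisted for DECRYPT_EEK, hdfs doubling as administrator); against the "after" pair it reports none. To run it on a real cluster, read the two files from the Hadoop and KMS configuration directories and pass their contents to audit_webhdfs_encryption; the ACL parsing only inspects the user portion of each value, so a service user that is blacklisted via a group membership would need a group-aware check.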