Transparent Encryption Recommendations for Hue
Make /user/hue
an encryption zone because Oozie workflows and other
Hue-specific data are stored there by default. When you create the encryption zone, name the key
hue-key
to take advantage of auto-generated KMS ACLs.
Steps
On a cluster without Hue currently installed, create the
/user/hue
directory and make it an encryption
zone.
On a cluster with Hue already installed:
- Create an empty
/user/hue-tmp
directory. - Make
/user/hue-tmp
an encryption zone. - DistCp all data from
/user/hue
into/user/hue-tmp
. - Remove
/user/hue
and rename/user/hue-tmp
to/user/hue
.
KMS ACL Configuration for Hue
In the KMS ACLs, grant the hue
and oozie
users and groups
DECRYPT_EEK
permission for the Hue key:
<property>
<name>key.acl.hue-key.DECRYPT_EEK</name>
<value>oozie,hue oozie,hue</value>
</property>