Transparent Encryption Recommendations for Cloudera Data Explorer (Hue)
Make /user/hue an encryption zone because Oozie workflows and other Data Explorer-specific data are stored there by default. When you create the encryption zone, name the key hue-key to take advantage of auto-generated KMS ACLs.
Steps
On a cluster without Data Explorer currently installed, create the /user/hue directory and make it an encryption zone.
On a cluster with Data Explorer already installed:
- Create an empty /user/hue-tmp directory.
- Make /user/hue-tmp an encryption zone.
- DistCp all data from /user/hue into /user/hue-tmp.
- Remove /user/hue and rename /user/hue-tmp to /user/hue.
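The steps for a cluster with Data Explorer already installed, written out as commands. This is an added example, not part of the original page or Cloudera's own tooling. It assumes hue-key does not exist yet, that the caller holds key-admin and HDFS superuser rights, and that Hue and Oozie are stopped during the copy.

```shell
#!/bin/sh
# Added example: move an existing /user/hue into an encryption zone.
# Assumptions (not from the original page): hue-key does not exist yet, the
# caller has key-admin and HDFS superuser rights, Hue and Oozie are stopped.
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 executes it.
# Usage: source this file, review the printed plan from migrate_hue_to_ez,
# then rerun with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
SRC=/user/hue
TMP=/user/hue-tmp
KEY=hue-key

# Print the command in dry-run mode, otherwise execute it and report failure.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@" || { echo "FAILED: $*" >&2; return 1; }
    fi
}

migrate_hue_to_ez() {
    run hadoop key create "$KEY" &&
    run hdfs dfs -mkdir "$TMP" &&
    run hdfs crypto -createZone -keyName "$KEY" -path "$TMP" &&
    # Plaintext and encrypted files have different checksums, so DistCp
    # must skip the CRC comparison when copying into the zone.
    run hadoop distcp -update -skipcrccheck "$SRC" "$TMP" &&
    # Destructive step: reached only if every earlier command succeeded.
    # -skipTrash is this example's choice, so the unencrypted data is not
    # kept in the trash directory.
    run hdfs dfs -rm -r -skipTrash "$SRC" &&
    run hdfs dfs -mv "$TMP" "$SRC" &&
    # Confirm /user/hue is now listed as a zone backed by hue-key.
    run hdfs crypto -listZones
}
```

Before restarting services, check that the owner and mode of the new /user/hue match those of the directory it replaced.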
KMS ACL Configuration for Cloudera Data Explorer (Hue)
In the KMS ACLs, grant the hue and oozie users and groups DECRYPT_EEK permission for the Data Explorer key:
<property>
<name>key.acl.hue-key.DECRYPT_EEK</name>
<value>oozie,hue oozie,hue</value>
</property>
