CDH KMS 測試
0、用戶說明
- [x] keyAdminUser用戶是key admin user
- [x] hdfs 用 戶是 hdfs super user
- [x] user_a 、 user_b 是HDFS普通用戶
1、創建keytab
按照下面的辦法創建keytab
addprinc -randkey ourui
xst -norandkey -k ourui.keytab ourui
2、到key admin 用戶創建給user_a的 key
kinit -kt keyAdminUser.keytab keyAdminUser
hadoop key create user_a_key2
結果如下:
[root@**** ~]# kinit -kt keyAdminUser.keytab keyAdminUser
[root@**** ~]# hadoop key create user_a_key2
user_a_key2 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@6221a451 has been updated.
3、到hdfs用戶給user_a 創建目錄並賦權、創建zone
kinit -kt hdfs.keytab hdfs
hadoop fs -mkdir /tmp/user_a_kms4test
hadoop fs -chown user_a:analysis_group /tmp/user_a_kms4test
hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test
結果如下
[root@**** ~]# kinit -kt hdfs.keytab hdfs
[root@**** ~]# hadoop fs -mkdir /tmp/user_a_kms4test
[root@**** ~]# hadoop fs -chown user_a:idc_analysis_group /tmp/user_a_kms4test
[root@**** ~]# hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test
Added encryption zone /tmp/user_a_kms4test
4、到user_a用戶上傳文件、並測試可讀性
kinit -kt user_a.keytab user_a
echo "Hello World" > /tmp/helloWorld.txt
hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
rm /tmp/helloWorld.txt
結果如下:
[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn1.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn2.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
put: User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
17/04/11 18:18:45 ERROR hdfs.DFSClient: Failed to close inode 1404823
從結果看2 user_a對user_a_key2沒有 DECRYPT_EEK權限,這時候就設計到可以的白名單設置了。下面我們到kms-acl.xml文件裏面配置該key的權限
<property>
<name>key.acl.user_a_key2.DECRYPT_EEK</name>
<value>user_a</value>
<description>
ACL for decryptEncryptedKey operations.
</description>
</property>
滾動重啓KMS server,
我們繼續寫入數據
[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
[root@**** ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user_a@a.b.NET
Valid starting Expires Service principal
04/11/2017 18:18:18 04/12/2017 18:18:18 krbtgt/a.b.NET@a.b.NET
renew until 04/18/2017 18:18:18
數據寫入成功,測試讀數據
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
Hello World
讀數據成功。
5、到user_b用戶讀取上傳數據
[root@**** ~]# kinit -kt user_b.keytab user_b
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
6、到hdfs用戶讀取上傳數據
[root@**** ~]# kinit -kt hdfs.keytab hdfs
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2'