CDH 5.7.1 / Hadoop 2.6 HDFS Encryption with KMS in practice: functional testing

CDH KMS tests

0. Users

  • [x] keyAdminUser is the key admin user
  • [x] hdfs is the HDFS superuser
  • [x] user_a and user_b are ordinary HDFS users

1. Create keytabs

Create a keytab for each of the principals above as follows (run in kadmin.local; ourui is a placeholder for the principal name, and -norandkey, which keeps the principal's existing key instead of rotating it, is only accepted by kadmin.local):

addprinc -randkey ourui
xst -norandkey -k ourui.keytab ourui

2. As the key admin user, create a key for user_a

kinit -kt keyAdminUser.keytab   keyAdminUser
hadoop key create user_a_key2

Result:

[root@**** ~]# kinit -kt keyAdminUser.keytab   keyAdminUser
[root@**** ~]# hadoop key create user_a_key2
user_a_key2 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@6221a451 has been updated.

3. As the hdfs user, create a directory for user_a, set its ownership and create the encryption zone

kinit  -kt hdfs.keytab  hdfs
hadoop  fs -mkdir /tmp/user_a_kms4test
hadoop  fs -chown user_a:idc_analysis_group /tmp/user_a_kms4test
hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test

Result:

[root@**** ~]# kinit  -kt hdfs.keytab  hdfs
[root@**** ~]# hadoop  fs -mkdir /tmp/user_a_kms4test
[root@**** ~]# hadoop  fs -chown user_a:idc_analysis_group /tmp/user_a_kms4test
[root@**** ~]# hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test
Added encryption zone /tmp/user_a_kms4test

4. As user_a, upload a file and test that it can be read back

kinit -kt user_a.keytab user_a
echo "Hello World" > /tmp/helloWorld.txt
hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
rm /tmp/helloWorld.txt

Result:

[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn1.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn2.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
put: User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
17/04/11 18:18:45 ERROR hdfs.DFSClient: Failed to close inode 1404823

The output shows that user_a lacks DECRYPT_EEK on user_a_key2: the file was created and the NameNode obtained an encrypted data encryption key (EDEK) for it, but user_a could not get the KMS to decrypt that EDEK, so the write was aborted (hence the "Failed to close inode" error). This is where the per-key ACL (whitelist) for the key comes in. Below we grant user_a that permission in kms-acls.xml (note the file name: kms-acls.xml, not kms-acl.xml):

  <property>
    <name>key.acl.user_a_key2.DECRYPT_EEK</name>
    <value>user_a</value>
    <description>
      ACL for decryptEncryptedKey operations.
    </description>
  </property>

Roll-restart the KMS servers so the new ACL takes effect (a stock Apache KMS hot-reloads kms-acls.xml when it changes; under Cloudera Manager the file is regenerated from the KMS safety valve, so the restart is what pushes it out). One caveat: as soon as a key has any key.acl.<key>.* entry, the default.key.acl.* entries stop applying to that key, while whitelist.key.acl.* entries still do, so check that GENERATE_EEK for the NameNode (hdfs) and READ/MANAGEMENT for the key admin remain granted for this key.
We then write the data again:

[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
[root@**** ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user_a@a.b.NET

Valid starting       Expires              Service principal
04/11/2017 18:18:18  04/12/2017 18:18:18  krbtgt/a.b.NET@a.b.NET
        renew until 04/18/2017 18:18:18

The write succeeded (klist confirms the ticket in use is user_a's). Now test reading the data:

[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt                    
Hello World

Reading succeeded.

5. As user_b, read the uploaded data

[root@**** ~]# kinit -kt user_b.keytab user_b
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt 
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!

6. As the hdfs user, read the uploaded data

[root@**** ~]# kinit -kt hdfs.keytab hdfs
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt 
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2'

Note that this message differs from the one user_a and user_b received. "User [x] is not authorized to perform [OP] on key with ACL name [k]!!" comes from the per-key ACL check (key.acl.<key>.<OP>), whereas "User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2'" comes from the KMS-wide check (hadoop.kms.acl.DECRYPT_EEK and hadoop.kms.blacklist.DECRYPT_EEK), which runs first. CDH ships with hdfs in hadoop.kms.blacklist.DECRYPT_EEK by default: the HDFS superuser can read every encrypted block but must not be able to obtain the keys that decrypt them, which is exactly the separation of duties HDFS encryption zones are meant to enforce. Adding hdfs to a key.acl.* entry would not change this outcome; the blacklist is checked before any per-key ACL and wins.
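To make the two kinds of denial concrete, here is an added example (written for this page, not Hadoop's or Cloudera's code) that models the KMS authorization decision as documented for kms-acls.xml and replays the tests from steps 4 to 6. The kms-acls.xml it parses and the user-to-group map are constructed for the example; the hdfs entry in hadoop.kms.blacklist.DECRYPT_EEK mirrors the CDH default, and the default.key.acl.GENERATE_EEK entry is an assumption standing in for whatever let the NameNode generate EDEKs in the author's cluster. It also shows a pitfall the post does not run into: once key.acl.user_a_key2.DECRYPT_EEK exists, default.key.acl.* no longer applies to that key, so GENERATE_EEK for hdfs has to be granted for the key itself or through whitelist.key.acl.GENERATE_EEK.

```python
import xml.etree.ElementTree as ET

# Constructed kms-acls.xml for this example.  The DECRYPT_EEK blacklist
# mirrors the CDH default; default.key.acl.GENERATE_EEK is an assumption
# standing in for whatever lets the NameNode (running as hdfs) generate EDEKs.
BASE_KMS_ACLS_XML = """<configuration>
  <property><name>hadoop.kms.acl.DECRYPT_EEK</name><value>*</value></property>
  <property><name>hadoop.kms.acl.GENERATE_EEK</name><value>*</value></property>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>hdfs</value></property>
  <property><name>default.key.acl.GENERATE_EEK</name><value>hdfs</value></property>
</configuration>
"""

# Constructed user -> groups map; only user_a's group comes from the post.
GROUPS = {"user_a": {"idc_analysis_group"}, "user_b": set(), "hdfs": {"hdfs"}}


def load_kms_acls(xml_text):
    """Flatten kms-acls.xml <property> entries into a {name: value} dict."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        acls[prop.findtext("name")] = prop.findtext("value") or ""
    return acls


def acl_allows(acl_value, user, groups):
    """Hadoop AccessControlList semantics: "users groups", each a comma
    separated list; "*" in either part grants everyone; "" grants nobody.
    A leading space means "groups only", so the value is not stripped."""
    parts = acl_value.split(" ", 1)
    if any("*" in part for part in parts):
        return True
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    acl_groups = set()
    if len(parts) == 2:
        acl_groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return user in users or bool(set(groups) & acl_groups)


def key_op_allowed(acls, key, user, groups, op):
    """Per-key check: key.acl.<key>.* entries, if any exist, shadow
    default.key.acl.*; whitelist.key.acl.* applies either way; either <op>
    or ALL may grant; if no ACL is configured anywhere for <op>, deny."""
    prefix = f"key.acl.{key}."
    has_per_key = any(name.startswith(prefix) for name in acls)
    whitelist = acls.get(f"whitelist.key.acl.{op}")
    if not (has_per_key or f"default.key.acl.{op}" in acls or whitelist is not None):
        return False
    source = prefix if has_per_key else "default.key.acl."
    candidates = [acls.get(source + op), acls.get(source + "ALL"),
                  whitelist, acls.get("whitelist.key.acl.ALL")]
    return any(c is not None and acl_allows(c, user, groups) for c in candidates)


def kms_authorize(acls, user, groups, op, key):
    """Decision for a DECRYPT_EEK or GENERATE_EEK request (the ops whose
    KMS-wide and per-key names coincide), in the order the KMS applies it:
    KMS-wide ACL plus blacklist first, per-key ACL second.  The denial
    strings follow the two KMS error formats quoted in the post."""
    kms_acl = acls.get(f"hadoop.kms.acl.{op}", "*")      # default: everyone
    blacklist = acls.get(f"hadoop.kms.blacklist.{op}")   # default: nobody
    if not acl_allows(kms_acl, user, groups) or (
            blacklist is not None and acl_allows(blacklist, user, groups)):
        return False, f"User:{user} not allowed to do '{op}' on '{key}'"
    if not key_op_allowed(acls, key, user, groups, op):
        return False, (f"User [{user}] is not authorized to perform [{op}] "
                       f"on key with ACL name [{key}]!!")
    return True, "allowed"


def demo():
    """Replay steps 4 to 6 of the post, then show the shadowing pitfall."""
    before = load_kms_acls(BASE_KMS_ACLS_XML)
    after = dict(before)
    after["key.acl.user_a_key2.DECRYPT_EEK"] = "user_a"   # the fix from the post
    with_whitelist = dict(after)
    with_whitelist["whitelist.key.acl.GENERATE_EEK"] = "hdfs"  # or key.acl.user_a_key2.GENERATE_EEK
    hdfs = GROUPS["hdfs"]
    return {
        "user_a DECRYPT_EEK before fix": kms_authorize(before, "user_a", GROUPS["user_a"], "DECRYPT_EEK", "user_a_key2"),
        "user_a DECRYPT_EEK after fix": kms_authorize(after, "user_a", GROUPS["user_a"], "DECRYPT_EEK", "user_a_key2"),
        "user_b DECRYPT_EEK after fix": kms_authorize(after, "user_b", GROUPS["user_b"], "DECRYPT_EEK", "user_a_key2"),
        "hdfs DECRYPT_EEK after fix": kms_authorize(after, "hdfs", hdfs, "DECRYPT_EEK", "user_a_key2"),
        # The per-key entry now shadows default.key.acl.GENERATE_EEK for this key only.
        "hdfs GENERATE_EEK after fix": kms_authorize(after, "hdfs", hdfs, "GENERATE_EEK", "user_a_key2"),
        "hdfs GENERATE_EEK other key": kms_authorize(after, "hdfs", hdfs, "GENERATE_EEK", "other_key"),
        "hdfs GENERATE_EEK with whitelist": kms_authorize(with_whitelist, "hdfs", hdfs, "GENERATE_EEK", "user_a_key2"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:34s} {'ALLOW' if ok else 'DENY '} {why}")
```

Running the script prints one ALLOW/DENY line per scenario. The model only covers DECRYPT_EEK and GENERATE_EEK, the two operations whose KMS-wide and per-key ACL names are the same; for management operations the KMS-wide names (CREATE, ROLLOVER, GET_METADATA, and so on) differ from the per-key MANAGEMENT and READ types.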