CDH 5.7.1 / Hadoop 2.6 HDFS Encryption with KMS in Practice: Functional Testing
2017-04-11 16:41
CDH KMS test
0. Users involved
[x] keyAdminUser is the key admin user
[x] hdfs is the HDFS superuser
[x] user_a and user_b are ordinary HDFS users
1. Create the keytabs
Create each keytab as follows (kadmin commands, shown here for a principal named ourui):
addprinc -randkey ourui
xst -norandkey -k ourui.keytab ourui
2. As the key admin user, create a key for user_a
kinit -kt keyAdminUser.keytab keyAdminUser
hadoop key create user_a_key2
The result:
[root@**** ~]# kinit -kt keyAdminUser.keytab keyAdminUser
[root@**** ~]# hadoop key create user_a_key2
user_a_key2 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@6221a451 has been updated.
3. As the hdfs user, create a directory for user_a, set its ownership, and create the encryption zone
kinit -kt hdfs.keytab hdfs
hadoop fs -mkdir /tmp/user_a_kms4test
hadoop fs -chown user_a:analysis_group /tmp/user_a_kms4test
hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test
The result:
[root@**** ~]# kinit -kt hdfs.keytab hdfs
[root@**** ~]# hadoop fs -mkdir /tmp/user_a_kms4test
[root@**** ~]# hadoop fs -chown user_a:idc_analysis_group /tmp/user_a_kms4test
[root@**** ~]# hdfs crypto -createZone -keyName user_a_key2 -path /tmp/user_a_kms4test
Added encryption zone /tmp/user_a_kms4test
4. As user_a, upload a file and test that it can be read back
kinit -kt user_a.keytab user_a
echo "Hello World" > /tmp/helloWorld.txt
hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
rm /tmp/helloWorld.txt
The result:
[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn1.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://lpsllfdrcn2.lfidcwanda.cn:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
put: User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
17/04/11 18:18:45 ERROR hdfs.DFSClient: Failed to close inode 1404823
The output shows that user_a has no DECRYPT_EEK permission on user_a_key2 (even a write into the zone needs it, because the client must unwrap the file's encrypted data encryption key before it can encrypt the data). This is where the per-key whitelist comes in. Below we configure the ACL for this key in kms-acls.xml:
<property>
  <name>key.acl.user_a_key2.DECRYPT_EEK</name>
  <value>user_a</value>
  <description>
    ACL for decryptEncryptedKey operations.
  </description>
</property>
After a rolling restart of the KMS servers, we try the write again:
[root@**** ~]# hadoop fs -put /tmp/helloWorld.txt /tmp/user_a_kms4test
[root@**** ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user_a@a.b.NET
Valid starting       Expires              Service principal
04/11/2017 18:18:18  04/12/2017 18:18:18  krbtgt/a.b.NET@a.b.NET
        renew until 04/18/2017 18:18:18
The write succeeded; now test reading the data:
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
Hello World
The read succeeded.
5. As user_b, read the uploaded data
[root@**** ~]# kinit -kt user_b.keytab user_b
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
6. As the hdfs superuser, read the uploaded data
[root@**** ~]# kinit -kt hdfs.keytab hdfs
[root@**** ~]# hadoop fs -cat /tmp/user_a_kms4test/helloWorld.txt
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn1.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://ipdrcn2.lfidcwan.cn:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
cat: User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2'
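The denials in steps 4 to 6 arrive in two different message formats (the per-key ACL refusal for user_a and user_b, and the "not allowed to do" refusal for hdfs). The following added example, which is not part of the original post, normalises both into "user operation key" records so that refused DECRYPT_EEK attempts can be reviewed per key and per user; the log lines inside it are constructed from the output above, and the KMS hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): turn the two KMS denial message
# formats shown in this post into "user operation key" records.
# Format A (steps 4 and 5):
#   User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!
# Format B (step 6):
#   User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2'

kms_denials() {
  # stdin: raw hadoop client log; stdout: one "user op key" line per denial message
  sed -n \
    -e 's/.*User \[\([^]]*\)] is not authorized to perform \[\([^]]*\)] on key with ACL name \[\([^]]*\)].*/\1 \2 \3/p' \
    -e "s/.*User:\([^ ]*\) not allowed to do '\([^']*\)' on '\([^']*\)'.*/\1 \2 \3/p"
}

# Distinct users refused operation $2 (default DECRYPT_EEK) on key $1, read from stdin
denied_users_for_key() {
  op="${2:-DECRYPT_EEK}"
  kms_denials | awk -v k="$1" -v o="$op" '$3 == k && $2 == o { print $1 }' | sort -u
}

# Constructed sample log; hostnames are placeholders, messages follow the post's output
sample_log() {
  cat <<'EOF'
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms1.example.internal:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms2.example.internal:16000/kms/v1/] threw an IOException [User [user_a] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:18:45 WARN kms.LoadBalancingKMSClientProvider: Aborting since the Request has failed with all KMS providers in the group. !!
17/04/11 18:40:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms1.example.internal:16000/kms/v1/] threw an IOException [User [user_b] is not authorized to perform [DECRYPT_EEK] on key with ACL name [user_a_key2]!!]!!
17/04/11 18:40:31 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms1.example.internal:16000/kms/v1/] threw an IOException [User:hdfs not allowed to do 'DECRYPT_EEK' on 'user_a_key2']!!
EOF
}

# Per-user tally of denials (each provider in the load-balancing group logs the
# same refusal, so user_a is counted twice for one failed put)
sample_log | kms_denials | awk '{ print $1 }' | sort | uniq -c
# Users that, according to the log, currently lack DECRYPT_EEK on user_a_key2
sample_log | denied_users_for_key user_a_key2
```

Feed a real client log to kms_denials on stdin to get the same records for a production cluster.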