Skip to main content

Ranger KMS Encryption

 Ranger KMS Encryption

Range KMS is used to encrypt the HDFS (data at rest). This is very important for your cluster and customer to encrypt your data. It gives more security to your data.

Ranger provides centralized administration of the key management server through the Ranger admin portal.

There are 3 main functions provided by Ranger KMS.

1.    Key Management: It provided you facility to create/update/delete keys using UI interface. Using keyadmin username and password.

2.    Access Control Policies: through this you can manage the permission of your keys.

3.    Audit: this helps you to track the activities on your Ranger KMS.

Ranger KMS with hdfs encryption is recommended to use in all env. To secure the key storage using database.

KMS is also scalable and you can use multiple versions of KMS behind the load balancer.

This blog page depicts the Process of Creating the Encryption Zone.

Process:

Step 1: Create the directory structure on your hdfs which you want to encrypt.
Note: you cannot encrypt the existing hdfs path which already consisting data.
[techzone@node01 ~]$ hdfs dfs –mkdir <hdfs path>

Step 2: Assign 000 Permission on directory
[techzone@node01 ~]$ hdfs dfs –chmod 000 <hdfs path>

Step 3: Create the KMS key. Login to the ranger using kmsadmin as user.

Step 4: Select Encryption Key manager Select Service  service name Add New key

Step 5: Enter the Key name of the directory using (-) as separator ,Length: set the key length 256 and Save the

Step 6: Once the key is created, verify if the key is listed in dashboard.

Step 7: Select Access Manger service name Add New Policy

1. Policy Creation Details
2.  Policy name: name of the directory.
3.    Key name: name of the created KMS Key
4.    Select group: select the appropriate group to provide access
5.    Permission: provide the Decrypt EEK and Encrypt EEK Permission

Provide the delegate admin access to privileged user group.

Step 8: Logout from keyadmin user and Login with you EID to create the ranger policy for hdfs directory. Under the HDFS select the file  Add New Policy
Policy Creation Info
1. Policy Name: name of the directory-Encryption-Zone
2. source Path: path of the directory
3. select Group: Provide the group name to access the path
4.  Permission: select All (Execute,Read,Write)

Save the Policy.

Step 9: Login to the Command line. Destroy the currect user creds and kinit with user 

Step 10: Use the below command to create the encryption zone.

[techzone@node-01 ~]$ hdfs crypto -createZone -keyName <keynameyoucreated> -path
<pathonwhichEncryptiontoapply>

Step 11: After creating the key successfully you will receive the output as key created. Verify the newly created key using below command.
[techzone@node01 ~]$ hdfs crypto –listZones (it will list the all created keys)

Please let me know if comment section if you face any issue while performing above steps. I will try my best to help you.

 Thank you !!! 
 
 

Thank you !! Example HTML page Pleaes provide your valuable feedback.
Labels:

Comments

Post a Comment

Popular posts from this blog

Script To Monitor disk Usage

Hello All, Many times we have a requirement to automate few of the tasks, and one of the important task is to delete old log files from log destination. We usually get the conditions where we have to delete the log from particular directory when it reaches to some thresh hold value. Now a day the requirement of automation is highly increased where we are seeing most of the day to day tasks are getting automated using different scripting languages. Its always a good idea to automate your daily tasks which will save your working hours and will increase your productivity. Most of the time log destination gets full and due to which we face other issues like application down or particular service stop working. And manual deleting of log is hectic process so below script will help you to delete your log data when it meets your condition, and also it will trigger mail to recipient after deletion of logs. You can schedule this script in your crontab according to your feasible ti...
7 comments
Read more

Connect SparkThriftServer with Tableau/PowerBI

  Connect SparkThriftServer with Tableau/PowerBI REFERENCE : https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-apache-spark-use-bi-tools Use Power BI for Spark data visualization Note This section is applicable only for Spark 1.6 on HDInsight 3.4 and Spark 2.0 on HDInsight 3.5.   Once you have saved the data as a table, you can use Power BI to connect to the data and visualize it to create reports, dashboards, etc.   1.       Make sure you have access to Power BI. You can get a free preview subscription of Power BI from http://www.powerbi.com/ . 2.       Sign in to Power BI . 3.       From the bottom of the left pane, click Get Data . 4.       On the Get Data page, under Import or Connect to Data , for Databases , click Get . 5.       On the next screen, click Spark on Azure HDInsight and then click Connect . When prompted, enter th...
Post a Comment
Read more

Azure Storage

Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios.    Why Azure Storage: Durable and Highly Available: ·        Data is safe during hardware failure. ·        Replicate data across data centres. ·        In local catastrophe or natural disaster data replicated to other data centres remains highly available. Secure: ·        Data encrypted by Azure service Storage Service encryption (SSE) for data at rest. ·        Completed control over who access your data. Scalable: ·        Designed to massive scale. Managed: ·        Azure handles maintenance, updates and critical issues. Accessible: ·        Accessible from anywhere in the world. ·        You can access using http, https,...
Post a Comment
Read more

Azure Active Directory

  What is Azure Active Directory? Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service. For an organization, Azure AD helps employees sign up to multiple services and access them anywhere over the cloud with a single set of login credentials. Azure Active Directory Concept: It is important to understand these Azure AD concepts. Identity . An object that can get authenticated. An identity can be a user with a username and password. Account . An identity that has data associated with it. You can't have an account without an identity. Azure subscription . Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card. Azure tenant/directory . A dedicated and trusted instance of Azure AD, a Tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. More instances of Azure AD can be created. Azure AD is the underlying product ...
1 comment
Read more

Kubernetes-Update

                                                    https://kubernetes.io/ Kubernetes (K8s)  is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery. Kubernetes builds upon  15 years of experience of running production workloads at Google , combined with best-of-breed ideas and practices from the community. Latest Verion:-  1.19 Kubernetes Objects Kubernetes defines a set of building blocks ("primitives"), which collectively provide mechanisms that deploy, maintain, and scale applications based on CPU, memory or custom metrics. Kubernetes is loosely coupled and extensible to meet different workloads. This extensibility is provided in large part by the Kubernetes API, which is used by int...
Post a Comment
Read more