Skip to main content

Ranger KMS Encryption

 Ranger KMS Encryption

Range KMS is used to encrypt the HDFS (data at rest). This is very important for your cluster and customer to encrypt your data. It gives more security to your data.

Ranger provides centralized administration of the key management server through the Ranger admin portal.

There are 3 main functions provided by Ranger KMS.

1.    Key Management: It provided you facility to create/update/delete keys using UI interface. Using keyadmin username and password.

2.    Access Control Policies: through this you can manage the permission of your keys.

3.    Audit: this helps you to track the activities on your Ranger KMS.

Ranger KMS with hdfs encryption is recommended to use in all env. To secure the key storage using database.

KMS is also scalable and you can use multiple versions of KMS behind the load balancer.

This blog page depicts the Process of Creating the Encryption Zone.

Process:

Step 1: Create the directory structure on your hdfs which you want to encrypt.
Note: you cannot encrypt the existing hdfs path which already consisting data.
[techzone@node01 ~]$ hdfs dfs –mkdir <hdfs path>

Step 2: Assign 000 Permission on directory
[techzone@node01 ~]$ hdfs dfs –chmod 000 <hdfs path>

Step 3: Create the KMS key. Login to the ranger using kmsadmin as user.

Step 4: Select Encryption Key manager Select Service  service name Add New key

Step 5: Enter the Key name of the directory using (-) as separator ,Length: set the key length 256 and Save the

Step 6: Once the key is created, verify if the key is listed in dashboard.

Step 7: Select Access Manger service name Add New Policy

1. Policy Creation Details
2.  Policy name: name of the directory.
3.    Key name: name of the created KMS Key
4.    Select group: select the appropriate group to provide access
5.    Permission: provide the Decrypt EEK and Encrypt EEK Permission

Provide the delegate admin access to privileged user group.

Step 8: Logout from keyadmin user and Login with you EID to create the ranger policy for hdfs directory. Under the HDFS select the file  Add New Policy
Policy Creation Info
1. Policy Name: name of the directory-Encryption-Zone
2. source Path: path of the directory
3. select Group: Provide the group name to access the path
4.  Permission: select All (Execute,Read,Write)

Save the Policy.

Step 9: Login to the Command line. Destroy the currect user creds and kinit with user 

Step 10: Use the below command to create the encryption zone.

[techzone@node-01 ~]$ hdfs crypto -createZone -keyName <keynameyoucreated> -path
<pathonwhichEncryptiontoapply>

Step 11: After creating the key successfully you will receive the output as key created. Verify the newly created key using below command.
[techzone@node01 ~]$ hdfs crypto –listZones (it will list the all created keys)

Please let me know if comment section if you face any issue while performing above steps. I will try my best to help you.

 Thank you !!! 
 
 

Thank you !! Example HTML page Pleaes provide your valuable feedback.
Labels:

Comments

Post a Comment

Popular posts from this blog

Connect SparkThriftServer with Tableau/PowerBI

  Connect SparkThriftServer with Tableau/PowerBI REFERENCE : https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-apache-spark-use-bi-tools Use Power BI for Spark data visualization Note This section is applicable only for Spark 1.6 on HDInsight 3.4 and Spark 2.0 on HDInsight 3.5.   Once you have saved the data as a table, you can use Power BI to connect to the data and visualize it to create reports, dashboards, etc.   1.       Make sure you have access to Power BI. You can get a free preview subscription of Power BI from http://www.powerbi.com/ . 2.       Sign in to Power BI . 3.       From the bottom of the left pane, click Get Data . 4.       On the Get Data page, under Import or Connect to Data , for Databases , click Get . 5.       On the next screen, click Spark on Azure HDInsight and then click Connect . When prompted, enter th...
Post a Comment
Read more

Docker In Details

  Course Contents:- 1. Overview of Docker 2. Difference between Virtualization & Containerization 3. Installation & Configuration of Docker Runtime on Linux & Windows 4. Practice on Docker commands 5. launch a Webserver in a container 6. Launch public & official images of application like Jenkins, Nginx, DB etc.. 7. Launch a base OS Container 8. How to save changes inside the container & create a fresh image(commit) 9. How to ship image & container from one hardware to another. 10. How to remove stop/rm multiple container/images 11. Docker Registry 12. Docker Networking       Check current docker network                  Docker Network Bridge                     Docker Network Weaving                  Launch our own Docker Cluster with our defined Network             ...
Post a Comment
Read more

Roadmap to DevOps

    DevOps is nothing but the combination of process and philosophies which contains four basic component culture, collaboration, tools, and practices. In return, this gives a good automated system and infrastructure which helps an organisation to deliver a quality and reliable build. The beauty of this culture is it enables a quality for organizations to better serve their customers and compete more effectively in the market and also add some promised benefits which include confidence and trust, faster software releases, ability to solve critical issues quickly, and better manage unplanned work.   1. What are the tasks of a DevOps Engineer? Design, build, test and deploy scalable, distributed systems from development through production Manage the code repository(such as Git, SVN, BitBucket, etc.) including code merging and integrating, branching and maintenance and remote repository management Manage, configure and maintain infra...
Post a Comment
Read more

Azure Storage

Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios.    Why Azure Storage: Durable and Highly Available: ·        Data is safe during hardware failure. ·        Replicate data across data centres. ·        In local catastrophe or natural disaster data replicated to other data centres remains highly available. Secure: ·        Data encrypted by Azure service Storage Service encryption (SSE) for data at rest. ·        Completed control over who access your data. Scalable: ·        Designed to massive scale. Managed: ·        Azure handles maintenance, updates and critical issues. Accessible: ·        Accessible from anywhere in the world. ·        You can access using http, https,...
Post a Comment
Read more

Azure VM Snapshot

  Create a VM from a VHD by using the Azure portal Create a snapshot and then create a disk from the snapshot. This strategy allows you to keep the original VHD as a fallback: 1.       From the  Azure portal , on the left menu, select  All services . 2.       In the  All services  search box, enter  disks  and then select  Disks  to display the list of available disks. 3.       Select the disk that you would like to use. The  Disk  page for that disk appears. 4.       From the menu at the top, select  Create snapshot . 5.       Enter a  Name  for the snapshot. 6.       Choose a  Resource group  for the snapshot. You can use either an existing resource group or create a new one. 7.       For  Account type , choose ei...
Post a Comment
Read more