I tried to set up Hadoop KMS server and client.

Below is my kms.site.xml:

<property>
   <name>hadoop.kms.key.provider.uri</name>
   <value>jceks://file@/${user.home}/kms.keystore</value>
   <description>
      URI of the backing KeyProvider for the KMS.
   </description>
</property>

<property>
   <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
   <value>kms.keystore.password</value>
   <description>
     If using the JavaKeyStoreProvider, the file name for the keystore password.
   </description>
</property>

In core-site.xml I added the following:

<property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@mydomain:16000/kms</value>
</property>

In hdfs-site I added the following:

<property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@mydomain:16000/kms</value>
</property>

Then I restarted Hadoop and used ./kms.sh start to start KMS.

But when I'm trying to generate a key using the command below:

hadoop key create key_demo -size 256

I'm getting the message below. Am I missing anything?

There are no valid (non-transient) providers configured.
No action has been taken. Use the -provider option to specify
a provider. If you want to use a transient provider then you
MUST use the -provider argument.
janith

1 Answer

I am using Hadoop 3.3.1.

This is my kms-site.xml:

<property> 
    <name>hadoop.kms.key.provider.uri</name> 
    <value>jceks://file@/${user.home}/kms.keystore</value> 
</property> 

<property> 
    <name>hadoop.security.keystore.java-keystore-provider.password-file</name> 
    <value>kms.keystore.password</value> 
</property>

This is my core-site.xml:

<property> 
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@localhost:9600/kms</value>
    <description> 
        The KeyProvider to use when interacting with encryption keys used 
        when reading and writing to an encryption zone. 
    </description> 
</property>

Before adding those to my core-site.xml, I also got the same message as you. I think you are using Hadoop v2, so your port number for the KeyProvider is still 16000; I use v3. I also see that you are still using JavaKeyStoreProvider like the example in the Hadoop documentation (so am I). If you don't provide the "password file", which is kms.keystore.password, the KMS will terminate immediately after starting up. So you would need to place an empty file in your classpath, which is in /hadoop_home/etc/

I know I arrive quite late; hope it helps.

oetomo
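
A check for the difference between the question's and the answer's core-site.xml, as an added example that is not part of the original posts or of Hadoop. It assumes, as the answer reports, that `hadoop key` needs hadoop.security.key.provider.path, and it also flags a kms://http@ URI because that connection to the KMS is not protected by TLS; the function names and XML inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CLI_PROPERTY = "hadoop.security.key.provider.path"   # set in the answer's core-site.xml
HDFS_PROPERTY = "dfs.encryption.key.provider.uri"    # set in the question's files
KMS_URI = re.compile(r"^kms://(https?)@([^:/]+):(\d+)/(.+)$")

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_key_provider(core_site_xml):
    """Return a list of findings about the key provider settings in core-site.xml."""
    props = load_properties(core_site_xml)
    findings = []
    uri = props.get(CLI_PROPERTY)
    if uri is None:
        findings.append("missing " + CLI_PROPERTY)
        if HDFS_PROPERTY in props:
            findings.append("only " + HDFS_PROPERTY + " is set")
        return findings
    match = KMS_URI.match(uri)
    if match is None:
        findings.append("not a kms:// URI: " + uri)
    elif match.group(1) == "http":
        findings.append("plain http to KMS at %s:%s" % (match.group(2), match.group(3)))
    return findings

# Constructed inputs modelled on the two core-site.xml fragments on this page.
QUESTION_CORE_SITE = """<configuration>
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@mydomain:16000/kms</value>
  </property>
</configuration>"""

ANSWER_CORE_SITE = QUESTION_CORE_SITE.replace(
    "dfs.encryption.key.provider.uri", "hadoop.security.key.provider.path"
).replace("mydomain:16000", "localhost:9600")

if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_CORE_SITE), ("answer", ANSWER_CORE_SITE)):
        print(label, check_key_provider(xml_text))
```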