The instructions doc is missing this very important step.
The default value of hadoop.kms.acl.DECRYPT_EEK is * in the sandbox's file /usr/kms-demo/hadoop/etc/hadoop/kms-acls.xml. So if we don't change this setting from * to specific users, any user can see the contents of a file which is placed in an encrypted zone.
Another confusion of mine:
If the root user or the kms-acls.xml file is compromised, then that's it: any encryption zone files are accessible by any updated user in <strong>hadoop.kms.acl.DECRYPT_EEK</strong>.
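A way to check for the wildcard setting described above, as an added example that is not part of the original post: this Python script parses a kms-acls.xml document and lists the hadoop.kms.acl.* operations left open to everyone. The sample XML is constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the sandbox's real file): DECRYPT_EEK is left at "*".
SAMPLE_KMS_ACLS = """<configuration>
  <property>
    <name>hadoop.kms.acl.CREATE</name>
    <value>keyadmin</value>
  </property>
  <property>
    <name>hadoop.kms.acl.DECRYPT_EEK</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.kms.acl.GENERATE_EEK</name>
    <value>hdfs supergroup</value>
  </property>
</configuration>
"""

PREFIX = "hadoop.kms.acl."

def parse_acl(value):
    """Split a Hadoop ACL string 'user1,user2 group1,group2'.
    Returns (wildcard, users, groups); '*' alone means everyone."""
    value = value or ""
    if value.strip() == "*":
        return True, [], []
    # Users come before the first space, groups after it.
    parts = value.split(" ", 1)
    users = [u.strip() for u in parts[0].split(",") if u.strip()]
    groups = []
    if len(parts) > 1:
        groups = [g.strip() for g in parts[1].split(",") if g.strip()]
    return False, users, groups

def audit_kms_acls(xml_text):
    """Map each hadoop.kms.acl.<OP> property to its parsed ACL."""
    findings = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            wildcard, users, groups = parse_acl(prop.findtext("value"))
            findings[name[len(PREFIX):]] = {
                "wildcard": wildcard, "users": users, "groups": groups}
    return findings

def open_operations(xml_text):
    """Operations whose ACL is the wildcard, i.e. allowed for any user."""
    acls = audit_kms_acls(xml_text)
    return sorted(op for op, acl in acls.items() if acl["wildcard"])

if __name__ == "__main__":
    print("Open to all users:", open_operations(SAMPLE_KMS_ACLS))
```

To audit a real deployment, read the contents of its kms-acls.xml and pass the text to `open_operations`.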