The instructions doc is missing this very important step.
The default value of hadoop.kms.acl.DECRYPT_EEK is * in the sandbox’s file /usr/kms-demo/hadoop/etc/hadoop/kms-acls.xml. So if we don’t change this setting from * to specific users, any user can see the contents of a file which is placed in an encrypted zone.
My other worrying point is:
if the root user or the kms-acls.xml file is compromised, then that’s it; any encryption zone files are accessible by any updated user for the property hadoop.kms.acl.DECRYPT_EEK.
So, where exactly is the point of considering an encryption strategy for data protection, if the ACL is controlling every file and zone?
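A check for the wildcard setting described in the comment above, as an added example that is not part of the original comment or the sandbox instructions: it parses a kms-acls.xml and lists every KMS-level or key-level ACL whose value is *. The sample XML, the key name demo_key and the users alice and bob are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the setting described above; not the sandbox's real file.
# demo_key, alice, bob and analysts are placeholder names.
SAMPLE_KMS_ACLS = """<configuration>
  <property><name>hadoop.kms.acl.DECRYPT_EEK</name><value>*</value></property>
  <property><name>hadoop.kms.acl.GENERATE_EEK</name><value>hdfs</value></property>
  <property><name>key.acl.demo_key.DECRYPT_EEK</name><value>alice,bob analysts</value></property>
</configuration>"""

# Same file with the wildcard replaced by named users.
HARDENED_KMS_ACLS = SAMPLE_KMS_ACLS.replace("<value>*</value>", "<value>alice,bob</value>")


def parse_acl(value):
    """Parse a Hadoop ACL string: 'user1,user2 group1,group2'; '*' means everyone."""
    value = value or ""
    if value.strip() == "*":
        return {"wildcard": True, "users": [], "groups": []}
    users, _, groups = value.partition(" ")
    split = lambda s: [item for item in s.strip().split(",") if item]
    return {"wildcard": False, "users": split(users), "groups": split(groups)}


def wildcard_acls(xml_text):
    """Return the sorted names of ACL properties that are open to every user."""
    open_to_all = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        # KMS-level ACLs start with hadoop.kms.acl.; key-level ACLs are
        # key.acl.<key>.<op>, default.key.acl.<op> and whitelist.key.acl.<op>.
        is_acl = name.startswith("hadoop.kms.acl.") or "key.acl." in name
        if is_acl and parse_acl(prop.findtext("value"))["wildcard"]:
            open_to_all.append(name)
    return sorted(open_to_all)


if __name__ == "__main__":
    for acl_name in wildcard_acls(SAMPLE_KMS_ACLS):
        print("open to every user:", acl_name)
```
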