Updated on 2024-11-29 GMT+08:00

Encrypting Data

Scenario

During CDL data synchronization, CDL can encrypt the data it flushes to disk. Data sources that support data encryption include MySQL, PostgreSQL, Oracle, ThirdParty-kafka, and openGauss.

Prerequisites

  • The CDL component and the RangerKMS instance of Ranger have been installed in the MRS cluster and are running properly.
  • A user with CDL management operation permissions has been created by referring to Creating a CDL User for the cluster with Kerberos authentication enabled.

Procedure

  1. Log in to FusionInsight Manager as user admin and choose Cluster > Services > Ranger.
  2. On the Dashboard page, click the hyperlink on the right of Ranger web UI. Click in the upper right corner of the page and choose Log out to switch the user.
  3. Log in to the system again as user rangerkms or keyadmin. Change the password upon the first login.

    For details about the username and default password, contact the MRS cluster administrator.

  4. Create a key.

    1. On the Ranger web UI, click Encryption, select kmsdev from the Select Service drop-down list, and click Add New Key on the right to create a key.
    2. Enter the key name in the Key Name text box, for example, test_key, retain the default values for other parameters, and click Save.

  5. Set user permissions.

    1. On the Access Manager page, click kmsdev in the KMS area. In the upper right corner of the page, click Add New Policy to add a policy.
    2. Set the following parameters on the Create Policy page:
      • Enter a policy name in the Policy Name text box, for example, test_policy.
      • For Key Name, select the key created in step 4.
      • In the Allow Conditions area, in the Select User column, select the Hudi user, the cdl user, and the cdl/cluster domain name user. Click the add button in the Permissions column and select the Get Metadata, Generate EEK, and Decrypt EEK permissions.
    3. Click Add.

  6. Log in to FusionInsight Manager as a user with CDL management operation permissions or as user admin (for clusters with Kerberos authentication disabled), and choose Cluster > Services > CDL.
  7. Click the link on the right of CDLService UI to access the CDLService web UI, and configure CDL tasks. For details, see Preparing for Creating a CDL Job and Creating a CDL Data Synchronization Job.

    When you configure source job parameters, set Enable Data Encryption to Yes and Key Name to the name of the encryption key.

  8. Start the CDL tasks, update data in the source database, and check whether Hudi data can be synchronized.
  9. Log in to FusionInsight Manager as user admin, choose Cluster > Services > Kafka, and click the KafkaTopic Monitor tab. Search for the topic name configured in Topic Table Mapping of the CDL job, and check whether the topic configuration contains encryption.eek information.
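The three permissions granted in step 5 map to the operations of a Hadoop-style KMS envelope-encryption scheme: Get Metadata reads the key's attributes, Generate EEK asks the KMS to create a fresh data-encryption key (DEK) wrapped under the named master key, and Decrypt EEK unwraps it so the client can encrypt or decrypt records. The master key never leaves the KMS; a principal holding only Generate EEK can obtain wrapped keys but can never recover plaintext. The following Python model is added here as an illustration; it is not code from this page, from Ranger KMS, or from CDL. The key name test_key and the users hudi and cdl come from the page; the ingest_only user, the policy layout, the record format, and the HMAC-based toy cipher (a stand-in for AES, not a production cipher) are assumptions.

```python
import hashlib
import hmac
import secrets


class PermissionDenied(Exception):
    """Raised when a user lacks the required per-key permission (assumed policy model)."""


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256; a stand-in for AES-CTR,
    # used only so the example runs without third-party libraries.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # XOR with the keystream; encryption and decryption are the same operation.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


class ToyKms:
    """Holds master keys and per-key policies; master keys never leave this object."""

    def __init__(self):
        self._keys = {}      # key name -> master key bytes
        self._policies = {}  # key name -> {user: set of permission names}

    def create_key(self, name: str) -> None:
        self._keys[name] = secrets.token_bytes(32)
        self._policies[name] = {}

    def add_policy(self, key_name: str, user: str, perms) -> None:
        self._policies[key_name].setdefault(user, set()).update(perms)

    def _check(self, user: str, key_name: str, perm: str) -> None:
        if perm not in self._policies.get(key_name, {}).get(user, set()):
            raise PermissionDenied(f"{user} lacks '{perm}' on key {key_name}")

    def get_metadata(self, user: str, key_name: str) -> dict:
        self._check(user, key_name, "Get Metadata")
        return {"name": key_name, "length_bits": len(self._keys[key_name]) * 8}

    def generate_eek(self, user: str, key_name: str) -> dict:
        # Returns only the wrapped DEK; the plaintext DEK is never handed out here.
        self._check(user, key_name, "Generate EEK")
        dek = secrets.token_bytes(32)
        iv = secrets.token_bytes(16)
        edek = _xor_stream(self._keys[key_name], iv, dek)
        return {"key_name": key_name, "iv": iv, "edek": edek}

    def decrypt_eek(self, user: str, eek: dict) -> bytes:
        # Unwraps an EEK to the plaintext DEK; this is the sensitive operation.
        self._check(user, eek["key_name"], "Decrypt EEK")
        return _xor_stream(self._keys[eek["key_name"]], eek["iv"], eek["edek"])


def encrypt_record(kms: ToyKms, user: str, key_name: str, plaintext: bytes) -> dict:
    """Client side: get an EEK, unwrap it, encrypt the record, keep the EEK beside the data."""
    eek = kms.generate_eek(user, key_name)
    dek = kms.decrypt_eek(user, eek)
    iv = secrets.token_bytes(16)
    return {"eek": eek, "iv": iv, "ciphertext": _xor_stream(dek, iv, plaintext)}


def decrypt_record(kms: ToyKms, user: str, record: dict) -> bytes:
    """Client side: unwrap the stored EEK through the KMS, then decrypt the record."""
    dek = kms.decrypt_eek(user, record["eek"])
    return _xor_stream(dek, record["iv"], record["ciphertext"])


def build_demo_kms() -> ToyKms:
    """Constructed KMS state mirroring steps 4 and 5 of the procedure."""
    kms = ToyKms()
    kms.create_key("test_key")  # key name used on the page
    for user in ("hudi", "cdl"):  # principals the page grants all three permissions
        kms.add_policy("test_key", user, {"Get Metadata", "Generate EEK", "Decrypt EEK"})
    # Assumed extra principal: may wrap keys for writing but never unwrap them.
    kms.add_policy("test_key", "ingest_only", {"Generate EEK"})
    return kms


def allowed(fn, *args) -> bool:
    """True if the KMS operation succeeds, False if the policy denies it."""
    try:
        fn(*args)
        return True
    except PermissionDenied:
        return False
```

Running the model shows the least-privilege split the policy gives: users with all three permissions round-trip a record, a user with only Generate EEK can request wrapped keys but cannot decrypt anything, and a user absent from the policy cannot even read key metadata.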