accumulo-user mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Kerberos and Compactions
Date Mon, 17 Nov 2014 17:28:54 GMT
So, this is something that's a bit confusing WRT how Kerberos
authentication currently works inside Accumulo (it needs to be fixed).
The servers log in using a keytab (as you saw in the logs); however,
there's presently no support to allow client authentication via some
Kerberos ticket (cached ticket or a keytab).

I'm guessing the error that you're seeing is related to the internal
authentication of the Tracer user for serializing distributed traces
to the 'trace' table. By default, the credentials are 'root' and
'secret' via 'trace.user' and 'trace.token.property.password' in
accumulo-site.xml, respectively.

Fixing the client authentication to properly use the Kerberos
credentials is something that's on my radar.

On Mon, Nov 17, 2014 at 12:09 PM, David Lyle <dlyle65535@gmail.com> wrote:
> I have installed Accumulo 1.5.1.2.1.7.0-784 on a kerberized vm for
> testing purposes following the instructions in the readme. It looked
> good (create table/scan, monitor page, etc) but then it started
> throwing ThriftSecurityExceptions in the TServer logs. Looks like the
> tserver process hasn't authenticated to the accumulo service user.
>
> When I look at the tserver log I see these near the top:
>
> 2014-11-15 16:38:39,063 [server.Accumulo] INFO :
> general.kerberos.keytab =
> /etc/security/keytabs/accumulo.service.keytab
> 2014-11-15 16:38:39,063 [server.Accumulo] INFO :
> general.kerberos.principal = accumulo/hwx1.lyleco.com@LYLECO.COM
>
> ...snip...
>
> 2014-11-15 16:38:39,911 [security.UserGroupInformation] INFO : Login
> successful for user accumulo/hwx1.lyleco.com@LYLECO.COM using keytab
> file /etc/security/keytabs/accumulo.service.keytab
> 2014-11-15 16:38:39,911 [security.SecurityUtil] INFO : Succesfully
> logged in as user accumulo/hwx1.lyleco.com@LYLECO.COM
> 2014-11-15 16:38:40,464 [tabletserver.TabletServer] INFO : port = 9997
> 2014-11-15 16:38:48,232 [tabletserver.TabletServer] INFO : Loading
> tablet !0;!0<<
> 2014-11-15 16:38:48,253 [tabletserver.TabletServer] INFO :
> localhost/127.0.0.1:9997: got assignment from master: !0;!0<<
> 2014-11-15 16:38:48,351 [util.MetadataTable] INFO : Scanning logging
> entries for !0;!0<<
> 2014-11-15 16:38:48,351 [util.MetadataTable] INFO : Getting logs for
> root tablet from zookeeper
> 2014-11-15 16:38:48,354 [util.MetadataTable] INFO : Returning logs []
> for extent !0;!0<<
> 2014-11-15 16:38:48,576 [client.ClientServiceHandler] ERROR:
> ThriftSecurityException(user:root, code:BAD_CREDENTIALS)
>
> /user/accumulo is chowned to accumulo:hdfs and I can see the metadata
> rfiles when I kinit to the accumulo account and browse the filesystem.
>
> Any notion what I've done wrong?
>
> Thanks!
>
> -David...
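
Added example, not part of either message or of Accumulo's own code: a small check that reads `accumulo-site.xml`, reports whether the tracer properties named in the reply are still at the stated defaults, and correlates `BAD_CREDENTIALS` log lines with the effective `trace.user`. The XML fragment, the function names and the finding codes are constructed for illustration; the log line uses the format quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Defaults as stated in the reply above.
DEFAULTS = {"trace.user": "root", "trace.token.property.password": "secret"}

# Constructed accumulo-site.xml fragment (sample input, not from the thread).
SAMPLE_SITE = """<configuration>
  <property><name>general.kerberos.keytab</name>
    <value>/etc/security/keytabs/accumulo.service.keytab</value></property>
  <property><name>trace.user</name><value>root</value></property>
</configuration>"""

# Log line in the format quoted in the thread.
SAMPLE_LOG = ("2014-11-15 16:38:48,576 [client.ClientServiceHandler] ERROR: "
              "ThriftSecurityException(user:root, code:BAD_CREDENTIALS)")

DENIED = re.compile(r"ThriftSecurityException\(user:([^,]+), code:BAD_CREDENTIALS\)")

def site_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text, log_text):
    """Return (code, message) findings; the password itself is never echoed."""
    props = site_properties(xml_text)
    effective = {key: props.get(key, default) for key, default in DEFAULTS.items()}
    findings = []
    for key in DEFAULTS:
        if key not in props:
            findings.append(("unset", f"{key} is not set, so the default applies"))
    pw_key = "trace.token.property.password"
    if effective[pw_key] == DEFAULTS[pw_key]:
        findings.append(("default-password", f"{pw_key} is the default value"))
    user = effective["trace.user"]
    if user in {u.strip() for u in DENIED.findall(log_text)}:
        # Consistent with the reply's guess: the tracer login is being rejected.
        findings.append(("tracer-rejected",
                         f"BAD_CREDENTIALS logged for trace.user '{user}'"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE_SITE, SAMPLE_LOG):
        print(f"[{code}] {message}")
```

A `tracer-rejected` finding only shows that the rejected user matches the configured tracer account; it does not rule out other clients logging in as the same user.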
