From: Josh Elser
Date: Sat, 06 Jun 2015 14:19:31 -0400
To: user@accumulo.apache.org
Subject: Re: kerberos auth, getDelegationToken

Make sure you read the JavaDoc on DelegationToken:

  Obtain a delegation token by calling {@link SecurityOperations#getDelegationToken(org.apache.accumulo.core.client.admin.DelegationTokenConfig)}

You cannot create a usable DelegationToken as the client itself.

Anyways, DelegationTokens are only relevant in cases where the client
Kerberos credentials are unavailable. The most common case is running
MapReduce jobs. If you are just interacting with Accumulo through the
Java API, the KerberosToken is all you need to use.

The user-manual likely just needs to be updated.
I believe the DelegationTokenConfig was added after I wrote the initial
documentation.

Xu (Simon) Chen wrote:
> Hi folks,
>
> The latest kerberos doc seems to indicate that getDelegationToken can be
> called without any parameters:
> https://github.com/apache/accumulo/blob/1.7/docs/src/main/asciidoc/chapters/kerberos.txt#L410
>
> Yet the source code indicates a DelegationTokenConfig object must be
> passed in:
> https://github.com/apache/accumulo/blob/1.7/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java#L359
>
> Any ideas on how I should construct the DelegationTokenConfig object?
>
> For context, I've been trying to get geomesa to work on my accumulo 1.7
> with kerberos turned on. Right now, the code is somewhat tied to
> password auth:
> https://github.com/locationtech/geomesa/blob/rc7_a1.7_h2.5/geomesa-core/src/main/scala/org/locationtech/geomesa/core/data/AccumuloDataStoreFactory.scala#L177
> My thought is that I should get a KerberosToken first, and then try to
> generate a DelegationToken, which is passed back for later interactions
> between geomesa and accumulo.
>
> Thanks.
> -Simon
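
The calls named in the reply above, put together for Accumulo 1.7 as an added example (not code from this thread or from the Accumulo project): authenticate with a KerberosToken, then ask the servers for a DelegationToken using a DelegationTokenConfig. The instance name, ZooKeeper host and class name are placeholders, and it assumes the process already holds a Kerberos login (ticket cache or keytab).

```java
import java.util.concurrent.TimeUnit;

import org.apache.accumulo.core.client.ClientConfiguration;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.Instance;
import org.apache.accumulo.core.client.ZooKeeperInstance;
import org.apache.accumulo.core.client.admin.DelegationTokenConfig;
import org.apache.accumulo.core.client.security.tokens.DelegationToken;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;

public class DelegationTokenExample {
  public static void main(String[] args) throws Exception {
    // Placeholder values (assumptions): use your own instance name and ZooKeeper quorum.
    ClientConfiguration clientConf = ClientConfiguration.loadDefault()
        .withInstance("myinstance")
        .withZkHosts("zk1.example.com:2181")
        .withSasl(true); // Kerberos-enabled instances are reached over SASL

    Instance instance = new ZooKeeperInstance(clientConf);

    // Wraps the identity of the current Kerberos login; no password is involved.
    KerberosToken kerberosToken = new KerberosToken();
    Connector conn = instance.getConnector(kerberosToken.getPrincipal(), kerberosToken);

    // A default-constructed config requests the server-side default lifetime.
    DelegationTokenConfig config = new DelegationTokenConfig();
    // Optional: request a shorter lifetime so a leaked token expires sooner.
    config.setTokenLifetime(1, TimeUnit.HOURS);

    // The token is issued by the servers, never built on the client side.
    // The authenticated user needs SystemPermission.OBTAIN_DELEGATION_TOKEN.
    DelegationToken delegationToken =
        conn.securityOperations().getDelegationToken(config);

    // Hand delegationToken to the component that runs without Kerberos
    // credentials (for example a MapReduce job); code that talks to Accumulo
    // directly through the Java API can keep using kerberosToken.
  }
}
```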