Subject: Re: kerberos auth, getDelegationToken
From: "Xu (Simon) Chen"
To: user@accumulo.apache.org
Date: Sat, 6 Jun 2015 17:23:25 -0400
In-Reply-To: <55736054.8060109@gmail.com>
References: <557339B3.9080108@gmail.com> <55736054.8060109@gmail.com>

Josh,

You're right again.. Thanks!

My ansible play actually pushed client.conf to all the server config directories, but didn't do anything for the clients, and that's my problem. Now kerberos is working great for me.

Thanks again!
-Simon

On Sat, Jun 6, 2015 at 5:04 PM, Josh Elser wrote:
> Simon,
>
> Did you create a client configuration file (~/.accumulo/config or
> $ACCUMULO_CONF_DIR/client.conf)? You need to configure Accumulo clients to
> actually use SASL when you're trying to use Kerberos authentication. Your
> server is expecting that, but I would venture a guess that your client
> isn't.
>
> See
> http://accumulo.apache.org/1.7/accumulo_user_manual.html#_configuration_3
>
>
> Xu (Simon) Chen wrote:
>>
>> Josh,
>>
>> Thanks. It makes sense...
>>
>> I used a KerberosToken, but my program got stuck when running the
>> following:
>> new ZooKeeperInstance(instance, zookeepers).getConnector(user, krbToken)
>>
>> It looks like my client is stuck here:
>> https://github.com/apache/accumulo/blob/master/core/src/main/java/org/apache/accumulo/core/client/impl/ConnectorImpl.java#L70
>> failing in the receive part of
>> org.apache.accumulo.core.client.impl.thrift.ClientService.Client.authenticate().
>>
>> On my tservers, I see the following:
>>
>> 2015-06-06 18:58:19,616 [server.TThreadPoolServer] ERROR: Error occurred during processing of message.
>> java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out
>>         at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
>>         at org.apache.accumulo.core.rpc.UGIAssumingTransportFactory$1.run(UGIAssumingTransportFactory.java:51)
>>         at org.apache.accumulo.core.rpc.UGIAssumingTransportFactory$1.run(UGIAssumingTransportFactory.java:48)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAs(Subject.java:356)
>>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1622)
>>         at org.apache.accumulo.core.rpc.UGIAssumingTransportFactory.getTransport(UGIAssumingTransportFactory.java:48)
>>         at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:208)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>         at org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
>>         at java.lang.Thread.run(Thread.java:745)
>> Caused by: org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out
>>         at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:129)
>>         at org.apache.thrift.transport.TTransport.readAll(TTransport.java:84)
>>         at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:182)
>>         at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
>>         at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
>>         at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
>>         at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
>>         ... 11 more
>> Caused by: java.net.SocketTimeoutException: Read timed out
>>         at java.net.SocketInputStream.socketRead0(Native Method)
>>         at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>         at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>         at java.io.BufferedInputStream.read1(BufferedInputStream.java:273)
>>         at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>         at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:127)
>>         ... 17 more
>>
>> Any ideas why?
>>
>> Thanks.
>> -Simon
>>
>>
>> On Sat, Jun 6, 2015 at 2:19 PM, Josh Elser wrote:
>>>
>>> Make sure you read the JavaDoc on DelegationToken:
>>>
>>>   Obtain a delegation token by calling {@link
>>>   SecurityOperations#getDelegationToken(org.apache.accumulo.core.client.admin.DelegationTokenConfig)}
>>>
>>> You cannot create a usable DelegationToken as the client itself.
>>>
>>> Anyways, DelegationTokens are only relevant in cases where the client
>>> Kerberos credentials are unavailable. The most common case is running
>>> MapReduce jobs. If you are just interacting with Accumulo through the
>>> Java API, the KerberosToken is all you need to use.
>>>
>>> The user-manual likely just needs to be updated. I believe the
>>> DelegationTokenConfig was added after I wrote the initial documentation.
>>>
>>>
>>> Xu (Simon) Chen wrote:
>>>>
>>>> Hi folks,
>>>>
>>>> The latest kerberos doc seems to indicate that getDelegationToken can be
>>>> called without any parameters:
>>>>
>>>> https://github.com/apache/accumulo/blob/1.7/docs/src/main/asciidoc/chapters/kerberos.txt#L410
>>>>
>>>> Yet the source code indicates a DelegationTokenConfig object must be
>>>> passed in:
>>>>
>>>> https://github.com/apache/accumulo/blob/1.7/core/src/main/java/org/apache/accumulo/core/client/admin/SecurityOperations.java#L359
>>>>
>>>> Any ideas on how I should construct the DelegationTokenConfig object?
>>>>
>>>> For context, I've been trying to get geomesa to work on my accumulo 1.7
>>>> with kerberos turned on. Right now, the code is somewhat tied to
>>>> password auth:
>>>>
>>>> https://github.com/locationtech/geomesa/blob/rc7_a1.7_h2.5/geomesa-core/src/main/scala/org/locationtech/geomesa/core/data/AccumuloDataStoreFactory.scala#L177
>>>>
>>>> My thought is that I should get a KerberosToken first, and then try to
>>>> generate a DelegationToken, which is passed back for later interactions
>>>> between geomesa and accumulo.
>>>>
>>>> Thanks.
>>>> -Simon
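Putting the two points from this thread together (the client itself must have SASL enabled in its client configuration or the tserver sits waiting for a SASL handshake until the read times out, and a DelegationToken can only be obtained from SecurityOperations#getDelegationToken(DelegationTokenConfig)), here is an added example against the Accumulo 1.7 client API. It is not code from the thread or from the Accumulo project; the instance name, ZooKeeper hosts and the one-day token lifetime are placeholder assumptions.

```java
import java.util.concurrent.TimeUnit;
import org.apache.accumulo.core.client.ClientConfiguration;
import org.apache.accumulo.core.client.ClientConfiguration.ClientProperty;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.Instance;
import org.apache.accumulo.core.client.ZooKeeperInstance;
import org.apache.accumulo.core.client.admin.DelegationTokenConfig;
import org.apache.accumulo.core.client.security.tokens.DelegationToken;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;

public class KerberosClientExample {
  // Placeholder values (assumptions, not taken from the thread).
  static final String INSTANCE = "myinstance";
  static final String ZOOKEEPERS = "zk1.example.com:2181";

  // loadDefault() reads ~/.accumulo/config or $ACCUMULO_CONF_DIR/client.conf;
  // withSasl(true) sets instance.rpc.sasl.enabled in-process, so the client speaks
  // SASL even when client.conf was only pushed to the servers (the thread's problem).
  static ClientConfiguration clientConfig() {
    ClientConfiguration conf = ClientConfiguration.loadDefault()
        .withInstance(INSTANCE).withZkHosts(ZOOKEEPERS).withSasl(true);
    // Fail fast here instead of hanging in authenticate() while the tserver
    // waits for a SASL start message that a non-SASL client never sends.
    if (!Boolean.parseBoolean(conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED))) {
      throw new IllegalStateException("client configuration does not enable SASL");
    }
    return conf;
  }

  public static void main(String[] args) throws Exception {
    ClientConfiguration conf = clientConfig();
    Instance inst = new ZooKeeperInstance(conf);
    // Plain Java API use: a KerberosToken built from the current Kerberos login
    // (kinit ticket cache or UserGroupInformation.loginUserFromKeytab) is all that is needed.
    KerberosToken krbToken = new KerberosToken();
    Connector conn = inst.getConnector(krbToken.getPrincipal(), krbToken);
    System.out.println("Authenticated as " + conn.whoami());
    // Only when the Kerberos credentials will be unavailable later (e.g. inside a
    // MapReduce job) ask the server for a DelegationToken; the client cannot build one.
    // The lifetime is an arbitrary example and is capped by the server's configuration.
    DelegationTokenConfig dtConf = new DelegationTokenConfig().setTokenLifetime(1, TimeUnit.DAYS);
    DelegationToken dt = conn.securityOperations().getDelegationToken(dtConf);
    // The job side reconnects with the DelegationToken in place of the KerberosToken.
    Connector jobConn = new ZooKeeperInstance(conf).getConnector(krbToken.getPrincipal(), dt);
    System.out.println("Delegation token accepted for " + jobConn.whoami());
  }
}
```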