Message-ID: <5920E174.1050802@gmail.com>
Date: Sat, 20 May 2017 20:38:12 -0400
From: Josh Elser
To: user@accumulo.apache.org
Subject: Re: ClientConfiguration using Kerberos & MapReduce
References: <591E1006.7040003@gmail.com> <591F5BF7.9080600@gmail.com>

James Srinivasan wrote:
>>> Delegation tokens are serialized into the Job's "credentials" section and
>>> distributed securely that way.
>> Ah, that's my problem. Will probably have to update the GeoMesa code
>> to work with Jobs rather than Configurations, so that the Credentials
>> aren't lost.
>
> Hmm, not so easy it seems. My callstack which triggers the exception
> when the credentials are missing from the Job is this:
>
> java.lang.NullPointerException
>     at org.apache.accumulo.core.client.mapreduce.lib.impl.ConfiguratorBase.unwrapAuthenticationToken(ConfiguratorBase.java:493)
>     at org.apache.accumulo.core.client.mapreduce.AbstractInputFormat.validateOptions(AbstractInputFormat.java:390)
>     at org.apache.accumulo.core.client.mapreduce.AbstractInputFormat.getSplits(AbstractInputFormat.java:668)
>     at org.locationtech.geomesa.jobs.mapreduce.GeoMesaAccumuloInputFormat.getSplits(GeoMesaAccumuloInputFormat.scala:174)
>     at org.apache.spark.rdd.NewHadoopRDD.getPartitions(NewHadoopRDD.scala:121)
>     ...
>
> Now org.apache.spark.rdd.NewHadoopRDD.getPartitions does this:
>
> val jobContext = new JobContextImpl(_conf, jobId)
>
> So doesn't seem to support tokens (Jobs) being supplied, just Configurations.
>
> I can't call AccumuloInputFormat.setConnectorInfo again since it has
> already been called, and I presume adding the serialised token to the
> Configuration would be insecure?

Yeah, the configuration can't protect sensitive information. MapReduce/YARN has special handling to make sure those tokens serialized in the Job's credentials are only readable by you (the job submitter).

The thing I don't entirely follow is how you've gotten into this situation to begin with. The adding of the delegation tokens to the Job's credentials should be done by Accumulo's MR code on your behalf (just like it's obtaining the delegation token, it would automatically add it to the job for ya).

Any chance you can provide an end-to-end example? I am also pretty Spark-ignorant -- so maybe I just don't understand what is possible and what isn't..

> Yours in puzzlement,
>
> James
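
An added example, not part of the message above and not Accumulo's or GeoMesa's code: it contrasts a token encoded into a Hadoop `Configuration` property with the same token placed in the `Job`'s `Credentials`, the distinction the reply draws. The token bytes, kind, service and property name are constructed placeholders, and the Hadoop common and MapReduce client jars are assumed to be on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapreduce.Job;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class TokenPlacementDemo {
    // A Configuration serializes every property it holds as plain XML.
    static String toXml(Configuration conf) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        conf.writeXml(out);
        return out.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder token; a real delegation token is issued by the service.
        Token<TokenIdentifier> token = new Token<>(
            "constructed-identifier".getBytes(StandardCharsets.UTF_8),
            "constructed-password".getBytes(StandardCharsets.UTF_8),
            new Text("EXAMPLE_TOKEN_KIND"),      // hypothetical token kind
            new Text("example-service"));        // hypothetical service name
        String encoded = token.encodeToUrlString();
        Text alias = new Text("example-service");

        // Weak: the encoded token is just another property, so it is written
        // out with the rest of the configuration.
        Configuration weak = new Configuration(false);
        weak.set("example.serialized.token", encoded);  // hypothetical property name
        System.out.println("token in Configuration XML:       "
            + toXml(weak).contains(encoded));

        // Corrected: the token lives in the Job's Credentials, which are kept
        // apart from the Configuration and never appear in its XML.
        Job job = Job.getInstance(new Configuration(false));
        job.getCredentials().addToken(alias, token);
        System.out.println("token in Job's Configuration XML: "
            + toXml(job.getConfiguration()).contains(encoded));
        System.out.println("token in Job's Credentials:       "
            + token.equals(job.getCredentials().getToken(alias)));
    }
}
```

A code path that rebuilds its job context from a bare `Configuration` only sees the first form, which is why the credentials have to travel with the `Job`.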