Posted to dev@accumulo.apache.org by "Joey Echeverria (Commented) (JIRA)" <ji...@apache.org> on 2012/02/16 23:33:00 UTC

[jira] [Commented] (ACCUMULO-404) Support running on-top of Kerberos-enabled HDFS

    [ https://issues.apache.org/jira/browse/ACCUMULO-404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209821#comment-13209821 ] 

Joey Echeverria commented on ACCUMULO-404:
------------------------------------------


As a current workaround for this issue, you can do the following:

Create accumulo principals for each host:

{noformat}kadmin.local -q "addprinc -randkey accumulo/<host.domain.name>"{noformat}

where <host.domain.name> is replaced by a fully qualified domain name.

Export all of the accumulo principals to a key tab file:

{noformat}kadmin.local -q "xst -k accumulo.keytab -glob accumulo*"{noformat}

Put the key tab file in the $ACCUMULO_HOME/conf directory on each host. Make sure it's owned by the accumulo user and only readable by the owner.

Add the following to accumulo-env.sh:

{noformat}kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`{noformat}

Add the following to the accumulo user's crontab on all hosts:

{noformat}0 5 * * * kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`{noformat}

In $ACCUMULO_HOME/conf/monitor.security.policy:

Change:
{noformat}permission java.util.PropertyPermission "*", "read";{noformat}

To:
{noformat}permission java.util.PropertyPermission "*", "read,write";{noformat}

Add these lines to the end:
{noformat}
permission javax.security.auth.AuthPermission "createLoginContext.hadoop-user-kerberos";
permission java.lang.RuntimePermission "createSecurityManager";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "getPolicy";
permission java.security.SecurityPermission "createAccessControlContext";
permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
permission java.lang.RuntimePermission "getProtectionDomain";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket javax.security.auth.kerberos.KerberosPrincipal \"*\"", "read";
permission javax.security.auth.kerberos.ServicePermission "krbtgt/<REALM>@<REALM>", "initiate";
permission javax.security.auth.kerberos.ServicePermission "hdfs/<namenode.domain.name>@<REALM>", "initiate";
permission javax.security.auth.kerberos.ServicePermission "mapred/<jobtracker.domain.name>@<REALM>", "initiate";
{noformat}

Where <REALM> is replaced with the kerberos realm for the Hadoop cluster, <namenode.domain.name> is replaced with the fully qualified domain name of the server running the namenode and <jobtracker.domain.name> is replaced with the fully qualified domain name of the server running the job tracker.

> Support running on-top of Kerberos-enabled HDFS
> -----------------------------------------------
>
>                 Key: ACCUMULO-404
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-404
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Joey Echeverria
>             Fix For: 1.4.1
>
>
> Hadoop 0.20.20x, 1.0.x and 0.23.x all support requiring kerberos for strong authentication in order to talk to HDFS. It would be useful if Accumulo could be configured with keytab files for the TabletServers, Master, etc. so that it can be run on a Kerberos-enabled cluster.

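The workaround above leaves the safety of the whole scheme resting on the keytab file: whoever can read it can obtain the accumulo/<host> ticket. The script below is an added example written for this thread, not part of Joey's comment or of Accumulo itself. It checks the keytab the way the comment asks for (regular file, owned by the accumulo user, no group or world bits) before running the kinit line from accumulo-env.sh, and renders the three ServicePermission policy lines with the <REALM>, <namenode.domain.name> and <jobtracker.domain.name> placeholders filled in. The path $ACCUMULO_HOME/conf/accumulo.keytab, the user name "accumulo" and the accumulo/<fqdn> principal layout are taken from the comment; the function names and the "run" entry point are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the JIRA comment. Assumptions (from the comment):
# keytab at $ACCUMULO_HOME/conf/accumulo.keytab, service user "accumulo",
# principals named accumulo/<fully.qualified.host.name>.

# Principal name for this host in the form the workaround uses.
# $1 (optional): fully qualified host name; defaults to `hostname -f`.
accumulo_principal() {
    fqdn=${1:-$(hostname -f)}
    printf 'accumulo/%s\n' "$fqdn"
}

# Return 0 if $1 is a regular file owned by $2 (default "accumulo") with no
# group or world permission bits, i.e. readable by the owner only.
# Prints the reason to stderr on failure. Parses `ls -ld` rather than stat
# because stat's flags differ between GNU and BSD userlands.
check_keytab() {
    keytab=$1
    want_owner=${2:-accumulo}
    if [ ! -f "$keytab" ]; then
        echo "keytab $keytab: not a regular file" >&2
        return 1
    fi
    line=$(ls -ld "$keytab")
    # ls -ld fields: mode links owner group ...; mode chars 5-10 are group/other.
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    groupother=$(printf '%s\n' "$line" | cut -c5-10)
    if [ "$owner" != "$want_owner" ]; then
        echo "keytab $keytab: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$groupother" != "------" ]; then
        echo "keytab $keytab: group/other bits set ($groupother); use chmod 0400" >&2
        return 1
    fi
    return 0
}

# Emit the three ServicePermission lines from the comment with the
# placeholders filled in: $1 realm, $2 namenode FQDN, $3 jobtracker FQDN.
render_service_permissions() {
    realm=$1; nn=$2; jt=$3
    printf 'permission javax.security.auth.kerberos.ServicePermission "krbtgt/%s@%s", "initiate";\n' "$realm" "$realm"
    printf 'permission javax.security.auth.kerberos.ServicePermission "hdfs/%s@%s", "initiate";\n' "$nn" "$realm"
    printf 'permission javax.security.auth.kerberos.ServicePermission "mapred/%s@%s", "initiate";\n' "$jt" "$realm"
}

# What accumulo-env.sh or the cron entry would run once the checks pass.
# Only executed when the script is invoked with an argument (e.g. "run"),
# so sourcing it defines the functions without contacting a KDC.
main() {
    keytab=${ACCUMULO_HOME:?set ACCUMULO_HOME}/conf/accumulo.keytab
    check_keytab "$keytab" accumulo || exit 1
    kinit -kt "$keytab" "$(accumulo_principal)"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Dropping this in place of the bare kinit line in accumulo-env.sh (and in the 05:00 cron entry) means a keytab that was copied with the wrong owner or a 0644 mode fails loudly instead of quietly handing out tickets; the rendered policy lines can be appended to monitor.security.policy with `render_service_permissions EXAMPLE.COM nn.example.com jt.example.com >> $ACCUMULO_HOME/conf/monitor.security.policy`.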