Posted to user@accumulo.apache.org by James Srinivasan <ja...@gmail.com> on 2019/12/09 15:24:43 UTC

KerberosToken & proxy authentication

Hiya,

I'm on Accumulo 1.7.0 (ish, HDP3) with a Kerberized cluster. I've got
some code which works fine when run as a user logged in directly with
Kerberos authentication, but fails when the Kerberized user is
proxying another user (for user impersonation with Spark/Zeppelin).
Here's where I've got:

org.apache.hadoop.security.UserGroupInformation.getCurrentUser:
org.apache.hadoop.security.UserGroupInformation =
srinivasanj@XXX.YYY.LOCAL (auth:PROXY) via zeppelin-hdp@XXX.YYY.LOCAL
(auth:KERBEROS)

val kt = new org.apache.accumulo.core.client.security.tokens.KerberosToken():
java.lang.IllegalArgumentException: Subject is not logged in via Kerberos
    at org.locationtech.geomesa.accumulo.shaded.com.google.common.base.Preconditions.checkArgument(Preconditions.java:125)
    at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:56)
    at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:110)

Looking at the 1.7.0 source and javadoc, while the doc says that Proxy
auth is supported, the code only seems to consider subjects logged in
directly using Kerberos (this was fixed in
ACCUMULO-4665/ACCUMULO-4666). Other than bugging our vendor to upgrade
the version of Accumulo they ship, is there anything else I can do to
work around it?

I'm thinking of using the Accumulo 1.9 client libs, but there may be a
libthrift 0.9.1 vs 0.9.3 incompatibility.

I've also tried to use the KerberosToken ctor which takes a keytab,
unfortunately this doesn't seem to replace the current user (it does
when not using Proxy auth).

Any suggestions would be much appreciated,

James
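
The distinction the post draws between a direct Kerberos login and a PROXY user backed by one, as an added example (not part of the original post and not Accumulo's code). It uses Hadoop's UserGroupInformation API; the names UgiChainCheck, directKerberos, kerberosBacked and describe are hypothetical, and the sample users are constructed short names rather than real principals.

```java
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

// Added example, not Accumulo code: compares a direct-only Kerberos check with
// one that follows the real-user chain of a PROXY UserGroupInformation.
public class UgiChainCheck {

    // True only when this UGI itself is marked as a Kerberos login.
    static boolean directKerberos(UserGroupInformation ugi) {
        return ugi.getAuthenticationMethod() == AuthenticationMethod.KERBEROS;
    }

    // True when the UGI, or a real user reachable through PROXY links, is Kerberos.
    static boolean kerberosBacked(UserGroupInformation ugi) {
        for (UserGroupInformation u = ugi; u != null; u = u.getRealUser()) {
            AuthenticationMethod m = u.getAuthenticationMethod();
            if (m == AuthenticationMethod.KERBEROS) return true;
            if (m != AuthenticationMethod.PROXY) return false; // SIMPLE, TOKEN, ...
        }
        return false; // PROXY with no real user recorded
    }

    // One line per link: "user (auth:METHOD)", outermost (effective) user first.
    static String describe(UserGroupInformation ugi) {
        StringBuilder sb = new StringBuilder();
        for (UserGroupInformation u = ugi; u != null; u = u.getRealUser()) {
            sb.append(u.getUserName()).append(" (auth:")
              .append(u.getAuthenticationMethod()).append(")\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi;
        if (args.length > 0 && args[0].equals("--current")) {
            ugi = UserGroupInformation.getCurrentUser(); // inspect the live session
        } else {
            // Constructed sample mirroring the post: a proxied user over a
            // service user marked KERBEROS (no KDC or ticket is involved).
            UserGroupInformation real = UserGroupInformation.createRemoteUser("zeppelin-hdp");
            real.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            ugi = UserGroupInformation.createProxyUser("srinivasanj", real);
        }
        System.out.print(describe(ugi));
        System.out.println("direct-only check: " + directKerberos(ugi));
        System.out.println("proxy-aware check: " + kerberosBacked(ugi));
    }
}
```

Running it with `--current` inside the Spark/Zeppelin session prints the chain for the actual logged-in user instead of the constructed sample.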

Re: KerberosToken & proxy authentication

Posted by Christopher <ct...@apache.org>.
I don't know of a workaround for this, but if, as you say, we've
already fixed the bug upstream, then the best thing you can do is
update to the newer version. Since you get your Accumulo from a
vendor, and they don't have an update, you might be able to backport
the fix yourself, if they provide the source for their vendor-provided
version.

You should be aware that version 1.7.0 is quite old, and there may be
many more bugs and numerous issues fixed by us since 1.7.0 that you
are likely to encounter. Version 1.9.x and 2.x are the only versions
currently being maintained upstream, so any new bugs found are
extremely unlikely to be patched by us in older versions. But, feel
free to continue to solicit assistance from other users on this
mailing list... somebody here may be able to help you. If you need
support for a vendor-specific version, though, you're probably going
to have better luck contacting that vendor directly.

On Mon, Dec 9, 2019 at 10:25 AM James Srinivasan
<ja...@gmail.com> wrote:
>
> Hiya,
>
> I'm on Accumulo 1.7.0 (ish, HDP3) with a Kerberized cluster. I've got
> some code which works fine when run as a user logged in directly with
> Kerberos authentication, but fails when the Kerberized user is
> proxying another user (for user impersonation with Spark/Zeppelin).
> Here's where I've got:
>
> org.apache.hadoop.security.UserGroupInformation.getCurrentUser:
> org.apache.hadoop.security.UserGroupInformation =
> srinivasanj@XXX.YYY.LOCAL (auth:PROXY) via zeppelin-hdp@XXX.YYY.LOCAL
> (auth:KERBEROS)
>
> val kt = new org.apache.accumulo.core.client.security.tokens.KerberosToken():
> java.lang.IllegalArgumentException: Subject is not logged in via Kerberos
>     at org.locationtech.geomesa.accumulo.shaded.com.google.common.base.Preconditions.checkArgument(Preconditions.java:125)
>     at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:56)
>     at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:110)
>
> Looking at the 1.7.0 source and javadoc, while the doc says that Proxy
> auth is supported, the code only seems to consider subjects logged in
> directly using Kerberos (this was fixed in
> ACCUMULO-4665/ACCUMULO-4666). Other than bugging our vendor to upgrade
> the version of Accumulo they ship, is there anything else I can do to
> work around it?
>
> I'm thinking of using the Accumulo 1.9 client libs, but there may be a
> libthrift 0.9.1 vs 0.9.3 incompatibility.
>
> I've also tried to use the KerberosToken ctor which takes a keytab,
> unfortunately this doesn't seem to replace the current user (it does
> when not using Proxy auth).
>
> Any suggestions would be much appreciated,
>
> James