You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@accumulo.apache.org by Tristen Georgiou <tg...@phemi.com> on 2016/01/26 03:52:09 UTC

Kerberos and the Accumulo Proxy

I'm using Ambari 2.1.2.1, HDP 2.3.2 (so Accumulo 1.7.0) and I'm trying to
get a Kerberized Accumulo proxy up and running; I can successully start the
proxy, but I am having trouble connecting with it.

Here is my Accumulo proxy properties file (I've censored my actual FQDN's):

useMockInstance=false
useMiniAccumulo=false
protocolFactory=org.apache.thrift.protocol.TCompactProtocol$Factory
tokenClass=org.apache.accumulo.core.client.security.tokens.KerberosToken
port=42425
maxFrameSize=16M
thriftServerType=sasl
kerberosPrincipal=accumulo/mas3.example.com@EXAMPLE.COM
kerberosKeytab=/etc/security/keytabs/accumulo.service.keytab
instance=agile_accumulo
zookeepers=mas1.example.com:2181,mas2.example.com:2181,mas3.example.com:2181

The proxy starts up fine, and then via Python I am doing the following:

transport = TTransport.TSaslClientTransport(TSocket.TSocket('
mas3.example.com', 42425), 'mas3.example.com', 'accumulo', QOP='auth')
protocol = TCompactProtocol.TCompactProtocol(transport)
client = AccumuloProxy.Client(protocol)
transport.open()
login = client.login('central@EXAMPLE.COM', {})

Where I've created the principal central@EXAMPLE.COM and have run kinit on
the server where I am trying to connect to the proxy from (not from mas3)

The proxy log responds with this:

2016-01-25 21:42:01,294 [proxy.ProxyServer] ERROR: Failed to login
org.apache.accumulo.core.client.AccumuloSecurityException: Error
BAD_CREDENTIALS for user Principal in credentials object should match
kerberos principal. Expected 'accumulo/mas3.example.com@example.COM' but
was 'central@EXAMPLE.COM' - Username or Password is Invalid
at
org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:63)
at
org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
at
org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
at org.apache.accumulo.proxy.ProxyServer.getConnector(ProxyServer.java:232)
at org.apache.accumulo.proxy.ProxyServer.login(ProxyServer.java:1574)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.apache.accumulo.core.trace.wrappers.RpcServerInvocationHandler.invoke(RpcServerInvocationHandler.java:39)
at org.apache.accumulo.server.rpc.RpcWrapper$1.invoke(RpcWrapper.java:47)
at com.sun.proxy.$Proxy14.login(Unknown Source)
at
org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5723)
at
org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5707)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at
org.apache.accumulo.server.rpc.UGIAssumingProcessor.process(UGIAssumingProcessor.java:102)
at
org.apache.accumulo.server.rpc.TimedProcessor.process(TimedProcessor.java:63)
at
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:225)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at
org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
at java.lang.Thread.run(Thread.java:745)
Caused by: ThriftSecurityException(user:Principal in credentials object
should match kerberos principal. Expected 'accumulo/
mas3.example.com@EXAMPLE.COM' but was 'central@EXAMPLE.COM',
code:BAD_CREDENTIALS)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15613)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15591)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result.read(ClientService.java:15535)
at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$Client.recv_authenticate(ClientService.java:500)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$Client.authenticate(ClientService.java:486)
at
org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:70)
at
org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:67)
at
org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:98)
at
org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
... 22 more

I've tried to update my configuration for impersonation but have had no
luck; my colleague did send out an email to this list about questions to do
with impersonation, so perhaps that is the problem.

Otherwise, anyone see anything obviously wrong with what I'm doing? Could
it be related to this: https://issues.apache.org/jira/browse/ACCUMULO-3849

Fwd: Kerberos and the Accumulo Proxy

Posted by Tristen Georgiou <tg...@phemi.com>.

Forgot to cc the user list, sorry for the forward:

Thanks for the response, and yes, the explanation makes sense and
de-mystifies the process. I was trying to get the impersonation working,
but as Russ pointed out we were unable to set impersonation key's through
Ambari since it rejects various characters like forward slashes and @
symbols.

The impersonation documentation (
https://accumulo.apache.org/1.7/accumulo_user_manual.html#_impersonation)
does explain the concept, but I struggled a bit with what the keys should
look like; IMHO a real-world example would go a long way (I ended up
looking at the proxy code to figure out how it was actually reading the
principal from the key).

Using the example I gave, then (correct me if I'm wrong) I would need to
set the following properties:

instance.rpc.sasl.impersonation.accumulo/mas3.example.com@EXAMPLE.COM.users
= central@EXAMPLE.COM
instance.rpc.sasl.impersonation.accumulo/mas3.example.com@EXAMPLE.COM.hosts
= foo.example.com

Getting this working isn't a priority at this point; I'm just doing some
investigation into securing our clusters, but eventually we will need to
set these keys. It sounds like Russ has had a chat with you, so I'll catch
up with him tomorrow.

Thanks!

Tristen



On Mon, Jan 25, 2016 at 8:08 PM, Josh Elser <jo...@gmail.com> wrote:

> Hi Tristen,
>
> I'm glad you found that issue. As much as I griped about it, I had
> completely forgotten about the issue. Sadly, it looks like that fix is
> already contained in 2.3.2.0[1] Your client code does look correct as well
> (compared to the tests for this[2]). There are some good Kerberos tests in
> the codebase if you know to look for 'em.
>
> The error message is a bit confusing since it's a client (your python)
> talking to a client (the proxy) talking to the servers (Accumulo services).
> I think this error message is saying that the Proxy is failing to
> authenticate to Accumulo. This is about to get lengthy.
>
> A little bit of background on how this is supposed to work which hinges on
> this fact: A Kerberos client's "secret" information is not made available
> to the server. This means that your client keytab is not made available to
> the Proxy server. The implications this creates for the use case you
> outline is that the Proxy server *cannot* make a connection to Accumulo on
> your behalf because Kerberos knows that the Proxy isn't actually you! (this
> is actually cool if you think about it).
>
> This is where the Proxy impersonation configuration that Russ recently
> asked about comes into play. The common approach (e.g. Hive, HBase) is to
> configure Accumulo to "trust" the Proxy (identified by the Kerberos
> principal) to "act" as a different user. In other words, impersonation
> allows a client to authenticate to Accumulo as a different user than the
> client's Kerberos credentials says it is.
>
> So, client <-> Proxy works like a normal connection. However, proxy <->
> {tserver,master} has the connection set up as the Proxy's Kerberos
> identity, but Accumulo *allows* the Proxy to actually say that it is your
> client.
>
> As such, your code is 100% correct, but it isn't going to work in the way
> you're trying to use it. If you want a centralized Proxy server instance,
> you'll need to set up impersonation. The other option is (which, I think it
> better since we don't have a good multi-tenancy story for the Proxy) is to
> run a Proxy server instance with your client Kerberos credentials instead
> of the "accumulo" principal. This gets around the problem because both the
> client and the Proxy act as "client" and you don't get the mismatch.
>
> This got really long, and I'm sorry for that :). Let me know, I'd be happy
> to put some of this into the user manual if it's lacking.
>
> - Josh
>
> [1]
> https://github.com/hortonworks/accumulo-release/blob/HDP-2.3.2.0-tag/proxy/src/main/java/org/apache/accumulo/proxy/Proxy.java#L245-L248
> [2]
> https://github.com/hortonworks/accumulo-release/blob/HDP-2.3.2.0-tag/proxy/src/main/java/org/apache/accumulo/proxy/TestProxyClient.java
>
> Tristen Georgiou wrote:
>
>> I'm using Ambari 2.1.2.1, HDP 2.3.2 (so Accumulo 1.7.0) and I'm trying
>> to get a Kerberized Accumulo proxy up and running; I can successully
>> start the proxy, but I am having trouble connecting with it.
>>
>> Here is my Accumulo proxy properties file (I've censored my actual
>> FQDN's):
>>
>> useMockInstance=false
>> useMiniAccumulo=false
>> protocolFactory=org.apache.thrift.protocol.TCompactProtocol$Factory
>> tokenClass=org.apache.accumulo.core.client.security.tokens.KerberosToken
>> port=42425
>> maxFrameSize=16M
>> thriftServerType=sasl
>> kerberosPrincipal=accumulo/mas3.example.com@EXAMPLE.COM
>> <ma...@EXAMPLE.COM>
>> kerberosKeytab=/etc/security/keytabs/accumulo.service.keytab
>> instance=agile_accumulo
>> zookeepers=mas1.example.com:2181
>> <http://mas1.example.com:2181/>,mas2.example.com:2181
>> <http://mas2.example.com:2181/>,mas3.example.com:2181
>> <http://mas3.example.com:2181/>
>>
>> The proxy starts up fine, and then via Python I am doing the following:
>>
>> transport =
>> TTransport.TSaslClientTransport(TSocket.TSocket('mas3.example.com
>> <http://mas3.example.com/>', 42425), 'mas3.example.com
>> <http://mas3.example.com/>', 'accumulo', QOP='auth')
>> protocol = TCompactProtocol.TCompactProtocol(transport)
>> client = AccumuloProxy.Client(protocol)
>> transport.open()
>> login = client.login('central@EXAMPLE.COM <ma...@EXAMPLE.COM>',
>> {})
>>
>> Where I've created the principal central@EXAMPLE.COM
>> <ma...@EXAMPLE.COM> and have run kinit on the server where I am
>> trying to connect to the proxy from (not from mas3)
>>
>> The proxy log responds with this:
>>
>> 2016-01-25 21:42:01,294 [proxy.ProxyServer] ERROR: Failed to login
>> org.apache.accumulo.core.client.AccumuloSecurityException: Error
>> BAD_CREDENTIALS for user Principal in credentials object should match
>> kerberos principal. Expected 'accumulo/mas3.example.com@example.COM' but
>> was 'central@EXAMPLE.COM <ma...@EXAMPLE.COM>' - Username or
>>
>> Password is Invalid
>> at
>>
>> org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:63)
>> at
>>
>> org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
>> at
>>
>> org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
>> at
>> org.apache.accumulo.proxy.ProxyServer.getConnector(ProxyServer.java:232)
>> at org.apache.accumulo.proxy.ProxyServer.login(ProxyServer.java:1574)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>>
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at
>>
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:497)
>> at
>>
>> org.apache.accumulo.core.trace.wrappers.RpcServerInvocationHandler.invoke(RpcServerInvocationHandler.java:39)
>> at org.apache.accumulo.server.rpc.RpcWrapper$1.invoke(RpcWrapper.java:47)
>> at com.sun.proxy.$Proxy14.login(Unknown Source)
>> at
>>
>> org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5723)
>> at
>>
>> org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5707)
>> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>> at
>>
>> org.apache.accumulo.server.rpc.UGIAssumingProcessor.process(UGIAssumingProcessor.java:102)
>> at
>>
>> org.apache.accumulo.server.rpc.TimedProcessor.process(TimedProcessor.java:63)
>> at
>>
>> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:225)
>> at
>>
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at
>>
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at
>> org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: ThriftSecurityException(user:Principal in credentials object
>> should match kerberos principal. Expected
>> 'accumulo/mas3.example.com@EXAMPLE.COM
>> <ma...@EXAMPLE.COM>' but was 'central@EXAMPLE.COM
>> <ma...@EXAMPLE.COM>', code:BAD_CREDENTIALS)
>>
>> at
>>
>> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15613)
>> at
>>
>> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15591)
>> at
>>
>> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result.read(ClientService.java:15535)
>> at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
>> at
>>
>> org.apache.accumulo.core.client.impl.thrift.ClientService$Client.recv_authenticate(ClientService.java:500)
>> at
>>
>> org.apache.accumulo.core.client.impl.thrift.ClientService$Client.authenticate(ClientService.java:486)
>> at
>>
>> org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:70)
>> at
>>
>> org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:67)
>> at
>>
>> org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:98)
>> at
>>
>> org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
>> ... 22 more
>>
>> I've tried to update my configuration for impersonation but have had no
>> luck; my colleague did send out an email to this list about questions to
>> do with impersonation, so perhaps that is the problem.
>>
>> Otherwise, anyone see anything obviously wrong with what I'm doing?
>> Could it be related to this:
>> https://issues.apache.org/jira/browse/ACCUMULO-3849
>>
>

Re: Kerberos and the Accumulo Proxy

Posted by Josh Elser <jo...@gmail.com>.

Hi Tristen,

I'm glad you found that issue. As much as I griped about it, I had 
completely forgotten about the issue. Sadly, it looks like that fix is 
already contained in 2.3.2.0[1] Your client code does look correct as 
well (compared to the tests for this[2]). There are some good Kerberos 
tests in the codebase if you know to look for 'em.

The error message is a bit confusing since it's a client (your python) 
talking to a client (the proxy) talking to the servers (Accumulo 
services). I think this error message is saying that the Proxy is 
failing to authenticate to Accumulo. This is about to get lengthy.

A little bit of background on how this is supposed to work which hinges 
on this fact: A Kerberos client's "secret" information is not made 
available to the server. This means that your client keytab is not made 
available to the Proxy server. The implications this creates for the use 
case you outline is that the Proxy server *cannot* make a connection to 
Accumulo on your behalf because Kerberos knows that the Proxy isn't 
actually you! (this is actually cool if you think about it).

This is where the Proxy impersonation configuration that Russ recently 
asked about comes into play. The common approach (e.g. Hive, HBase) is 
to configure Accumulo to "trust" the Proxy (identified by the Kerberos 
principal) to "act" as a different user. In other words, impersonation 
allows a client to authenticate to Accumulo as a different user than the 
client's Kerberos credentials says it is.

So, client <-> Proxy works like a normal connection. However, proxy <-> 
{tserver,master} has the connection set up as the Proxy's Kerberos 
identity, but Accumulo *allows* the Proxy to actually say that it is 
your client.

As such, your code is 100% correct, but it isn't going to work in the 
way you're trying to use it. If you want a centralized Proxy server 
instance, you'll need to set up impersonation. The other option is 
(which, I think it better since we don't have a good multi-tenancy story 
for the Proxy) is to run a Proxy server instance with your client 
Kerberos credentials instead of the "accumulo" principal. This gets 
around the problem because both the client and the Proxy act as "client" 
and you don't get the mismatch.

This got really long, and I'm sorry for that :). Let me know, I'd be 
happy to put some of this into the user manual if it's lacking.

- Josh

[1] 
https://github.com/hortonworks/accumulo-release/blob/HDP-2.3.2.0-tag/proxy/src/main/java/org/apache/accumulo/proxy/Proxy.java#L245-L248
[2] 
https://github.com/hortonworks/accumulo-release/blob/HDP-2.3.2.0-tag/proxy/src/main/java/org/apache/accumulo/proxy/TestProxyClient.java

Tristen Georgiou wrote:
> I'm using Ambari 2.1.2.1, HDP 2.3.2 (so Accumulo 1.7.0) and I'm trying
> to get a Kerberized Accumulo proxy up and running; I can successully
> start the proxy, but I am having trouble connecting with it.
>
> Here is my Accumulo proxy properties file (I've censored my actual FQDN's):
>
> useMockInstance=false
> useMiniAccumulo=false
> protocolFactory=org.apache.thrift.protocol.TCompactProtocol$Factory
> tokenClass=org.apache.accumulo.core.client.security.tokens.KerberosToken
> port=42425
> maxFrameSize=16M
> thriftServerType=sasl
> kerberosPrincipal=accumulo/mas3.example.com@EXAMPLE.COM
> <ma...@EXAMPLE.COM>
> kerberosKeytab=/etc/security/keytabs/accumulo.service.keytab
> instance=agile_accumulo
> zookeepers=mas1.example.com:2181
> <http://mas1.example.com:2181/>,mas2.example.com:2181
> <http://mas2.example.com:2181/>,mas3.example.com:2181
> <http://mas3.example.com:2181/>
>
> The proxy starts up fine, and then via Python I am doing the following:
>
> transport =
> TTransport.TSaslClientTransport(TSocket.TSocket('mas3.example.com
> <http://mas3.example.com/>', 42425), 'mas3.example.com
> <http://mas3.example.com/>', 'accumulo', QOP='auth')
> protocol = TCompactProtocol.TCompactProtocol(transport)
> client = AccumuloProxy.Client(protocol)
> transport.open()
> login = client.login('central@EXAMPLE.COM <ma...@EXAMPLE.COM>', {})
>
> Where I've created the principal central@EXAMPLE.COM
> <ma...@EXAMPLE.COM> and have run kinit on the server where I am
> trying to connect to the proxy from (not from mas3)
>
> The proxy log responds with this:
>
> 2016-01-25 21:42:01,294 [proxy.ProxyServer] ERROR: Failed to login
> org.apache.accumulo.core.client.AccumuloSecurityException: Error
> BAD_CREDENTIALS for user Principal in credentials object should match
> kerberos principal. Expected 'accumulo/mas3.example.com@example.COM' but
> was 'central@EXAMPLE.COM <ma...@EXAMPLE.COM>' - Username or
> Password is Invalid
> at
> org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:63)
> at
> org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
> at
> org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
> at org.apache.accumulo.proxy.ProxyServer.getConnector(ProxyServer.java:232)
> at org.apache.accumulo.proxy.ProxyServer.login(ProxyServer.java:1574)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at
> org.apache.accumulo.core.trace.wrappers.RpcServerInvocationHandler.invoke(RpcServerInvocationHandler.java:39)
> at org.apache.accumulo.server.rpc.RpcWrapper$1.invoke(RpcWrapper.java:47)
> at com.sun.proxy.$Proxy14.login(Unknown Source)
> at
> org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5723)
> at
> org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5707)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> at
> org.apache.accumulo.server.rpc.UGIAssumingProcessor.process(UGIAssumingProcessor.java:102)
> at
> org.apache.accumulo.server.rpc.TimedProcessor.process(TimedProcessor.java:63)
> at
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:225)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at
> org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: ThriftSecurityException(user:Principal in credentials object
> should match kerberos principal. Expected
> 'accumulo/mas3.example.com@EXAMPLE.COM
> <ma...@EXAMPLE.COM>' but was 'central@EXAMPLE.COM
> <ma...@EXAMPLE.COM>', code:BAD_CREDENTIALS)
> at
> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15613)
> at
> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15591)
> at
> org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result.read(ClientService.java:15535)
> at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
> at
> org.apache.accumulo.core.client.impl.thrift.ClientService$Client.recv_authenticate(ClientService.java:500)
> at
> org.apache.accumulo.core.client.impl.thrift.ClientService$Client.authenticate(ClientService.java:486)
> at
> org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:70)
> at
> org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:67)
> at
> org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:98)
> at
> org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
> ... 22 more
>
> I've tried to update my configuration for impersonation but have had no
> luck; my colleague did send out an email to this list about questions to
> do with impersonation, so perhaps that is the problem.
>
> Otherwise, anyone see anything obviously wrong with what I'm doing?
> Could it be related to this:
> https://issues.apache.org/jira/browse/ACCUMULO-3849