ACCUMULO-404

Support running on top of Kerberos-enabled HDFS

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.4.1, 1.5.0
    • Component/s: None
    • Labels: None

      Description

      Hadoop 0.20.20x, 1.0.x and 0.23.x all support requiring Kerberos for strong authentication in order to talk to HDFS. It would be useful if Accumulo could be configured with keytab files for the TabletServers, Master, etc. so that it can be run on a Kerberos-enabled cluster.


          Activity

          Joey Echeverria created issue -
          Keith Turner made changes -
          Field Original Value New Value
          Fix Version/s 1.4.1 [ 12319882 ]
          Joey Echeverria added a comment -

          As a current workaround for this issue, you can do the following:

          Create accumulo principals for each host:

          kadmin.local -q "addprinc -randkey accumulo/<host.domain.name>"

          where <host.domain.name> is replaced by a fully qualified domain name.

          Export all of the accumulo principals to a keytab file:

          kadmin.local -q "xst -k accumulo.keytab -glob accumulo*"

          Put the keytab file in the $ACCUMULO_HOME/conf directory on each host. Make sure it's owned by the accumulo user and only readable by the owner.

          Add the following to accumulo-env.sh:

          kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`

          Add the following to the accumulo user's crontab on all hosts:

          0 5 * * * kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`

          In $ACCUMULO_HOME/conf/monitor.security.policy:

          Change:

          permission java.util.PropertyPermission "*", "read";

          To:

          permission java.util.PropertyPermission "*", "read,write";

          Add these lines to the end:

          permission javax.security.auth.AuthPermission "createLoginContext.hadoop-user-kerberos";
          permission java.lang.RuntimePermission "createSecurityManager";
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "getPolicy";
          permission java.security.SecurityPermission "createAccessControlContext";
          permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
          permission java.lang.RuntimePermission "getProtectionDomain";
          permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
          permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket javax.security.auth.kerberos.KerberosPrincipal \"*\"", "read";
          permission javax.security.auth.kerberos.ServicePermission "krbtgt/<REALM>@<REALM>", "initiate";
          permission javax.security.auth.kerberos.ServicePermission "hdfs/<namenode.domain.name>@<REALM>", "initiate";
          permission javax.security.auth.kerberos.ServicePermission "mapred/<jobtracker.domain.name>@<REALM>", "initiate";

          Where <REALM> is replaced with the Kerberos realm for the Hadoop cluster, <namenode.domain.name> is replaced with the fully qualified domain name of the server running the namenode and <jobtracker.domain.name> is replaced with the fully qualified domain name of the server running the job tracker.

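An added check script for the keytab workaround in the comment above (example code, not from this thread or the Accumulo project). It assumes MIT Kerberos klist/kinit on the host; the sample klist -kt output, host names and realm in it are constructed placeholders. It also re-runs kinit whenever the ticket cache has no valid ticket, rather than only at the fixed daily cron time.

```shell
#!/bin/sh
# Added example: sanity checks for the keytab workaround described in the
# comment above. Assumes MIT Kerberos klist/kinit; the sample klist output,
# host names and realm are constructed placeholders.

# Constructed sample of "klist -kt accumulo.keytab" output (MIT format).
SAMPLE_KLIST='Keytab name: FILE:accumulo.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 03/20/2012 10:15:22 accumulo/tserver1.example.com@EXAMPLE.COM
   2 03/20/2012 10:15:22 accumulo/master1.example.com@EXAMPLE.COM'

# 0 if $1 exists, is owned by $2 and is mode 0400 (owner read only), else 1.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    # -perm 0400 is an exact mode match on both GNU and BSD find
    [ -n "$(find "$1" -user "$2" -perm 0400 2>/dev/null)" ]
}

# 0 if principal $2 is listed in the klist -kt output passed as $1.
# Entry lines end with the principal; header lines contain no "@".
keytab_has_principal() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }' | grep -Fxq "$2"
}

# Run on a real host: is this host's own accumulo principal in keytab $1?
host_principal_in_keytab() {
    keytab_has_principal "$(klist -kt "$1")" "accumulo/$(hostname -f)@$2"
}

# Re-kinit from keytab $1 only when the cache has no valid ticket left
# (klist -s is silent and exits non-zero in that case), so a ticket that
# expires before the daily cron run is still replaced promptly.
refresh_ticket_if_needed() {
    klist -s && return 0
    kinit -kt "$1" "accumulo/$(hostname -f)@$2"
}

# Entry point for use on a host; not run when the file is merely sourced.
main() {
    kt="${ACCUMULO_HOME:?}/conf/accumulo.keytab"
    realm="${KRB_REALM:?set to the cluster Kerberos realm}"
    keytab_perms_ok "$kt" accumulo || { echo "bad owner/mode on $kt" >&2; return 1; }
    host_principal_in_keytab "$kt" "$realm" || { echo "host principal missing from $kt" >&2; return 1; }
    refresh_ticket_if_needed "$kt" "$realm"
}
if [ "${1:-}" = check ]; then main; fi
```

Run it as "ACCUMULO_HOME=/opt/accumulo KRB_REALM=EXAMPLE.COM sh check-keytab.sh check" on each host, or source it to reuse the functions.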
          jv made changes -
          Assignee John Vines [ jvines ]
          Joey Echeverria made changes -
          Link This issue is related to HBASE-3582 [ HBASE-3582 ]
          Joey Echeverria added a comment -

          Attaching the HBase issue which implemented support for logging in with keytab files.

          jv made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          jv added a comment -

          Attached is a patch which should implement support for running Kerberos over HDFS. I have tested it over regular HDFS, as well as in a single node instance with Kerberized HDFS. I am having issues getting Kerberos and HDFS to play nice in a multi-node environment, so I'm going to throw it up here if there is someone who can test it in this condition faster than I can.

          jv made changes -
          Attachment Accumulo-404.patch [ 12521385 ]
          jv added a comment -

          Merged

          jv made changes -
          Status In Progress [ 3 ] Resolved [ 5 ]
          Fix Version/s 1.5.0 [ 12318645 ]
          Resolution Fixed [ 1 ]
          Gavin made changes -
          Workflow no-reopen-closed, patch-avail [ 12653435 ] patch-available, re-open possible [ 12671729 ]
          Christopher Tubbs made changes -
          Assignee jv [ jvines ]

            People

            • Assignee: Unassigned
            • Reporter: Joey Echeverria
            • Votes: 0
            • Watchers: 2
