[ https://issues.apache.org/jira/browse/ACCUMULO-404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209821#comment-13209821 ]
Joey Echeverria commented on ACCUMULO-404:
------------------------------------------
As a current workaround for this issue, you can do the following:
Create accumulo principals for each host:
{noformat}kadmin.local -q "addprinc -randkey accumulo/<host.domain.name>"{noformat}
where <host.domain.name> is replaced by a fully qualified domain name.
Export all of the accumulo principals to a key tab file:
{noformat}kadmin.local -q "xst -k accumulo.keytab -glob accumulo*"{noformat}
Put the key tab file in the $ACCUMULO_HOME/conf directory on each host. Make
sure it's owned by the accumulo user and only readable by the owner.
Add the following to accumulo-env.sh:
{noformat}kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`{noformat}
Add the following to the accumulo user's crontab on all hosts:
{noformat}0 5 * * * kinit -kt $ACCUMULO_HOME/conf/accumulo.keytab accumulo/`hostname -f`{noformat}
In $ACCUMULO_HOME/conf/monitor.security.policy:
Change:
{noformat}permission java.util.PropertyPermission "*", "read";{noformat}
To:
{noformat}permission java.util.PropertyPermission "*", "read,write";{noformat}
Add these lines to the end:
{noformat}
permission javax.security.auth.AuthPermission "createLoginContext.hadoop-user-kerberos";
permission java.lang.RuntimePermission "createSecurityManager";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "getPolicy";
permission java.security.SecurityPermission "createAccessControlContext";
permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
permission java.lang.RuntimePermission "getProtectionDomain";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket javax.security.auth.kerberos.KerberosPrincipal \"*\"", "read";
permission javax.security.auth.kerberos.ServicePermission "krbtgt/<REALM>@<REALM>", "initiate";
permission javax.security.auth.kerberos.ServicePermission "hdfs/<namenode.domain.name>@<REALM>", "initiate";
permission javax.security.auth.kerberos.ServicePermission "mapred/<jobtracker.domain.name>@<REALM>", "initiate";
{noformat}
Where <REALM> is replaced with the Kerberos realm for the Hadoop cluster,
<namenode.domain.name> is replaced with the fully qualified domain name of the
server running the namenode and <jobtracker.domain.name> is replaced with the
fully qualified domain name of the server running the job tracker.
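The workaround above leans on two things that are easy to get wrong on a multi-node rollout: the keytab on every host must be owned by the accumulo user and readable only by that user, and it must actually contain the host's own accumulo/<host.domain.name> principal, otherwise the kinit in accumulo-env.sh and the cron entry fail silently. The script below is an added example (not from the JIRA comment or the Accumulo project) that checks both conditions and renders the three ServicePermission lines with the <REALM>, <namenode.domain.name> and <jobtracker.domain.name> placeholders filled in. It assumes POSIX sh with ls and awk; the klist -kt output it parses is passed in as text, and the sample shown is constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of ACCUMULO-404: pre-flight checks for the keytab
# workaround. Assumes POSIX sh, ls and awk; the klist output is supplied as a
# string so the parser can be run without a KDC.

# check_keytab_perms KEYTAB EXPECTED_OWNER
# Succeeds only if KEYTAB exists, is owned by EXPECTED_OWNER and has no group
# or other permission bits set (rw------- or r--------), as the workaround
# requires for $ACCUMULO_HOME/conf/accumulo.keytab.
check_keytab_perms() {
    keytab=$1
    expected_owner=$2
    [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
    # ls -ld fields: mode, link count, owner, group, ...; a trailing '@' or '+'
    # on the mode (ACL/xattr markers on some platforms) is tolerated.
    set -- $(ls -ld "$keytab")
    mode=$1
    owner=$3
    if [ "$owner" != "$expected_owner" ]; then
        echo "keytab owned by $owner, expected $expected_owner" >&2
        return 1
    fi
    case "$mode" in
        -r??------*) return 0 ;;
        *) echo "keytab mode $mode is readable by group or others" >&2; return 1 ;;
    esac
}

# keytab_lists_principal KLIST_OUTPUT PRINCIPAL
# Succeeds if PRINCIPAL appears in the output of `klist -kt <keytab>`.
# PRINCIPAL may be given with or without the @REALM suffix, because the
# workaround's kinit uses the unqualified form accumulo/`hostname -f`.
keytab_lists_principal() {
    klist_out=$1
    principal=$2
    printf '%s\n' "$klist_out" | awk -v p="$principal" '
        $NF == p || index($NF, p "@") == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# render_service_permissions REALM NAMENODE_FQDN JOBTRACKER_FQDN
# Prints the three ServicePermission lines for monitor.security.policy with
# the placeholders substituted, one per line.
render_service_permissions() {
    realm=$1
    namenode=$2
    jobtracker=$3
    for svc in "krbtgt/$realm" "hdfs/$namenode" "mapred/$jobtracker"; do
        printf 'permission javax.security.auth.kerberos.ServicePermission "%s@%s", "initiate";\n' \
            "$svc" "$realm"
    done
}

# Constructed sample of `klist -kt accumulo.keytab` output (hostnames and realm
# are placeholders, not values from the issue).
SAMPLE_KLIST='Keytab name: FILE:/opt/accumulo/conf/accumulo.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/16/12 10:00:00 accumulo/tserver1.example.com@EXAMPLE.COM
   2 02/16/12 10:00:00 accumulo/master1.example.com@EXAMPLE.COM'

# Stand-alone demonstration against the constructed sample.
if keytab_lists_principal "$SAMPLE_KLIST" "accumulo/tserver1.example.com"; then
    echo "sample keytab contains the tserver1 principal"
fi
render_service_permissions EXAMPLE.COM nn.example.com jt.example.com
```

On a real host the two checks would be called as `check_keytab_perms "$ACCUMULO_HOME/conf/accumulo.keytab" accumulo` and `keytab_lists_principal "$(klist -kt "$ACCUMULO_HOME/conf/accumulo.keytab")" "accumulo/$(hostname -f)"`; running them before the first kinit turns a silent ticket-acquisition failure into an explicit error.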
> Support running on-top of Kerberos-enabled HDFS
> -----------------------------------------------
>
> Key: ACCUMULO-404
> URL: https://issues.apache.org/jira/browse/ACCUMULO-404
> Project: Accumulo
> Issue Type: New Feature
> Reporter: Joey Echeverria
> Fix For: 1.4.1
>
>
> Hadoop 0.20.20x, 1.0.x and 0.23.x all support requiring kerberos for strong
> authentication in order to talk to HDFS. It would be useful if Accumulo could
> be configured with keytab files for the TabletServers, Master, etc. so that
> it can be run on a Kerberos-enabled cluster.