[jira] [Comment Edited] (ACCUMULO-3513) Ensure MapReduce functionality with Kerberos enabled

Tue, 27 Jan 2015 14:38:55 -0800 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294327#comment-14294327
 ] 

Josh Elser edited comment on ACCUMULO-3513 at 1/27/15 10:38 PM:
----------------------------------------------------------------

For later if needed: the actual failure seen if you try to run a MR job now.

{noformat}
Error: java.io.IOException: java.lang.IllegalArgumentException: Cannot 
instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:559)
        at 
org.apache.hadoop.mapred.MapTask$NewDirectOutputCollector.<init>(MapTask.java:647)
        at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:767)
        at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
        at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:163)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158)
Caused by: java.lang.IllegalArgumentException: Cannot instantiate 
org.apache.accumulo.core.client.security.tokens.KerberosToken
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:65)
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:98)
        at 
org.apache.accumulo.core.client.mapreduce.lib.impl.ConfiguratorBase.getAuthenticationToken(ConfiguratorBase.java:229)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getAuthenticationToken(AccumuloOutputFormat.java:172)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat$AccumuloRecordWriter.<init>(AccumuloOutputFormat.java:403)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:557)
        ... 8 more
Caused by: java.lang.IllegalArgumentException: Subject is not logged in via 
Kerberos
        at 
com.google.common.base.Preconditions.checkArgument(Preconditions.java:88)
        at 
org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:53)
        at 
org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:65)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at java.lang.Class.newInstance(Class.java:379)
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:63)
        ... 13 more
{noformat}


was (Author: elserj):
For later if needed: the actual failure seen if you try to run a MR job now.

{{noformat}}
Error: java.io.IOException: java.lang.IllegalArgumentException: Cannot 
instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:559)
        at 
org.apache.hadoop.mapred.MapTask$NewDirectOutputCollector.<init>(MapTask.java:647)
        at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:767)
        at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
        at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:163)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158)
Caused by: java.lang.IllegalArgumentException: Cannot instantiate 
org.apache.accumulo.core.client.security.tokens.KerberosToken
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:65)
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:98)
        at 
org.apache.accumulo.core.client.mapreduce.lib.impl.ConfiguratorBase.getAuthenticationToken(ConfiguratorBase.java:229)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getAuthenticationToken(AccumuloOutputFormat.java:172)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat$AccumuloRecordWriter.<init>(AccumuloOutputFormat.java:403)
        at 
org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:557)
        ... 8 more
Caused by: java.lang.IllegalArgumentException: Subject is not logged in via 
Kerberos
        at 
com.google.common.base.Preconditions.checkArgument(Preconditions.java:88)
        at 
org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:53)
        at 
org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:65)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at java.lang.Class.newInstance(Class.java:379)
        at 
org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:63)
        ... 13 more
{{noformat}}

> Ensure MapReduce functionality with Kerberos enabled
> ----------------------------------------------------
>
>                 Key: ACCUMULO-3513
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3513
>             Project: Accumulo
>          Issue Type: Bug
>          Components: client
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 1.7.0
>
>
> I talked to [~devaraj] today about MapReduce support running on secure Hadoop 
> to help get a picture about what extra might be needed to make this work.
> Generally, in Hadoop and HBase, the client must have valid credentials to 
> submit a job, then the notion of delegation tokens is used by for further 
> communication since the servers do not have access to the client's sensitive 
> information. A centralized service manages creation of a delegation token 
> which is a record which contains certain information (such as the submitting 
> user name) necessary to securely identify the holder of the delegation token.
> The general idea is that we would need to build support into the master to 
> manage delegation tokens to node managers to acquire and use to run jobs. 
> Hadoop and HBase both contain code which implements this general idea, but we 
> will need to apply them Accumulo and verify that it is M/R jobs still work on 
> a kerberized environment.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to