[ https://issues.apache.org/jira/browse/ACCUMULO-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294327#comment-14294327 ]
Josh Elser edited comment on ACCUMULO-3513 at 1/27/15 10:38 PM: ---------------------------------------------------------------- For later if needed: the actual failure seen if you try to run a MR job now. {noformat} Error: java.io.IOException: java.lang.IllegalArgumentException: Cannot instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:559) at org.apache.hadoop.mapred.MapTask$NewDirectOutputCollector.<init>(MapTask.java:647) at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:767) at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341) at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:163) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:415) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657) at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158) Caused by: java.lang.IllegalArgumentException: Cannot instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:65) at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:98) at org.apache.accumulo.core.client.mapreduce.lib.impl.ConfiguratorBase.getAuthenticationToken(ConfiguratorBase.java:229) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getAuthenticationToken(AccumuloOutputFormat.java:172) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat$AccumuloRecordWriter.<init>(AccumuloOutputFormat.java:403) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:557) ... 8 more Caused by: java.lang.IllegalArgumentException: Subject is not logged in via Kerberos at com.google.common.base.Preconditions.checkArgument(Preconditions.java:88) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:53) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:65) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at java.lang.Class.newInstance(Class.java:379) at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:63) ... 13 more {noformat} was (Author: elserj): For later if needed: the actual failure seen if you try to run a MR job now. {{noformat}} Error: java.io.IOException: java.lang.IllegalArgumentException: Cannot instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:559) at org.apache.hadoop.mapred.MapTask$NewDirectOutputCollector.<init>(MapTask.java:647) at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:767) at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341) at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:163) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:415) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657) at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158) Caused by: java.lang.IllegalArgumentException: Cannot instantiate org.apache.accumulo.core.client.security.tokens.KerberosToken at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:65) at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:98) at org.apache.accumulo.core.client.mapreduce.lib.impl.ConfiguratorBase.getAuthenticationToken(ConfiguratorBase.java:229) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getAuthenticationToken(AccumuloOutputFormat.java:172) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat$AccumuloRecordWriter.<init>(AccumuloOutputFormat.java:403) at org.apache.accumulo.core.client.mapreduce.AccumuloOutputFormat.getRecordWriter(AccumuloOutputFormat.java:557) ... 8 more Caused by: java.lang.IllegalArgumentException: Subject is not logged in via Kerberos at com.google.common.base.Preconditions.checkArgument(Preconditions.java:88) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:53) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:65) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at java.lang.Class.newInstance(Class.java:379) at org.apache.accumulo.core.client.security.tokens.AuthenticationToken$AuthenticationTokenSerializer.deserialize(AuthenticationToken.java:63) ... 13 more {{noformat}} > Ensure MapReduce functionality with Kerberos enabled > ---------------------------------------------------- > > Key: ACCUMULO-3513 > URL: https://issues.apache.org/jira/browse/ACCUMULO-3513 > Project: Accumulo > Issue Type: Bug > Components: client > Reporter: Josh Elser > Assignee: Josh Elser > Priority: Blocker > Fix For: 1.7.0 > > > I talked to [~devaraj] today about MapReduce support running on secure Hadoop > to help get a picture about what extra might be needed to make this work. > Generally, in Hadoop and HBase, the client must have valid credentials to > submit a job, then the notion of delegation tokens is used by for further > communication since the servers do not have access to the client's sensitive > information. A centralized service manages creation of a delegation token > which is a record which contains certain information (such as the submitting > user name) necessary to securely identify the holder of the delegation token. > The general idea is that we would need to build support into the master to > manage delegation tokens to node managers to acquire and use to run jobs. > Hadoop and HBase both contain code which implements this general idea, but we > will need to apply them Accumulo and verify that it is M/R jobs still work on > a kerberized environment. -- This message was sent by Atlassian JIRA (v6.3.4#6332)