Hiya, I'm on Accumulo 1.7.0 (ish, HDP3) with a Kerberized cluster. I've got some code which works fine when run as a user logged in directly with Kerberos authentication, but fails when the Kerberized user is proxying another user (for user impersonation with Spark/Zeppelin). Here's where I've got:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser: org.apache.hadoop.security.UserGroupInformation = [email protected] (auth:PROXY) via [email protected] (auth:KERBEROS) val kt = new org.apache.accumulo.core.client.security.tokens.KerberosToken(): java.lang.IllegalArgumentException: Subject is not logged in via Kerberos at org.locationtech.geomesa.accumulo.shaded.com.google.common.base.Preconditions.checkArgument(Preconditions.java:125) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:56) at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:110) Looking at the 1.7.0 source and javadoc, while the doc says that Proxy auth is supported, the code only seems to consider subjects logged in directly using Kerberos (this was fixed in ACCUMULO-4665/ACCUMULO-4666). Other than bugging our vendor to upgrade the version of Accumulo they ship, is there anything else I can do to work around it? I'm thinking of using the Accumulo 1.9 client libs, but there may be a libthrift 0.9.1 vs 0.9.3 incompatibility I've also tried to use the KerberosToken ctor which takes a keytab, unfortunately this doesn't seem to replace the current user (it does when not using Proxy auth). Any suggestions would be much appreciated, James
