I don't know of a workaround for this, but if, as you say, we've already fixed the bug upstream, then the best thing you can do is update to the newer version. Since you get your Accumulo from a vendor, and they don't have an update, you might be able to backport the fix yourself, if they provide the source for their vendor-provided version.
You should be aware that version 1.7.0 is quite old, and there may be many more bugs and numerous issues fixed by us since 1.7.0 that you are likely to encounter. Version 1.9.x and 2.x are the only versions currently being maintained upstream, so any new bugs found are extremely unlikely to be patched by us in older versions. But, feel free to continue to solicit assistance from other users on this mailing list... somebody here may be able to help you. If you need support for a vendor-specific version, though, you're probably going to have better luck contacting that vendor directly. On Mon, Dec 9, 2019 at 10:25 AM James Srinivasan <[email protected]> wrote: > > Hiya, > > I'm on Accumulo 1.7.0 (ish, HDP3) with a Kerberized cluster. I've got > some code which works fine when run as a user logged in directly with > Kerberos authentication, but fails when the Kerberized user is > proxying another user (for user impersonation with Spark/Zeppelin). > Here's where I've got: > > org.apache.hadoop.security.UserGroupInformation.getCurrentUser: > org.apache.hadoop.security.UserGroupInformation = > [email protected] (auth:PROXY) via [email protected] > (auth:KERBEROS) > > val kt = new org.apache.accumulo.core.client.security.tokens.KerberosToken(): > java.lang.IllegalArgumentException: Subject is not logged in via Kerberos at > org.locationtech.geomesa.accumulo.shaded.com.google.common.base.Preconditions.checkArgument(Preconditions.java:125) > at > org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:56) > at > org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:110) > > Looking at the 1.7.0 source and javadoc, while the doc says that Proxy > auth is supported, the code only seems to consider subjects logged in > directly using Kerberos (this was fixed in > ACCUMULO-4665/ACCUMULO-4666). Other than bugging our vendor to upgrade > the version of Accumulo they ship, is there anything else I can do to > work around it? > > I'm thinking of using the Accumulo 1.9 client libs, but there may be a > libthrift 0.9.1 vs 0.9.3 incompatibility > > I've also tried to use the KerberosToken ctor which takes a keytab, > unfortunately this doesn't seem to replace the current user (it does > when not using Proxy auth). > > Any suggestions would be much appreciated, > > James
