So, this is something that's a bit confusing WRT how kerberos authentication currently works inside Accumulo (it needs to be fixed). The servers login using a keytab (as you saw int he logs); however, there's presently no support to allow client authentication via some kerberos ticket (cached ticket or a keytab).
I'm guessing the error that you're seeing is related to the internal authentication of the Tracer user for serializing distributed traces to the 'trace' table. By default, the credentials are 'root' and 'secret' via 'trace.user' and 'trace.token.property.password' in accumulo-site.xml, respectively. Fixing the client authentication to properly use the kerberos credentials is something that's on my radar. On Mon, Nov 17, 2014 at 12:09 PM, David Lyle <[email protected]> wrote: > I have installed Accumulo 1.5.1.2.1.7.0-784 on a kerberized vm for > testing purposes following the instructions in the readme. It looked > good (create table/scan, monitor page, etc) but then it started > throwing ThriftSecurityExceptions in the TServer logs. Looks like the > tserver process hasn't authenticated to the accumulo service user. > > When I look at the tserver log I see these near at the top: > > 2014-11-15 16:38:39,063 [server.Accumulo] INFO : > general.kerberos.keytab = > /etc/security/keytabs/accumulo.service.keytab > 2014-11-15 16:38:39,063 [server.Accumulo] INFO : > general.kerberos.principal = accumulo/[email protected] > > ...snip... > > 2014-11-15 16:38:39,911 [security.UserGroupInformation] INFO : Login > successful for user accumulo/[email protected] using keytab > file /etc/security/keytabs/accumulo.service.keytab > 2014-11-15 16:38:39,911 [security.SecurityUtil] INFO : Succesfully > logged in as user accumulo/[email protected] > 2014-11-15 16:38:40,464 [tabletserver.TabletServer] INFO : port = 9997 > 2014-11-15 16:38:48,232 [tabletserver.TabletServer] INFO : Loading > tablet !0;!0<< > 2014-11-15 16:38:48,253 [tabletserver.TabletServer] INFO : > localhost/127.0.0.1:9997: got assignment from master: !0;!0<< > 2014-11-15 16:38:48,351 [util.MetadataTable] INFO : Scanning logging > entries for !0;!0<< > 2014-11-15 16:38:48,351 [util.MetadataTable] INFO : Getting logs for > root tablet from zookeeper > 2014-11-15 16:38:48,354 [util.MetadataTable] INFO : Returning logs [] > for extent !0;!0<< > 2014-11-15 16:38:48,576 [client.ClientServiceHandler] ERROR: > ThriftSecurityException(user:root, code:BAD_CREDENTIALS) > > /user/accumulo is chowned to accumulo:hdfs and I can see the metadata > rfiles when I kinit to the accumulo account and browse the filesystem. > > Any notion what I've done wrong? > > Thanks! > > -David...
