Kerberos and the Accumulo Proxy

[Tristen Georgiou]

I'm using Ambari 2.1.2.1, HDP 2.3.2 (so Accumulo 1.7.0) and I'm trying to
get a Kerberized Accumulo proxy up and running; I can successully start the
proxy, but I am having trouble connecting with it.

Here is my Accumulo proxy properties file (I've censored my actual FQDN's):

useMockInstance=false
useMiniAccumulo=false
protocolFactory=org.apache.thrift.protocol.TCompactProtocol$Factory
tokenClass=org.apache.accumulo.core.client.security.tokens.KerberosToken
port=42425
maxFrameSize=16M
thriftServerType=sasl
kerberosPrincipal=accumulo/mas3.example....@example.com
kerberosKeytab=/etc/security/keytabs/accumulo.service.keytab
instance=agile_accumulo
zookeepers=mas1.example.com:2181,mas2.example.com:2181,mas3.example.com:2181

The proxy starts up fine, and then via Python I am doing the following:

transport = TTransport.TSaslClientTransport(TSocket.TSocket('
mas3.example.com', 42425), 'mas3.example.com', 'accumulo', QOP='auth')
protocol = TCompactProtocol.TCompactProtocol(transport)
client = AccumuloProxy.Client(protocol)
transport.open()
login = client.login('cent...@example.com', {})

Where I've created the principal cent...@example.com and have run kinit on
the server where I am trying to connect to the proxy from (not from mas3)

The proxy log responds with this:

2016-01-25 21:42:01,294 [proxy.ProxyServer] ERROR: Failed to login
org.apache.accumulo.core.client.AccumuloSecurityException: Error
BAD_CREDENTIALS for user Principal in credentials object should match
kerberos principal. Expected 'accumulo/mas3.example....@example.com' but
was 'cent...@example.com' - Username or Password is Invalid
at
org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:63)
at
org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
at
org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
at org.apache.accumulo.proxy.ProxyServer.getConnector(ProxyServer.java:232)
at org.apache.accumulo.proxy.ProxyServer.login(ProxyServer.java:1574)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.apache.accumulo.core.trace.wrappers.RpcServerInvocationHandler.invoke(RpcServerInvocationHandler.java:39)
at org.apache.accumulo.server.rpc.RpcWrapper$1.invoke(RpcWrapper.java:47)
at com.sun.proxy.$Proxy14.login(Unknown Source)
at
org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5723)
at
org.apache.accumulo.proxy.thrift.AccumuloProxy$Processor$login.getResult(AccumuloProxy.java:5707)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at
org.apache.accumulo.server.rpc.UGIAssumingProcessor.process(UGIAssumingProcessor.java:102)
at
org.apache.accumulo.server.rpc.TimedProcessor.process(TimedProcessor.java:63)
at
org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:225)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at
org.apache.accumulo.fate.util.LoggingRunnable.run(LoggingRunnable.java:35)
at java.lang.Thread.run(Thread.java:745)
Caused by: ThriftSecurityException(user:Principal in credentials object
should match kerberos principal. Expected 'accumulo/
mas3.example....@example.com' but was 'cent...@example.com',
code:BAD_CREDENTIALS)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15613)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result$authenticate_resultStandardScheme.read(ClientService.java:15591)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$authenticate_result.read(ClientService.java:15535)
at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$Client.recv_authenticate(ClientService.java:500)
at
org.apache.accumulo.core.client.impl.thrift.ClientService$Client.authenticate(ClientService.java:486)
at
org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:70)
at
org.apache.accumulo.core.client.impl.ConnectorImpl$1.execute(ConnectorImpl.java:67)
at
org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:98)
at
org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
... 22 more

I've tried to update my configuration for impersonation but have had no
luck; my colleague did send out an email to this list about questions to do
with impersonation, so perhaps that is the problem.

Otherwise, anyone see anything obviously wrong with what I'm doing? Could
it be related to this: https://issues.apache.org/jira/browse/ACCUMULO-3849