Hello all,
I sent this in a couple of months ago, but I'm not sure if I was subscribed to
the mailing list correctly and didn't see any replies - so I thought I'd try
again.
I'm having trouble getting Kerberos authentication to work between Zookeeper
and Accumulo. I am not using any supporting platforms (e.g. Cloudera,
Hortonworks) - this is all being done using Docker with single Accumulo
(1.8.1), Zookeeper (3.4.10) and Hadoop (2.8.2) containers running within their
own Docker network. My KDC is running on a separate CentOS machine, but can be
reached by all of them. I have already managed to integrate Kerberos
authentication with Hadoop and Accumulo, but cannot add Zookeeper client into
the mix.
* The Zookeeper container has this configuration:
/conf/zoo.cfg
# Kerberos Configuration
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
/conf/zookeeper_jaas_server.conf
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/etc/security/keytabs/zookeeper-server.keytab"
principal="zookeeper/[email protected]";
};
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/conf/zookeeper_jaas_server.conf"
/conf/zookeeper_jaas_client.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/etc/security/keytabs/zookeeper-client.keytab"
principal="zookeeper-client/[email protected]";
};
export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/conf/zookeeper_jaas_client.conf"
* And I've added this configuration to Accumulo:
/usr/local/zookeeper/conf/zookeeper_jaas_client.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/etc/security/keytabs/accumulo.keytab"
principal="zookeeper-client/[email protected]";
};
export ACCUMULO_JAAS_CONF="$ZOOKEEPER_HOME/conf/zookeeper_jaas_client.conf"
This means that Zookeeper server starts by authenticating as principal
zookeeper/[email protected]
and Accumulo (a Zookeeper client) authenticates with Zookeeper using the
zookeeper-client/[email protected]
principal.
When starting Accumulo for the first time and running through an
initialisation, this authentication works fine and Accumulo starts as expected.
But when you restart Accumulo, the master fails to start with this error:
2019-02-07 10:52:42,856 [delegation.ZooAuthenticationKeyDistributor] ERROR: Saw
more than one ACL on the node
2019-02-07 10:52:42,858 [delegation.ZooAuthenticationKeyDistributor] ERROR:
Expected /accumulo/ee2ddad6-9df3-43a0-84d4-e9713ae9058c/delegation_token_keys
to have ACLs [31,s{'auth,'} ] but was [31,s{'sasl,'zookeeper-client} ,
31,s{'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=}
]
2019-02-07 10:52:42,858 [master.Master] ERROR: Unexpected exception, exiting
java.lang.IllegalStateException: Delegation token secret key node in ZooKeeper
is not protected.
at org.apache.accumulo.server.security.delegation.ZooAuthenticationKeyDistributor.initialize(ZooAuthenticationKeyDistributor.java:86)
at org.apache.accumulo.master.Master.run(Master.java:1223)
at org.apache.accumulo.master.Master.main(Master.java:1434)
at org.apache.accumulo.master.MasterExecutable.execute(MasterExecutable.java:33)
at org.apache.accumulo.start.Main$1.run(Main.java:120)
at java.lang.Thread.run(Thread.java:748)
It looks like the information that Accumulo writes to Zookeeper during the
initialisation has two ACLs associated with it - one for the zookeeper-client
Kerberos principal (sasl) and one for the Accumulo secret (digest). These two
ACLs seem to fail one of the master's start-up checks and cause it to exit.
Is there any way of disabling the Accumulo secret so that I only have the
Kerberos ACL? Or is there something wrong with the way I've tried to implement
this that would cause this problem?
I'd be very appreciative of any assistance.
Many thanks,
Oliver Jones
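The following is an added example, not code from the mail above or from ZooKeeper or Accumulo. It shows the kind of ACL audit the failing start-up check performs: it parses the ACL rendering that appears in the error log, decodes the permission bitmask 31 into the letters zkCli prints, derives the SASL id that kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal produce from a principal (which is why the log shows just "zookeeper-client"), and flags a node that carries more than one ACL or an identity that is not on the allow list. The node path and ACL strings are copied from the log; the principal and hostname in the main block are constructed placeholders.

```python
"""Audit ZooKeeper znode ACLs for the 'exactly one trusted identity' property.

Added example, not code from the mail, ZooKeeper or Accumulo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN  # 31, the value seen in the log


@dataclass(frozen=True)
class Acl:
    perms: int
    scheme: str  # 'auth', 'sasl', 'digest', 'world', 'ip'
    id: str


def perms_to_string(perms: int) -> str:
    """Render a perms bitmask in the 'cdrwa' letters that zkCli's getAcl prints."""
    letters = ((CREATE, "c"), (DELETE, "d"), (READ, "r"), (WRITE, "w"), (ADMIN, "a"))
    return "".join(ch for bit, ch in letters if perms & bit)


# Matches the toString() form in the log, e.g. 31,s{'sasl,'zookeeper-client}
_ACL_RE = re.compile(r"(\d+),s\{'([^,]*),'([^}]*)\}")


def parse_acls(rendered: str) -> list[Acl]:
    """Parse a rendered ACL list such as "[31,s{'auth,'} ]" into Acl objects."""
    return [Acl(int(p), scheme, ident) for p, scheme, ident in _ACL_RE.findall(rendered)]


def sasl_id_for_principal(principal: str, remove_host: bool, remove_realm: bool) -> str:
    """Derive the id ZooKeeper stores for a SASL (Kerberos) client.

    With both zoo.cfg options true, primary/instance@REALM collapses to the
    primary alone, which is why the log shows the id 'zookeeper-client'.
    """
    name, _, realm = principal.partition("@")
    primary, _, host = name.partition("/")
    ident = primary if (remove_host or not host) else f"{primary}/{host}"
    if realm and not remove_realm:
        ident = f"{ident}@{realm}"
    return ident


def audit_node(path: str, acls: list[Acl], allowed: set[tuple[str, str]]) -> list[str]:
    """Return findings for a node; an empty list means only an allowed identity holds it.

    allowed is a set of (scheme, id) pairs that may own the node.
    """
    findings: list[str] = []
    if len(acls) != 1:
        findings.append(f"{path}: expected exactly 1 ACL, found {len(acls)}")
    for acl in acls:
        if (acl.scheme, acl.id) not in allowed:
            findings.append(f"{path}: unexpected identity {acl.scheme}:{acl.id}")
        if acl.perms != ALL:
            findings.append(f"{path}: perms {perms_to_string(acl.perms)} != cdrwa")
    return findings


# Input copied from the error log in the mail.
NODE = "/accumulo/ee2ddad6-9df3-43a0-84d4-e9713ae9058c/delegation_token_keys"
LOGGED_EXPECTED = "[31,s{'auth,'} ]"
LOGGED_ACTUAL = (
    "[31,s{'sasl,'zookeeper-client} , "
    "31,s{'digest,'accumulo:diZNqb4D71cy0fGxC3meE2ZYWyE=} ]"
)

if __name__ == "__main__":
    # Constructed placeholder principal; the real host and realm are not in the mail.
    client_id = sasl_id_for_principal("zookeeper-client/zk1.example.test@EXAMPLE.TEST", True, True)
    for finding in audit_node(NODE, parse_acls(LOGGED_ACTUAL), {("sasl", client_id)}):
        print(finding)
```

Run against the logged ACL list, the audit reports two findings: two ACLs instead of one, and the digest identity that is not on the allow list. A node that carries only the sasl ACL for the derived client id passes cleanly.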