Created 11-08-2017 02:11 PM
I've had trouble granting administrator permissions for Accumulo to a kerberos user on the HDP 2.6.1 VirtualBox sandbox.
I stop all Accumulo services from Ambari and run the following command.
$ sudo -u accumulo ACCUMULO_CONF_DIR=/etc/accumulo/conf/server accumulo init --reset-security -u me@EXAMPLE.COM
I enter the passwords as blank since it's a kerberized cluster.
The command outputs:
2017-11-07 09:46:26,012 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosAuthorizor
2017-11-07 09:46:26,023 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosAuthenticator
2017-11-07 09:46:26,031 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosPermissionHandler
2017-11-07 09:46:26,281 [handler.KerberosAuthenticator] INFO : Removed /accumulo/0c13d53b-b043-4887-a839-a6ee9749f919/users/ from zookeeper
I start all Accumulo services from Ambari.
I kinit with me@EXAMPLE.COM successfully.
I run:
$ accumulo shell
me@EXAMPLE.COM@hdp-accumulo-instance> whoami            # returns the correct user
me@EXAMPLE.COM@hdp-accumulo-instance> userpermissions   # shows that I only have read permissions on the following tables:
Namespace permissions (accumulo): Namespace.READ
Table permissions (accumulo.metadata): Table.READ
Table permissions (accumulo.replication): Table.READ
Table permissions (accumulo.root): Table.READ
I am unable to perform any non-read actions on any tables with these permissions.
me@EXAMPLE.COM@hdp-accumulo-instance> createtable test
2017-11-07 10:02:09,065 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user me@EXAMPLE.COM on table test(?) - User does not have permission to perform this action
me@EXAMPLE.COM@hdp-accumulo-instance> grant System.CREATE_TABLE -s -u me@EXAMPLE.COM
2017-11-07 10:05:17,661 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user me@EXAMPLE.COM - User does not have permission to perform this action
Appreciate any help!
Created 11-08-2017 02:20 PM
You can do the below:
# klist -kt /etc/security/keytabs/accumulo.headless.keytab
Keytab name: FILE:/etc/security/keytabs/accumulo.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM    ----> principal for kinit (accumulo@EXAMPLE.COM)
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
# kinit -kt /etc/security/keytabs/accumulo.headless.keytab {principal}
# accumulo shell
> grant System.CREATE_TABLE -s -u me@EXAMPLE.COM
Thanks,
Aditya
Created 11-08-2017 05:52 PM
That's right, use the original admin user to grant permissions to your custom user. To find out which permissions need to be granted for full admin access, check the permissions of accumulo@EXAMPLE.COM in the shell or take a look at the example in the Apache Accumulo user manual.
Created 11-08-2017 07:06 PM
Hi Aditya,
Thanks for the response. Unfortunately I am having the same issues, even with the accumulo principal. Code and output are below.
klist -kt /etc/security/keytabs/accumulo.headless.keytab
Keytab name: FILE:/etc/security/keytabs/accumulo.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
   1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
   1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
   1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
   1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
kinit -kt /etc/security/keytabs/accumulo.headless.keytab accumulo-sandbox@EXAMPLE.COM
accumulo shell
> whoami
accumulo-sandbox@EXAMPLE.COM
> grant System.CREATE_TABLE -s -u me@EXAMPLE.COM
2017-11-08 11:47:52,874 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user accumulo-sandbox@EXAMPLE.COM - User does not have permission to perform this action
> userpermissions
Namespace permissions (accumulo): Namespace.READ
Table permissions (accumulo.metadata): Table.READ
Table permissions (accumulo.replication): Table.READ
Table permissions (accumulo.root): Table.READ
Do you have any other suggestions?
Thanks!
Jay
Created 11-10-2017 03:03 PM
Did you reset-security back to the accumulo principal? Also, you should kinit as accumulo@EXAMPLE.COM before issuing the reset-security command, so I'm not sure it will work using sudo -u accumulo unless you include kinit and reset-security in a single command.
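The procedure described in the two replies above (read the admin principal out of the headless keytab, kinit as it, then grant; and run kinit and reset-security in one sudo invocation so the init command sees the ticket), written up as an added example script. It is not code from the thread or from the Accumulo project. The keytab path and principal names are the ones the thread shows; the sample klist listing is constructed so the parsing step can be run without a keytab; and the use of accumulo shell -e to run a single command non-interactively is an assumption to check against your Accumulo version.

```shell
#!/bin/sh
# Added example, not from the thread. Helper functions for granting an
# Accumulo permission as the keytab's own principal on a kerberized cluster.

KEYTAB=/etc/security/keytabs/accumulo.headless.keytab
ACCUMULO_CONF_DIR=/etc/accumulo/conf/server

# Constructed sample of "klist -kt" output, modelled on the listing in the
# thread, so keytab_principal can be exercised without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/accumulo.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM
   1 09/10/17 14:06:14 accumulo@EXAMPLE.COM'

# keytab_principal: read "klist -kt" output on stdin and print each distinct
# principal once. Data rows start with a numeric KVNO; the timestamp occupies
# two fields, so the principal is field 4. Header and separator lines are
# skipped because their first field is not a number.
keytab_principal() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }' | awk '!seen[$0]++'
}

# admin_principal: the first principal found in the real keytab (empty if the
# keytab is unreadable or klist is not installed).
admin_principal() {
    klist -kt "$KEYTAB" 2>/dev/null | keytab_principal | head -n 1
}

# grant_as_admin USER PERMISSION: kinit as the keytab's principal, apply the
# system-level grant, then show the target user's permissions to confirm.
# Assumption: "accumulo shell -e <cmd>" runs one shell command and exits.
grant_as_admin() {
    user=$1
    perm=$2
    admin=$(admin_principal)
    [ -n "$admin" ] || { echo "no principal found in $KEYTAB" >&2; return 1; }
    kinit -kt "$KEYTAB" "$admin" || return 1
    accumulo shell -e "grant $perm -s -u $user" || return 1
    accumulo shell -e "userpermissions -u $user"
}

# reset_security_as_admin: run kinit and "accumulo init --reset-security" in
# a single "sudo -u accumulo sh -c" so both see the same ticket cache, which
# is the concern raised about running reset-security under sudo alone.
# Stop the Accumulo services before calling this, as the original post does.
reset_security_as_admin() {
    admin=$(admin_principal)
    [ -n "$admin" ] || { echo "no principal found in $KEYTAB" >&2; return 1; }
    sudo -u accumulo sh -c "kinit -kt '$KEYTAB' '$admin' && \
        ACCUMULO_CONF_DIR='$ACCUMULO_CONF_DIR' accumulo init --reset-security -u '$admin'"
}
```

Typical use on the sandbox would be `reset_security_as_admin` (with services stopped), then start the services, then `grant_as_admin me@EXAMPLE.COM System.CREATE_TABLE`. The keytab parser is the part worth keeping even if you run the rest by hand: it makes the "which principal do I kinit as" question answerable from the file itself, which is exactly the mismatch (accumulo vs. accumulo-sandbox) that shows up between the two klist listings in this thread.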
Created 11-10-2017 07:18 AM
Can you check who the owner of the directory /apps/accumulo is? Assuming it is 'xyz', try doing kinit with xyz's keytab and change the permissions. By default accumulo is the owner, but it looks like this is not the case for you.
Thanks,
Aditya