12-21-2017 04:36 PM
@Geoffrey Shelton Okot Is there any way to test the encryption on the ports? I'd like to have some documented results as opposed to just trusting the settings. I think I have set everything correctly.
12-20-2017 07:39 PM
Is there a way to verify RPC encryption in a kerberized cluster for HDFS and YARN ports? Running openssl gives me a "connection reset by peer" message, and I suspect this might be because of Kerberos authentication.
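As an added example for the two questions above (it is not code from the original thread, from Hadoop, or from the poster): Hadoop RPC ports (NameNode, ResourceManager) do not speak TLS, which is why `openssl s_client` is reset. RPC confidentiality is negotiated as a SASL GSSAPI quality of protection governed by `hadoop.rpc.protection`, while DataNode block streams and the web UIs are separate channels with their own settings. The script below parses Hadoop-style `*-site.xml` documents (the two embedded samples are constructed) and reports every channel that is not forced to confidentiality. This is a configuration review, not proof of what is on the wire; for the latter, capture a client-to-NameNode session and confirm that nothing after the SASL handshake is readable.

```python
"""Audit Hadoop *-site.xml for RPC, data-transfer and HTTP encryption settings.

Added example, not code from the thread or from Hadoop. The property names
are real Hadoop settings; the two XML documents are constructed samples.
"""
import xml.etree.ElementTree as ET

RPC_PROTECTION = "hadoop.rpc.protection"        # core-site.xml: authentication|integrity|privacy (comma list allowed)
DT_ENCRYPT = "dfs.encrypt.data.transfer"        # hdfs-site.xml: true|false, encrypts client<->DataNode blocks
DT_PROTECTION = "dfs.data.transfer.protection"  # hdfs-site.xml: SASL QOP for DataNode streams
HDFS_HTTP_POLICY = "dfs.http.policy"            # HTTP_ONLY|HTTPS_ONLY|HTTP_AND_HTTPS
YARN_HTTP_POLICY = "yarn.http.policy"           # same values for the YARN web UIs

# Constructed sample: Kerberos authentication on, but RPC may still negotiate a plaintext QOP.
WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication,privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>false</value></property>
  <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
</configuration>"""

# Constructed sample: every channel forced to confidentiality.
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.data.transfer.protection</name><value>privacy</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>yarn.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means every channel is encrypted."""
    findings = []
    # The server advertises every QOP listed here and the client picks one, so any
    # entry weaker than 'privacy' lets a session run without encryption.
    rpc = props.get(RPC_PROTECTION, "authentication")  # Hadoop default
    qops = sorted({q.strip().lower() for q in rpc.split(",") if q.strip()})
    if qops != ["privacy"]:
        findings.append(f"{RPC_PROTECTION}={rpc!r}: RPC can run unencrypted; set it to exactly 'privacy'")
    # Block data is a separate channel; either setting encrypts it.
    encrypt_dt = props.get(DT_ENCRYPT, "false").lower() == "true"
    dt_privacy = props.get(DT_PROTECTION, "").lower() == "privacy"
    if not (encrypt_dt or dt_privacy):
        findings.append(f"{DT_ENCRYPT} is not 'true' and {DT_PROTECTION} is not 'privacy': block streams are plaintext")
    for key in (HDFS_HTTP_POLICY, YARN_HTTP_POLICY):
        if props.get(key, "HTTP_ONLY").upper() != "HTTPS_ONLY":
            findings.append(f"{key} is not 'HTTPS_ONLY': web UI / WebHDFS traffic may be plaintext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_hadoop_xml(cfg))
        print(f"{label}: {'all channels encrypted' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Against a live cluster, read and merge core-site.xml and hdfs-site.xml (and yarn-site.xml) from the Hadoop configuration directory (assumed here to be /etc/hadoop/conf) into one dict before calling `audit`, since the properties live in different files.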
12-06-2017 06:26 PM
Is it possible to encrypt all communication from/to Zookeeper? I haven't seen any HDP documentation.
Labels: Cloudera Navigator Encrypt
11-08-2017 07:06 PM
Hi Aditya, thanks for the response. Unfortunately I am having the same issues, even with the accumulo principal. Code and output are below.
$ klist -kt /etc/security/keytabs/accumulo.headless.keytab
Keytab name: FILE:/etc/security/keytabs/accumulo.headless.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
1 10/02/17 14:31:46 accumulo-sandbox@EXAMPLE.COM
$ kinit -kt /etc/security/keytabs/accumulo.headless.keytab accumulo-sandbox@EXAMPLE.COM
$ accumulo shell
> whoami
accumulo-sandbox@EXAMPLE.COM
> grant System.CREATE_TABLE -s -u me@EXAMPLE.COM
2017-11-08 11:47:52,874 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user accumulo-sandbox@EXAMPLE.COM - User does not have permission to perform this action
> userpermissions
Namespace permissions (accumulo): Namespace.READ
Table permissions (accumulo.metadata): Table.READ
Table permissions (accumulo.replication): Table.READ
Table permissions (accumulo.root): Table.READ
Do you have any other suggestions? Thanks! Jay
11-08-2017 02:11 PM
I've had trouble granting administrator permissions for Accumulo to a Kerberos user on the HDP 2.6.1 VirtualBox sandbox.
I stop all Accumulo services from Ambari and run the following command.
$ sudo -u accumulo ACCUMULO_CONF_DIR=/etc/accumulo/conf/server accumulo init --reset-security -u me@EXAMPLE.COM
I enter the passwords as blank since it's a kerberized cluster.
The command outputs:
2017-11-07 09:46:26,012 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosAuthorizor
2017-11-07 09:46:26,023 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosAuthenticator
2017-11-07 09:46:26,031 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.KerberosPermissionHandler
2017-11-07 09:46:26,281 [handler.KerberosAuthenticator] INFO : Removed /accumulo/0c13d53b-b043-4887-a839-a6ee9749f919/users/ from zookeeper
I start all Accumulo services from Ambari. I kinit with me@EXAMPLE.COM successfully. I run:
$ accumulo shell
me@EXAMPLE.COM@hdp-accumulo-instance> whoami #returns the correct user
me@EXAMPLE.COM@hdp-accumulo-instance> userpermissions # shows that I only have read permissions on the following tables:
Namespace permissions (accumulo): Namespace.READ
Table permissions (accumulo.metadata): Table.READ
Table permissions (accumulo.replication): Table.READ
Table permissions (accumulo.root): Table.READ
I am unable to perform any non-read actions on any tables with these permissions.
me@EXAMPLE.COM@hdp-accumulo-instance> createtable test
2017-11-07 10:02:09,065 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user me@EXAMPLE.COM on table test(?) - User does not have permission to perform this action
me@EXAMPLE.COM@hdp-accumulo-instance> grant System.CREATE_TABLE -s -u me@EXAMPLE.COM
2017-11-07 10:05:17,661 [shell.Shell] ERROR: org.apache.accumulo.core.client.AccumuloSecurityException: Error PERMISSION_DENIED for user me@EXAMPLE.COM - User does not have permission to perform this action
Appreciate any help!