Search code examples
clientkerberosaccumulo

Accumulo kerberos authentication

I have problems with Accumulo authentication using Kerberos. When i try to create token my app fails with exception:

Exception in thread "main" java.lang.IllegalArgumentException: Subject is not logged in via Kerberos
    at com.google.common.base.Preconditions.checkArgument(Preconditions.java:92)
    at org.apache.accumulo.core.client.security.tokens.KerberosToken.<init>(KerberosToken.java:56)

My connection code:

UserGroupInformation.loginUserFromKeytab("user", "keytab"); // ok
KerberosToken token = new KerberosToken(); // Exception goes here

Any help is appreciated

Solution

  • It would appear that your Kerberos login is not functioning as expected. That constructor is doing the following:

      public KerberosToken(String principal) throws IOException {
    requireNonNull(principal);
    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    checkArgument(principal.equals(ugi.getUserName()), "Provided principal does not match currently logged-in user");
    this.principal = ugi.getUserName();
  }

    Somehow, your UGI call is resulting in a current user that doesn't have Kerberos credentials. You should be able to inspect this yourself. I don't have a simple solution for you, but you can try the following to debug this:

    1. Set org.apache.hadoop.security=DEBUG in your log4j configuration
    2. Pass -Dsun.security.krb5.debug=true to your JVM (or use System.setProperty(...))