
TLS + Kerberos Support in Accumulo

Open sjyang18 opened this issue 4 years ago • 1 comments

Is your feature request related to a problem? Please describe. Both TLS and Kerberos can be configured and turned on at the ZooKeeper and Hadoop layer. However, Accumulo is required to turn on only one of them: SSL or SASL for Kerberos. Turning off SSL but still keeping the zookeeper.ssl* JVM switches (so that Accumulo may connect to secured ZooKeepers) would not work, with the following error. Two ACL entries were added: one for the host certificate used during the SSL connection, one for the accumulo admin account (in Kerberos) given to the 'accumulo init' process.

```
2021-03-25T22:07:19,495 [manager.Manager] INFO : Starting delegation-token key manager
2021-03-25T22:07:19,500 [delegation.ZooAuthenticationKeyDistributor] ERROR: Saw more than one ACL on the node
2021-03-25T22:07:19,503 [delegation.ZooAuthenticationKeyDistributor] ERROR: Expected /accumulo/74df60b2-7f63-4306-8f82-f08a81ba2a33/delegation_token_keys to have ACLs [31,s{'auth,'}
] but was [31,s{'x509,'CN=accucluster3-0.domain}
, 31,s{'digest,'accumulo:KBeh49allLP6OCuJmbGiQ7Q0guQ=}
]
2021-03-25T22:07:19,501 [conf.SiteConfiguration] INFO : Found Accumulo configuration on classpath at /opt/muchos/install/accumulo-2.1.0-SNAPSHOT/conf/accumulo.properties
2021-03-25T22:07:19,505 [start.Main] ERROR: Thread 'manager' died.
java.lang.IllegalStateException: Delegation token secret key node in ZooKeeper is not protected.
	at org.apache.accumulo.server.security.delegation.ZooAuthenticationKeyDistributor.initialize(ZooAuthenticationKeyDistributor.java:86) ~[accumulo-server-base-2.1.0-SNAPSHOT.jar:2.1.0-SNAPSHOT]
	at org.apache.accumulo.manager.Manager.run(Manager.java:1154) ~[accumulo-manager-2.1.0-SNAPSHOT.jar:2.1.0-SNAPSHOT]
	at java.lang.Thread.run(Thread.java:834) [?:?]
```

Describe the solution you'd like Accumulo may be configured with both TLS + Kerberos on and connect to TLS- and Kerberos-enabled ZooKeeper and Hadoop.

Describe alternatives you've considered There is no alternative if TLS and Kerberos are enabled in ZooKeeper.

Additional context Add any other context or screenshots about the feature request here.

sjyang18 avatar Mar 30 '21 16:03 sjyang18

When I enabled both TLS and SASL on the ZooKeeper side, I am getting more ACLs in /accumulo/*/delegation_token_keys.

```
2021-04-01T22:05:26,786 [delegation.ZooAuthenticationKeyDistributor] ERROR: Saw more than one ACL on the node
2021-04-01T22:05:26,788 [delegation.ZooAuthenticationKeyDistributor] ERROR: Expected /accumulo/1478471c-189b-453d-b186-bdc0bc84215c/delegation_token_keys to have ACLs [31,s{'auth,'}
] but was [31,s{'x509,'CN=accucluster3-0.example.domain.com}
, 31,s{'sasl,'azureuser}
, 31,s{'digest,'accumulo:KBeh49allLP6OCuJmbGiQ7Q0guQ=}
]
```

Looking at https://github.com/apache/accumulo/blob/aab34a980d7a9ccad63797913b99b331c5cbbaae/server/base/src/main/java/org/apache/accumulo/server/security/delegation/ZooAuthenticationKeyDistributor.java#L72, it expects only one ACL: a single digest ACL for the accumulo user.

sjyang18 avatar Apr 01 '21 23:04 sjyang18
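An added illustration of the mechanism behind both log excerpts above (example code written for this page, not code from the issue or from Accumulo). At create time ZooKeeper replaces the `auth` pseudo-scheme ACL (`[31,s{'auth,'}]`, ALL permissions for "whoever I am") with one ACL per identity the connection has authenticated as, so a connection that presented a client certificate, a SASL principal and a digest password gets three ACLs. The model below parses the ACL lists exactly as they are printed in the log, reproduces that expansion, and contrasts the strict single-digest check the log shows failing with a hypothetical relaxed check (an assumption, not Accumulo's code) that asks the security-relevant question directly: does every ACL on the node grant ALL permissions only to an identity this process itself authenticated with, and nothing to world, ip or anyone else? The connection identities and the relaxed check are assumptions; the ACL strings are copied from the second log excerpt.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms); 31 is ALL, the value in the log.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Acl:
    perms: int
    scheme: str  # 'digest', 'x509', 'sasl', 'world', 'ip', or the pseudo-scheme 'auth'
    id: str


# One entry of ZooKeeper's ACL toString(), e.g. 31,s{'x509,'CN=host}; the id may contain commas.
_ACL_RE = re.compile(r"(\d+),s\{'([^,']+),'([^}]*)\}")


def parse_acl_log(text: str) -> list[Acl]:
    """Parse an ACL list as printed in the 'Expected ... but was [...]' log line."""
    return [Acl(int(p), s, i) for p, s, i in _ACL_RE.findall(text)]


def expand_auth_acl(requested: list[Acl], conn_ids: list[tuple[str, str]]) -> list[Acl]:
    """Model of ZooKeeper's create-time fixup: each 'auth' entry becomes one ACL per identity
    the connection authenticated with, keeping the requested permission bits; duplicates collapse."""
    out: list[Acl] = []
    for acl in requested:
        if acl.scheme == "auth":
            out.extend(Acl(acl.perms, s, i) for s, i in conn_ids)
        else:
            out.append(acl)
    return list(dict.fromkeys(out))


def strict_check(acls: list[Acl]) -> bool:
    """The behaviour the log shows: exactly one ACL, ALL perms, digest scheme, accumulo user."""
    if len(acls) != 1:
        return False  # logged as "Saw more than one ACL on the node"
    a = acls[0]
    return a.perms == ALL and a.scheme == "digest" and a.id.startswith("accumulo:")


def protected_check(acls: list[Acl], trusted: set[tuple[str, str]]) -> bool:
    """Hypothetical relaxed check (assumption, not Accumulo's code): the node is protected when
    every ACL grants ALL perms to an identity this process authenticated as; any extra entry
    (world:anyone, an ip range, an unknown principal, a read-only grant) makes it unprotected."""
    if not acls:
        return False
    return all(a.perms == ALL and (a.scheme, a.id) in trusted for a in acls)


# ACL list copied from the second log excerpt in this issue (TLS client cert + SASL + digest).
LOGGED_ACLS = """[31,s{'x509,'CN=accucluster3-0.example.domain.com}
, 31,s{'sasl,'azureuser}
, 31,s{'digest,'accumulo:KBeh49allLP6OCuJmbGiQ7Q0guQ=}
]"""

# Assumed identities on the Accumulo manager's ZooKeeper connection, matching the log above.
CONNECTION_IDS = [
    ("x509", "CN=accucluster3-0.example.domain.com"),
    ("sasl", "azureuser"),
    ("digest", "accumulo:KBeh49allLP6OCuJmbGiQ7Q0guQ="),
]


def demo() -> tuple[bool, bool]:
    """Expand the single 'auth' ACL the log says was expected and run both checks on the result."""
    requested = parse_acl_log("[31,s{'auth,'}]")
    stored = expand_auth_acl(requested, CONNECTION_IDS)
    assert stored == parse_acl_log(LOGGED_ACLS)  # the expansion reproduces the logged ACLs
    return strict_check(stored), protected_check(stored, set(CONNECTION_IDS))


if __name__ == "__main__":
    strict, relaxed = demo()
    print(f"strict single-digest check: {strict}")   # False: three ACLs, so the manager dies
    print(f"all-ACLs-are-mine check:    {relaxed}")  # True: every entry is one of our identities
```

The point the model makes is that the three-ACL node in the log is not less protected than the one-ACL node: each entry still grants ALL and nothing else to an identity the creating process proved it held. Whether the check should accept that is the project's decision; the relaxed check here only shows what such a rule would have to verify, and it still rejects a node with a `world:anyone` entry or a read-only grant.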