In-place data upgrade from Accumulo 1.7.0 in HDP 3 to Accumulo 1.10
HDP 3 has Accumulo 1.7.0 that still uses an older format for root user name when it stores it in ZooKeeper. This is no longer compatible with Accumulo 1.10. To prevent such issues, before adding the new Accumulo-on-cdp service, you must first stop the old service and then change the stored name.
The old headless Accumulo principals, like the current root user, are no longer
handled by Cloudera Manager and not added to the generated keytabs. The old keytabs
generated by Ambari still exist on the nodes, but to ensure that the necessary
keytabs can be re-generated if needed, we first have to add the headless principal
to Cloudera Manager through the Cloudera Manager API. To do so use the following
call: Support -> API Explorer ->
/cm/commands/generateCredentialsAdhoc
Use the following body:
{
"items": [
"accumulo@EXAMPLE.COM"
]
}
When the keytab needs to be regenerated it can be done using another call:
Support -> API Explorer -> /cm/retrieveKeytab
With the following body:
{
"items": [
"accumulo@EXAMPLE.COM"
]
}
The above call returns a link using which the keytab can be downloaded.
In case you use the old principal, it might have trouble accessing HDFS after the upgrade. In that case change the permission in the HDFS -> Configuration -> extra_auth_to_local_rules file as follows:
RULE:[1:$1@$0](accumulo@EXAMPLE.COM)s/.*/accumulo/
This ensures that the old principal has the same permissions as the new Accumulo principals.
After the update the tracer and monitor roles automatically use the node specific Accumulo principals. These principals does not have permissions for the trace table. You must add the permissions as follows:
grant Table.READ -t trace -u accumulo/{hostname}@EXAMPLE.COM
grant Table.WRITE -t trace -u accumulo/{hostname}@EXAMPLE.COM
grant Table.ALTER_TABLE -t trace -u accumulo/{hostname}@EXAMPLE.COM