In-place data upgrade from Accumulo 1.7.0 in HDP 3 to Accumulo 1.10

HDP 3 has Accumulo 1.7.0 that still uses an older format for root user name when it stores it in ZooKeeper. This is no longer compatible with Accumulo 1.10. To prevent such issues, before adding the new Accumulo-on-cdp service, you must first stop the old service and then change the stored name.

  1. Start a zookeeper-client.
  2. Authenticate with the old Accumulo root user and password.
    1. addauth digest {accumulo_root_user}:{accumulo_root_user_pass}
    2. If you do not know the password, you can create a superuser for ZooKeeper that has the permissions to make the necessary change.
      Following are the steps to create a superuser for ZooKeeper.
      1. Add the following line to the ZooKeeper Server Java options.


      2. Now you can authenticate with addauth digest super:super123.
  3. Obtain the current InstanceId.
    get /accumulo/instances/{accumulo_instance_name}
  4. Change the root user for this instance.
    set /accumulo/{accumulo_instance_id}/users {old_accumulo_principal}@{kerberos_realm_name}

The old headless Accumulo principals, like the current root user, are no longer handled by Cloudera Manager and not added to the generated keytabs. The old keytabs generated by Ambari still exist on the nodes, but to ensure that the necessary keytabs can be re-generated if needed, we first have to add the headless principal to Cloudera Manager through the Cloudera Manager API. To do so use the following call: Support -> API Explorer -> /cm/commands/generateCredentialsAdhoc

Use the following body:

  "items": [

When the keytab needs to be regenerated it can be done using another call: Support -> API Explorer -> /cm/retrieveKeytab

With the following body:

  "items": [

The above call returns a link using which the keytab can be downloaded.

In case you use the old principal, it might have trouble accessing HDFS after the upgrade. In that case change the permission in the HDFS -> Configuration -> extra_auth_to_local_rules file as follows:


This ensures that the old principal has the same permissions as the new Accumulo principals.

After the update the tracer and monitor roles automatically use the node specific Accumulo principals. These principals does not have permissions for the trace table. You must add the permissions as follows:

grant Table.READ -t trace -u accumulo/{hostname}@EXAMPLE.COM
grant Table.WRITE -t trace -u accumulo/{hostname}@EXAMPLE.COM
grant Table.ALTER_TABLE -t trace -u accumulo/{hostname}@EXAMPLE.COM