hadoop-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erravelli, Venkat" <venkat.errave...@baml.com>
Subject RE: submitting a mapreduce job to remote cluster
Date Thu, 29 Nov 2012 18:55:56 GMT
I have tested this authentication piece separately to make sure if kerberos authentication
is working fine; works fine.   Have krb5.ini, .java.login.config and java.security files on
windows m/c.

How do I integrate this authentication functionality to submit the mapreduce job to remote
Hadoop cluster? What am I missing?  Thank you.

        public static void main(String[] args) throws Exception {

                // System.out.println(System.getProperty("java.home"));

                if (args.length > 0) {
                        name = args[0];
                } else {
                        name = "test";
                }

                // Create action to perform
                PrivilegedExceptionAction action = new MyAction();

                loginAndAction(name, action);
        }

        static void loginAndAction(String name, PrivilegedExceptionAction action)
                        throws LoginException, PrivilegedActionException {

                // Create a callback handler
                CallbackHandler callbackHandler = new TextCallbackHandler();

                LoginContext context = null;

                try {
                        // Create a LoginContext with a callback handler
                        context = new LoginContext(name, callbackHandler);

                        // Perform authentication
                        context.login();
                } catch (LoginException e) {
                        System.err.println("Login failed");
                        e.printStackTrace();
                        System.exit(-1);
                }

                // Perform action as authenticated user
                Subject subject = context.getSubject();
                if (verbose) {
                        System.out.println(subject.toString());
                } else {
                        System.out.println("Authenticated principal: "
                                        + subject.getPrincipals());
                }

                //Subject.doAs(subject, action);

                context.logout();
        }


Output
--------------------------------------------------
Kerberos password for user1: *********
Authenticated principal: [user1@xyz.HDFS.COM]
----------------------------------------------------

-----Original Message-----
From: Harsh J [mailto:harsh@cloudera.com]
Sent: Wednesday, November 28, 2012 12:23 PM
To: <user@hadoop.apache.org>
Subject: Re: submitting a mapreduce job to remote cluster

Hi,

This appears to be more of an environment or JRE config issue. Your Windows machine needs
the kerberos configuration files on it for Java security APIs to be able to locate which KDC
to talk to, for logging in. You can also manually specify the path to such a configuration
- read http://docs.oracle.com/javase/1.4.2/docs/guide/security/jgss/tutorials/KerberosReq.html
for some behavior data on how a JRE would locate the kerberos config file on different platforms,
and how you may override it.

On Wed, Nov 28, 2012 at 10:43 PM, Erravelli, Venkat <venkat.erravelli@baml.com> wrote:
> Tried the below :
>
> conf.set("hadoop.security.authentication", "kerberos");  >>>>>>>>
 Added this line.
>
>
> UserGroupInformation.setConfiguration(conf);  <<<<<<<<<<<<<
Now, it
> fails on this line with the below exception
>
>
> Exception in thread "Main Thread" java.lang.ExceptionInInitializerError
>         at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:227)
>         at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:268)
>         at com.ard.WordCountJob.process2(WordCountJob.java:147)
>         at com.ard.WordCountJob.main(WordCountJob.java:198)
> Caused by: java.lang.IllegalArgumentException: Can't get Kerberos configuration
>         at org.apache.hadoop.security.HadoopKerberosName.<clinit>(HadoopKerberosName.java:44)
>         at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:227)
>         at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:267)
>         at com.ard.WordCountJob.process2(WordCountJob.java:142)
>         at com.ard.WordCountJob.main(WordCountJob.java:197)
> Caused by: java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.hadoop.security.authentication.util.KerberosUtil.getDefaultRealm(KerberosUtil.java:63)
>         at org.apache.hadoop.security.HadoopKerberosName.<clinit>(HadoopKerberosName.java:41)
>         at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:227)
>         at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:268)
>         at com.ard.WordCountJob.process2(WordCountJob.java:147)
>         at com.ard.WordCountJob.main(WordCountJob.java:198)
> Caused by: KrbException: Could not load configuration file C:\WINNT\krb5.ini (The system
cannot find the file specified)
>         at sun.security.krb5.Config.<init>(Config.java:147)
>         at sun.security.krb5.Config.getInstance(Config.java:79)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.hadoop.security.authentication.util.KerberosUtil.getDefaultRealm(KerberosUtil.java:63)
>         at org.apache.hadoop.security.HadoopKerberosName.<clinit>(HadoopKerberosName.java:41)
>         at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:227)
>         at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:267)
>         at com.ard.WordCountJob.process2(WordCountJob.java:142)
>         at com.ard.WordCountJob.main(WordCountJob.java:197)
> Caused by: java.io.FileNotFoundException: C:\WINNT\krb5.ini (The system cannot find the
file specified)
>         at java.io.FileInputStream.open(Native Method)
>         at java.io.FileInputStream.<init>(FileInputStream.java:106)
>         at java.io.FileInputStream.<init>(FileInputStream.java:66)
>         at sun.security.krb5.Config$1.run(Config.java:539)
>         at sun.security.krb5.Config.loadConfigFile(Config.java:535)
>         at sun.security.krb5.Config.<init>(Config.java:144)
>         ... 11 more
>
> -----Original Message-----
> From: Harsh J [mailto:harsh@cloudera.com]
> Sent: Wednesday, November 28, 2012 11:35 AM
> To: <user@hadoop.apache.org>
> Subject: Re: submitting a mapreduce job to remote cluster
>
> Are you positive that your cluster/client configuration files'
> directory is on the classpath when you run this job? Only then its values would get automatically
read when you instantiate the Configuration class.
>
> Alternatively, you may try to set: "hadoop.security.authentication" to "kerberos" manually
in your Configuration (conf) object.
>
> On Wed, Nov 28, 2012 at 9:23 PM, Erravelli, Venkat <venkat.erravelli@baml.com>
wrote:
>> Hello :
>>
>>
>>
>> I see the below exception when I submit a MapReduce Job from
>> standalone java application to a remote Hadoop cluster. Cluster
>> authentication mechanism is Kerberos.
>>
>>
>>
>> Below is the code. I am using user impersonation since I need to
>> submit the job as a hadoop cluster user (userx) from my machine, on
>> which I am logged is as user99. So:
>>
>>
>>
>> userx -- user that is setup on the hadoop cluster.
>>
>> user99 -- user on whoes machine the standalone java application code
>> is executing.
>>
>>
>>
>>                     System.setProperty("HADOOP_USER_NAME", "userx");
>>
>>
>>
>>             final Configuration conf = new Configuration();
>>
>>
>>
>>             conf.set("hadoop.security.auth_to_local",
>>
>>                         "RULE:[1:$1@$0](.*@\\Q\\E$)s/@\\Q\\E$//"
>>
>>                                     +
>> "RULE:[2:$1@$0](.*@\\Q\\E$)s/@\\Q\\E$//" + "DEFAULT");
>>
>>
>>
>>             conf.set("mapred.job.tracker", "abcde.yyyy.com:9921");
>>
>>
>>
>>             conf.set("fs.defaultFS", "hdfs://xxxxx.yyyy.com:9920");
>>
>>
>>
>>             UserGroupInformation.setConfiguration(conf);
>>
>>
>>
>>             System.out.println("here ::::: "+
>> UserGroupInformation.getCurrentUser());
>>
>>
>>
>> UserGroupInformation ugi =
>> UserGroupInformation.createProxyUser("user99",
>> UserGroupInformation.getCurrentUser());
>>
>>             AuthenticationMethod am = AuthenticationMethod.KERBEROS;
>>
>>             ugi.setAuthenticationMethod(am);
>>
>>
>>
>>
>>
>>             final Path inPath = new Path("/user/userx/test.txt");
>>
>>
>>
>>             DateFormat df = new SimpleDateFormat("dd_MM_yyyy_hh_mm");
>>
>>             StringBuilder sb = new StringBuilder();
>>
>>             sb.append("wordcount_result_").append(df.format(new
>> Date()));
>>
>>
>>
>>             // out
>>
>>             final Path outPath = new Path(sb.toString());
>>
>>
>>
>>             ugi.doAs(new
>> PrivilegedExceptionAction<UserGroupInformation>() { <<<<---------throws
exception here!!!
>>
>>
>>
>>                   public UserGroupInformation run() throws Exception
>> {
>>
>>                         // Submit a job
>>
>>                         // create a new job based on the
>> configuration
>>
>>                         Job job = new Job(conf, "word count remote");
>>
>>
>>
>>                         job.setJarByClass(WordCountJob.class);
>>
>>                         job.setMapperClass(TokenizerMapper.class);
>>
>>                         job.setCombinerClass(IntSumReducer.class);
>>
>>                         job.setReducerClass(IntSumReducer.class);
>>
>>                         job.setOutputKeyClass(Text.class);
>>
>>                         job.setOutputValueClass(IntWritable.class);
>>
>>                         FileInputFormat.addInputPath(job, inPath);
>>
>>                         FileOutputFormat.setOutputPath(job, outPath);
>>
>>
>>
>>                         // this waits until the job completes
>>
>>                         job.waitForCompletion(true);
>>
>>
>>
>>                         if (job.isSuccessful()) {
>>
>>                               System.out.println("Job completed
>> successfully");
>>
>>                         } else {
>>
>>                               System.out.println("Job Failed");
>>
>>                         }
>>
>>                         return UserGroupInformation.getCurrentUser();
>>
>>
>>
>>                   }
>>
>>             });
>>
>>
>>
>> When the above code is executed, I get the below exception on the
>> line mentioned in the code above:
>>
>> ***************
>>
>> 12/11/28 09:43:51 ERROR security.UserGroupInformation:
>> PriviledgedActionException as: user99 (auth:KERBEROS) via userx
>> (auth:SIMPLE)
>> cause:org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
>> Authorization (hadoop.security.authorization) is enabled but
>> authentication
>> (hadoop.security.authentication) is configured as simple. Please
>> configure another method like kerberos or digest.
>>
>> Exception in thread "Main Thread"
>> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
>> Authorization (hadoop.security.authorization) is enabled but
>> authentication
>> (hadoop.security.authentication) is configured as simple. Please
>> configure another method like kerberos or digest.
>>
>> ***************
>>
>> Can someone tell me/point me in the right direction on what is going
>> on here, and how do i get over this exception? Any help will be
>> greatly appreciated. thanks!
>>
>>
>>
>> Below are the hadoop cluster configuration files:
>>
>>
>>
>> ***************
>>
>> Core-site.xml
>>
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>>
>>
>> <!--Autogenerated by Cloudera CM on 2012-11-06T20:18:31.456Z-->
>>
>> <configuration>
>>
>>   <property>
>>
>>     <name>fs.defaultFS</name>
>>
>>     <value>hdfs://xxxxx.yyyy.com:9920</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.file.buffer.size</name>
>>
>>     <value>65536</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.compression.codecs</name>
>>
>>     <value></value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>hadoop.security.authentication</name>
>>
>>     <value>kerberos</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>hadoop.security.auth_to_local</name>
>>
>>     <value>RULE:[1:$1@$0](.*@\Q\E$)s/@\Q\E$//
>>
>> RULE:[2:$1@$0](.*@\Q\E$)s/@\Q\E$//
>>
>> DEFAULT</value>
>>
>>   </property>
>>
>> </configuration>
>>
>>
>>
>>
>>
>> Hdfs-site.xml
>>
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>>
>>
>> <!--Autogenerated by Cloudera CM on 2012-11-06T20:18:31.467Z-->
>>
>> <configuration>
>>
>>   <property>
>>
>>     <name>dfs.https.address</name>
>>
>>     <value>xxxxx.yyyy.com:50470</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.https.port</name>
>>
>>     <value>50470</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.namenode.http-address</name>
>>
>>     <value>xxxxx.yyyy.com:50070</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.replication</name>
>>
>>     <value>3</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.blocksize</name>
>>
>>     <value>134217728</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.client.use.datanode.hostname</name>
>>
>>     <value>false</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.block.access.token.enable</name>
>>
>>     <value>true</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.namenode.kerberos.principal</name>
>>
>>     <value>hdfs/_HOST@RND.HDFS.COM</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.namenode.kerberos.https.principal</name>
>>
>>     <value>host/_HOST@RND.HDFS.COM</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>dfs.namenode.kerberos.internal.spnego.principal</name>
>>
>>     <value>HTTP/_HOST@RND.HDFS.COM</value>
>>
>>   </property>
>>
>> </configuration>
>>
>>
>>
>>
>>
>> Mapred-site.xml
>>
>>
>>
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>>
>>
>> <!--Autogenerated by Cloudera CM on 2012-11-06T20:18:31.456Z-->
>>
>> <configuration>
>>
>>   <property>
>>
>>     <name>mapred.job.tracker</name>
>>
>>     <value>abcde.yyyy.com:9921</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.output.compress</name>
>>
>>     <value>false</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.output.compression.type</name>
>>
>>     <value>BLOCK</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.output.compression.codec</name>
>>
>>     <value>org.apache.hadoop.io.compress.DefaultCodec</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.map.output.compression.codec</name>
>>
>>     <value>org.apache.hadoop.io.compress.SnappyCodec</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.compress.map.output</name>
>>
>>     <value>true</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.sort.factor</name>
>>
>>     <value>64</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.sort.record.percent</name>
>>
>>     <value>0.05</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.sort.spill.percent</name>
>>
>>     <value>0.8</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.reduce.parallel.copies</name>
>>
>>     <value>10</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.submit.replication</name>
>>
>>     <value>10</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.reduce.tasks</name>
>>
>>     <value>72</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>io.sort.mb</name>
>>
>>     <value>256</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.child.java.opts</name>
>>
>>     <value> -Xmx1073741824</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.job.reuse.jvm.num.tasks</name>
>>
>>     <value>1</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.map.tasks.speculative.execution</name>
>>
>>     <value>false</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.reduce.tasks.speculative.execution</name>
>>
>>     <value>false</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapred.reduce.slowstart.completed.maps</name>
>>
>>     <value>1.0</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapreduce.jobtracker.kerberos.principal</name>
>>
>>     <value>mapred/_HOST@RND.HDFS.COM</value>
>>
>>   </property>
>>
>>   <property>
>>
>>     <name>mapreduce.jobtracker.kerberos.https.principal</name>
>>
>>     <value>host/_HOST@RND.HDFS.COM</value>
>>
>>   </property>
>>
>> </configuration>
>>
>>
>>
>>
>>
>> ***************
>>
>>
>>
>> ________________________________
>> This message, and any attachments, is for the intended recipient(s)
>> only, may contain information that is privileged, confidential and/or
>> proprietary and subject to important terms and conditions available
>> at http://www.bankofamerica.com/emaildisclaimer. If you are not the
>> intended recipient, please delete this message.
>
>
>
> --
> Harsh J
>
> ----------------------------------------------------------------------
> This message, and any attachments, is for the intended recipient(s) only, may contain
information that is privileged, confidential and/or proprietary and subject to important terms
and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not
the intended recipient, please delete this message.



--
Harsh J

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information
that is privileged, confidential and/or proprietary and subject to important terms and conditions
available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient,
please delete this message.

Mime
View raw message