From: Abel Fernández
Date: Tue, 22 Nov 2016 09:14:37 +0000
Subject: Re: hbase/spark - Delegation Token can be issued only with kerberos or web authentication
To: user@hbase.apache.org

I don't think the TGT is the problem; checking the logs, I can see:

16/11/22 10:06:40 DEBUG [main] YarnSparkHadoopUtil: running as user: hbase
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: hadoop login
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: hadoop login commit
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: using kerberos user:hbase@COMPANY.CORP
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: Using user: "hbase@COMPANY.CORP" with name hbase@COMPANY.CORP
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: User entry: "hbase@COMPANY.CORP"
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: UGI loginUser:hbase@COMPANY.CORP (auth:KERBEROS)
16/11/22 10:06:40 DEBUG [main] UserGroupInformation: PrivilegedAction as:hbase (auth:SIMPLE) from:org.apache.spark.deploy.SparkHadoopUtil.runAsSparkUser(SparkHadoopUtil.scala:68)
16/11/22 10:06:40 DEBUG [TGT Renewer for hbase@COMPANY.CORP] UserGroupInformation: Found tgt Ticket (hex) =
0000: 61 82 01 61 30 82 01 5D A0 03 02 01 05 A1 12 1B   a..a0..]........
0010: 10 53 41 4E 54 41 4E 44 45 52 55 4B 2E 43 4F 52   .COMPANY.COR
0020: 50 A2 25 30 23 A0 03 02 01 02 A1 1C 30 1A 1B 06   P.%0#.......0...
0030: 6B 72 62 74 67 74 1B 10 53 41 4E 54 41 4E 44 45   ....
Client Principal = hbase@COMPANY.CORP
Server Principal = krbtgt/COMPANY.CORP@COMPANY.CORP
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 2D 9D 67 F5 7C B4 15 17 AE DE BE A5 B9 2C 15 95   -.g..........,..
0010: E6 6B 1C 4A 02 A2 44 67 6D D2 16 36 4A DA 11 82   .k.J..Dgm..6J...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Tue Nov 22 03:39:05 CET 2016
Start Time = Tue Nov 22 03:39:05 CET 2016
End Time = Wed Nov 23 03:39:05 CET 2016
Renew Till = Tue Nov 29 03:39:05 CET 2016
Client Addresses Null
16/11/22 10:06:40 DEBUG [TGT Renewer for hbase@COMPANY.CORP] UserGroupInformation: Current time is 1479805600691
16/11/22 10:06:40 DEBUG [TGT Renewer for hbase@COMPANY.CORP] UserGroupInformation: Next refresh is 1479851465000

Is the retrofit version you are using public? We are using CDH 5.5.4, but with a backported version of hbase-spark built from the latest code released on GitHub.
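In case it is useful, the UGI state can also be dumped programmatically — a minimal sketch against Hadoop's UserGroupInformation API (UgiDump is an illustrative name; the interesting comparison is the output on the driver versus inside an executor task):

import scala.collection.JavaConverters._
import org.apache.hadoop.security.UserGroupInformation

object UgiDump {
  def main(args: Array[String]): Unit = {
    // Mirrors the UserGroupInformation DEBUG lines in the log above.
    val ugi = UserGroupInformation.getCurrentUser
    println(s"user:           ${ugi.getUserName}")
    println(s"auth method:    ${ugi.getAuthenticationMethod}")
    println(s"kerberos creds: ${ugi.hasKerberosCredentials}")
    // On an executor it is this token list, not the TGT, that
    // HBase/HDFS calls authenticate with.
    ugi.getTokens.asScala.foreach(t => println(s"token: ${t.getKind} for ${t.getService}"))
  }
}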
On Mon, 21 Nov 2016 at 21:11 Nkechi Achara wrote:

> I am still convinced that it could be due to classpath issues, but I might
> be missing something.
>
> Just to make sure: have you checked the use of the principal / keytab on
> the driver only, so you can make sure the TGT is valid?
>
> I am using the same config but with CDH 5.5.2, although I am using a
> retrofit of the Cloudera Labs hbase-spark.
>
> Thanks
>
> On 21 Nov 2016 5:32 p.m., "Abel Fernández" wrote:
>
> > I have included the krb5.conf and the jaas.conf in the spark-submit and
> > on all node managers and drivers, but I am still having the same problem.
> >
> > I think the problem is this piece of code: it executes a function on the
> > executors, and for some reason the executors cannot get valid credentials.
> >
> > /**
> >  * A simple enrichment of the traditional Spark RDD foreachPartition.
> >  * This function differs from the original in that it offers the
> >  * developer access to an already connected Connection object.
> >  *
> >  * Note: Do not close the Connection object. All Connection
> >  * management is handled outside this method.
> >  *
> >  * @param rdd Original RDD with data to iterate over
> >  * @param f   Function to be given an iterator to iterate through
> >  *            the RDD values and a Connection object to interact
> >  *            with HBase
> >  */
> > def foreachPartition[T](rdd: RDD[T],
> >                         f: (Iterator[T], Connection) => Unit): Unit = {
> >   rdd.foreachPartition(
> >     it => hbaseForeachPartition(broadcastedConf, it, f))
> > }
> >
> > The first thing hbaseForeachPartition tries to do is get the credentials,
> > but I think this code is never executed:
> >
> > /**
> >  * underlying wrapper for all foreach functions in HBaseContext
> >  */
> > private def hbaseForeachPartition[T](
> >     configBroadcast: Broadcast[SerializableWritable[Configuration]],
> >     it: Iterator[T],
> >     f: (Iterator[T], Connection) => Unit) = {
> >
> >   val config = getConf(configBroadcast)
> >
> >   applyCreds
> >   // specify that this is a proxy user
> >   val smartConn = HBaseConnectionCache.getConnection(config)
> >   f(it, smartConn.connection)
> >   smartConn.close()
> > }
> >
> > This is the latest spark-submit I am using:
> >
> > #!/bin/bash
> >
> > SPARK_CONF_DIR=conf-hbase spark-submit --master yarn-cluster \
> >   --executor-memory 6G \
> >   --num-executors 10 \
> >   --queue cards \
> >   --executor-cores 4 \
> >   --driver-java-options "-Dlog4j.configuration=file:log4j.properties" \
> >   --driver-java-options "-Djava.security.krb5.conf=/etc/krb5.conf" \
> >   --driver-java-options "-Djava.security.auth.login.config=/opt/company/conf/jaas.conf" \
> >   --driver-class-path "$2" \
> >   --jars file:/opt/company/lib/rocksdbjni-4.5.1.jar \
> >   --conf "spark.driver.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> >   --conf "spark.executor.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> >   --principal hbase@COMPANY.CORP \
> >   --keytab /opt/company/conf/hbase.keytab \
> >   --files "owl.properties,conf-hbase/log4j.properties,conf-hbase/hbase-site.xml,conf-hbase/core-site.xml,$2" \
> >   --class $1 \
> >   cards-batch-$3-jar-with-dependencies.jar $2
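For context on the applyCreds call in the code quoted above: what that step amounts to is deserialising the driver's tokens and merging them into the executor's current UGI. A rough sketch of that idea — an illustration, not the actual hbase-spark source; applyDriverCredentials and serializedCreds are hypothetical names:

import java.io.{ByteArrayInputStream, DataInputStream}
import org.apache.hadoop.security.{Credentials, UserGroupInformation}

// Illustration only: merge serialized driver credentials into the
// executor's current UGI. `serializedCreds` would be the byte form of
// the driver's Credentials, shipped e.g. via a broadcast variable.
def applyDriverCredentials(serializedCreds: Array[Byte]): Unit = {
  val creds = new Credentials()
  creds.readTokenStorageStream(
    new DataInputStream(new ByteArrayInputStream(serializedCreds)))
  // Without this merge the executor runs as auth:SIMPLE, and asking for
  // a new delegation token fails with the error in the subject line.
  UserGroupInformation.getCurrentUser.addCredentials(creds)
}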
> > On Fri, 18 Nov 2016 at 16:37 Abel Fernández wrote:
> >
> > > No worries.
> > >
> > > This is the Spark version we are using: 1.5.0-cdh5.5.4
> > >
> > > I have to use HBaseContext; it is the first parameter of the method I
> > > am using to generate the HFiles (HBaseRDDFunctions.hbaseBulkLoadThinRows).
> > >
> > > On Fri, 18 Nov 2016 at 16:06 Nkechi Achara wrote:
> > >
> > > Sorry, on my way to a flight.
> > >
> > > Read is required for a keytab to be permissioned properly, so that
> > > looks fine in your case.
> > >
> > > I do not have my PC with me, but have you tried to use HBase without
> > > using HBaseContext?
> > >
> > > Also, which version of Spark are you using?
> > >
> > > On 18 Nov 2016 16:01, "Abel Fernández" wrote:
> > >
> > > > Yep, the keytab is also on the driver in the same location.
> > > >
> > > > -rw-r--r-- 1 hbase root 370 Nov 16 17:13 hbase.keytab
> > > >
> > > > Do you know what permissions the keytab should have?
> > > >
> > > > On Fri, 18 Nov 2016 at 14:19 Nkechi Achara wrote:
> > > >
> > > > > Sorry, just realised you had the submit command in the attached docs.
> > > > >
> > > > > Can I ask if the keytab is also on the driver in the same location?
> > > > >
> > > > > The Spark option normally requires the keytab to be on the driver so
> > > > > it can pick it up and pass it to YARN etc. to perform the Kerberos
> > > > > operations.
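One way to sanity-check that point, independent of Spark, is to log in from the keytab directly on the driver host. A minimal sketch (KeytabCheck is an illustrative name; the principal and keytab path are the ones used elsewhere in this thread):

import org.apache.hadoop.conf.Configuration
import org.apache.hadoop.security.UserGroupInformation

object KeytabCheck {
  def main(args: Array[String]): Unit = {
    // Force Kerberos authentication, then log in from the keytab.
    val conf = new Configuration()
    conf.set("hadoop.security.authentication", "kerberos")
    UserGroupInformation.setConfiguration(conf)
    val ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      "hbase@COMPANY.CORP", "/opt/company/conf/hbase.keytab")
    println(s"login ok: ${ugi.getUserName}, kerberos = ${ugi.hasKerberosCredentials}")
  }
}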
> > > > > On 18 Nov 2016 3:10 p.m., "Abel Fernández" wrote:
> > > > >
> > > > > > Hi Nkechi,
> > > > > >
> > > > > > Thanks for your early response.
> > > > > >
> > > > > > I am currently specifying the principal and the keytab in the
> > > > > > spark-submit; the keytab is in the same location on every node
> > > > > > manager.
> > > > > >
> > > > > > SPARK_CONF_DIR=conf-hbase spark-submit --master yarn-cluster \
> > > > > >   --executor-memory 6G \
> > > > > >   --num-executors 10 \
> > > > > >   --queue cards \
> > > > > >   --executor-cores 4 \
> > > > > >   --driver-java-options "-Dlog4j.configuration=file:log4j.properties" \
> > > > > >   --driver-class-path "$2" \
> > > > > >   --jars file:/opt/orange/lib/rocksdbjni-4.5.1.jar \
> > > > > >   --conf "spark.driver.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> > > > > >   --conf "spark.executor.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> > > > > >   --principal hbase@COMPANY.CORP \
> > > > > >   --keytab /opt/company/conf/hbase.keytab \
> > > > > >   --files "owl.properties,conf-hbase/log4j.properties,conf-hbase/hbase-site.xml,conf-hbase/core-site.xml,$2" \
> > > > > >   --class $1 \
> > > > > >   cards-batch-$3-jar-with-dependencies.jar $2
> > > > > >
> > > > > > On Fri, 18 Nov 2016 at 14:01 Nkechi Achara <nkachara@googlemail.com> wrote:
> > > > > >
> > > > > > > Can you use the principal and keytab options in spark-submit?
> > > > > > > These should circumvent this issue.
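A related avenue: when the driver itself is Kerberos-authenticated, it can also obtain an HBase delegation token explicitly and attach it to its UGI so the executors inherit it. A sketch along those lines (TokenUtil.obtainToken(Connection) is the HBase 1.x API, but signatures vary across versions; variable names are illustrative):

import org.apache.hadoop.hbase.HBaseConfiguration
import org.apache.hadoop.hbase.client.ConnectionFactory
import org.apache.hadoop.hbase.security.token.TokenUtil
import org.apache.hadoop.security.UserGroupInformation

val hbaseConf = HBaseConfiguration.create()
val conn = ConnectionFactory.createConnection(hbaseConf)
try {
  // Fetch an HBase delegation token as the Kerberos-authenticated driver
  // user and attach it to the current UGI so Spark ships it to executors.
  val token = TokenUtil.obtainToken(conn)
  UserGroupInformation.getCurrentUser.addToken(token)
} finally {
  conn.close()
}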
> > > > > > > On 18 Nov 2016 1:01 p.m., "Abel Fernández" <mevsmyself@gmail.com> wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > We are having problems with the delegation of the token in a
> > > > > > > > secure cluster: "Delegation Token can be issued only with
> > > > > > > > kerberos or web authentication".
> > > > > > > >
> > > > > > > > We have a Spark process which generates the HFiles to be
> > > > > > > > loaded into HBase. To generate these HFiles (we are using a
> > > > > > > > back-ported version of the latest hbase/spark code), we are
> > > > > > > > using the method HBaseRDDFunctions.hbaseBulkLoadThinRows.
> > > > > > > >
> > > > > > > > I think the problem is in the piece of code below. This
> > > > > > > > function is executed in every partition of the RDD; when the
> > > > > > > > executors try to execute the code, they do not have a valid
> > > > > > > > Kerberos credential and cannot execute anything.
> > > > > > > >
> > > > > > > > private def hbaseForeachPartition[T](
> > > > > > > >     configBroadcast: Broadcast[SerializableWritable[Configuration]],
> > > > > > > >     it: Iterator[T],
> > > > > > > >     f: (Iterator[T], Connection) => Unit) = {
> > > > > > > >
> > > > > > > >   val config = getConf(configBroadcast)
> > > > > > > >
> > > > > > > >   applyCreds
> > > > > > > >   // specify that this is a proxy user
> > > > > > > >   val smartConn = HBaseConnectionCache.getConnection(config)
> > > > > > > >   f(it, smartConn.connection)
> > > > > > > >   smartConn.close()
> > > > > > > > }
> > > > > > > >
> > > > > > > > I have attached the spark-submit and the complete error log
> > > > > > > > trace. Has anyone faced this problem before?
> > > > > > > >
> > > > > > > > Thanks in advance.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Abel.
> > > > > > > >
> > > > > > > > --
> > > > > > > > Un saludo - Best Regards.
> > > > > > > > Abel
--
Un saludo - Best Regards.
Abel