From: Nkechi Achara
Date: Mon, 21 Nov 2016 22:11:42 +0100
To: user@hbase.apache.org
Subject: Re: hbase/spark - Delegation Token can be issued only with kerberos or web authentication

I am still convinced that this could be down to classpath issues, but I
might be missing something.

Just to make sure: have you checked the use of the principal/keytab on the
driver only, so you can confirm the TGT is valid? I am using the same
config, but on CDH 5.5.2 and with a retrofit of the Cloudera Labs
hbase-spark module.
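Something like this at the very top of the driver code would confirm the
keytab login actually works before anything touches HBase (a rough,
untested sketch; I am only reusing the principal and keytab path from your
submit command as placeholders):

    import org.apache.hadoop.security.UserGroupInformation

    // Log in explicitly from the keytab and print what UGI thinks we are.
    // If this throws, or reports anything other than KERBEROS, the problem
    // is the login itself rather than the executors.
    UserGroupInformation.loginUserFromKeytab(
      "hbase@COMPANY.CORP", "/opt/company/conf/hbase.keytab")
    val ugi = UserGroupInformation.getCurrentUser
    println(s"user=${ugi.getUserName} auth=${ugi.getAuthenticationMethod} " +
      s"hasKerberosCredentials=${ugi.hasKerberosCredentials}")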
Thanks

On 21 Nov 2016 5:32 p.m., "Abel Fernández" wrote:

> I have included the krb5.conf and the jaas.conf in the spark-submit and on
> all NodeManagers and drivers, but I am still having the same problem.
>
> I think the problem is in this piece of code: it executes a function on
> the executors, and for some reason the executors cannot get valid
> credentials.
>
> /**
>  * A simple enrichment of the traditional Spark RDD foreachPartition.
>  * This function differs from the original in that it offers the
>  * developer access to an already connected Connection object.
>  *
>  * Note: Do not close the Connection object. All Connection
>  * management is handled outside this method.
>  *
>  * @param rdd Original RDD with data to iterate over
>  * @param f   Function to be given an iterator to iterate through
>  *            the RDD values and a Connection object to interact
>  *            with HBase
>  */
> def foreachPartition[T](rdd: RDD[T],
>                         f: (Iterator[T], Connection) => Unit): Unit = {
>   rdd.foreachPartition(
>     it => hbaseForeachPartition(broadcastedConf, it, f))
> }
>
> The first thing hbaseForeachPartition tries to do is get the credentials,
> but I think this code is never executed:
>
> /**
>  * Underlying wrapper for all foreach functions in HBaseContext
>  */
> private def hbaseForeachPartition[T](
>     configBroadcast: Broadcast[SerializableWritable[Configuration]],
>     it: Iterator[T],
>     f: (Iterator[T], Connection) => Unit) = {
>
>   val config = getConf(configBroadcast)
>
>   applyCreds
>   // specify that this is a proxy user
>   val smartConn = HBaseConnectionCache.getConnection(config)
>   f(it, smartConn.connection)
>   smartConn.close()
> }
>
> This is the latest spark-submit I am using:
>
> #!/bin/bash
>
> SPARK_CONF_DIR=conf-hbase spark-submit --master yarn-cluster \
>   --executor-memory 6G \
>   --num-executors 10 \
>   --queue cards \
>   --executor-cores 4 \
>   --driver-java-options "-Dlog4j.configuration=file:log4j.properties" \
>   --driver-java-options "-Djava.security.krb5.conf=/etc/krb5.conf" \
>   --driver-java-options "-Djava.security.auth.login.config=/opt/company/conf/jaas.conf" \
>   --driver-class-path "$2" \
>   --jars file:/opt/company/lib/rocksdbjni-4.5.1.jar \
>   --conf "spark.driver.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
>   --conf "spark.executor.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
>   --principal hbase@COMPANY.CORP \
>   --keytab /opt/company/conf/hbase.keytab \
>   --files "owl.properties,conf-hbase/log4j.properties,conf-hbase/hbase-site.xml,conf-hbase/core-site.xml,$2" \
>   --class $1 \
>   cards-batch-$3-jar-with-dependencies.jar $2
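To narrow down where the credentials go missing, you could dump what each
executor actually holds just before the bulk load. An untested diagnostic
sketch (rdd here stands for whatever RDD you feed into
hbaseBulkLoadThinRows):

    import org.apache.hadoop.security.UserGroupInformation
    import scala.collection.JavaConverters._

    // Runs on the executors: print the effective user and every token held.
    // If no HBASE_AUTH_TOKEN (or HDFS_DELEGATION_TOKEN) shows up here, the
    // delegation tokens are never reaching the executors.
    rdd.foreachPartition { _ =>
      val ugi = UserGroupInformation.getCurrentUser
      println(s"executor user=${ugi.getUserName} auth=${ugi.getAuthenticationMethod}")
      ugi.getCredentials.getAllTokens.asScala.foreach { t =>
        println(s"token kind=${t.getKind} service=${t.getService}")
      }
    }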
>
> On Fri, 18 Nov 2016 at 16:37 Abel Fernández wrote:
>
> > No worries.
> >
> > This is the Spark version we are using: 1.5.0-cdh5.5.4
> >
> > I have to use HBaseContext; it is the first parameter of the method I am
> > using to generate the HFiles (HBaseRDDFunctions.hbaseBulkLoadThinRows).
> >
> > On Fri, 18 Nov 2016 at 16:06 Nkechi Achara wrote:
> >
> > Sorry, on my way to a flight.
> >
> > Read is required for a keytab to be permissioned properly, so that looks
> > fine in your case.
> >
> > I do not have my PC with me, but have you tried to use HBase without
> > using HBaseContext?
> >
> > Also, which version of Spark are you using?
> >
> > On 18 Nov 2016 16:01, "Abel Fernández" wrote:
> >
> > > Yep, the keytab is also on the driver, in the same location.
> > >
> > > -rw-r--r-- 1 hbase root 370 Nov 16 17:13 hbase.keytab
> > >
> > > Do you know what permissions the keytab should have?
> > >
> > > On Fri, 18 Nov 2016 at 14:19 Nkechi Achara wrote:
> > >
> > > > Sorry, just realised you had the submit command in the attached docs.
> > > >
> > > > Can I ask if the keytab is also on the driver, in the same location?
> > > >
> > > > The Spark option normally requires the keytab to be on the driver so
> > > > it can pick it up and pass it to YARN etc. to perform the Kerberos
> > > > operations.
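If the tokens genuinely never reach the executors, one blunt workaround I
have seen discussed (not pretty, and it means shipping the keytab to the
executors, so treat it as a last resort) is to log in from the keytab
inside the partition function itself. A rough sketch, assuming the keytab
was added to --files so it resolves by file name in the container working
directory:

    import java.security.PrivilegedExceptionAction
    import org.apache.hadoop.security.UserGroupInformation

    // Inside the function you pass to foreachPartition, i.e. on the executor.
    // "hbase.keytab" resolves relative to the container working directory
    // when the keytab is distributed with --files.
    val ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      "hbase@COMPANY.CORP", "hbase.keytab")
    ugi.doAs(new PrivilegedExceptionAction[Unit] {
      override def run(): Unit = {
        // open the HBase connection and do the writes here,
        // as the freshly logged-in user
      }
    })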
> > > >
> > > > On 18 Nov 2016 3:10 p.m., "Abel Fernández" wrote:
> > > >
> > > > > Hi Nkechi,
> > > > >
> > > > > Thanks for your early response.
> > > > >
> > > > > I am currently specifying the principal and the keytab in the
> > > > > spark-submit; the keytab is in the same location on every
> > > > > NodeManager.
> > > > >
> > > > > SPARK_CONF_DIR=conf-hbase spark-submit --master yarn-cluster \
> > > > >   --executor-memory 6G \
> > > > >   --num-executors 10 \
> > > > >   --queue cards \
> > > > >   --executor-cores 4 \
> > > > >   --driver-java-options "-Dlog4j.configuration=file:log4j.properties" \
> > > > >   --driver-class-path "$2" \
> > > > >   --jars file:/opt/orange/lib/rocksdbjni-4.5.1.jar \
> > > > >   --conf "spark.driver.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> > > > >   --conf "spark.executor.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar" \
> > > > >   --principal hbase@COMPANY.CORP \
> > > > >   --keytab /opt/company/conf/hbase.keytab \
> > > > >   --files "owl.properties,conf-hbase/log4j.properties,conf-hbase/hbase-site.xml,conf-hbase/core-site.xml,$2" \
> > > > >   --class $1 \
> > > > >   cards-batch-$3-jar-with-dependencies.jar $2
> > > > >
> > > > > On Fri, 18 Nov 2016 at 14:01 Nkechi Achara <nkachara@googlemail.com> wrote:
> > > > >
> > > > > > Can you use the principal and keytab options in spark-submit?
> > > > > > These should circumvent this issue.
> > > > > >
> > > > > > On 18 Nov 2016 1:01 p.m., "Abel Fernández" wrote:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > We are having problems with the delegation of the token in a
> > > > > > > secure cluster: "Delegation Token can be issued only with
> > > > > > > kerberos or web authentication".
> > > > > > >
> > > > > > > We have a Spark process which generates the HFiles to be loaded
> > > > > > > into HBase. To generate these HFiles (we are using a back-ported
> > > > > > > version of the latest hbase/spark code), we are using the method
> > > > > > > HBaseRDDFunctions.hbaseBulkLoadThinRows.
> > > > > > >
> > > > > > > I think the problem is in the piece of code below. This function
> > > > > > > is executed in every partition of the RDD; when the executors
> > > > > > > try to execute the code, they do not have a valid Kerberos
> > > > > > > credential and cannot execute anything.
> > > > > > >
> > > > > > > private def hbaseForeachPartition[T](
> > > > > > >     configBroadcast: Broadcast[SerializableWritable[Configuration]],
> > > > > > >     it: Iterator[T],
> > > > > > >     f: (Iterator[T], Connection) => Unit) = {
> > > > > > >
> > > > > > >   val config = getConf(configBroadcast)
> > > > > > >
> > > > > > >   applyCreds
> > > > > > >   // specify that this is a proxy user
> > > > > > >   val smartConn = HBaseConnectionCache.getConnection(config)
> > > > > > >   f(it, smartConn.connection)
> > > > > > >   smartConn.close()
> > > > > > > }
> > > > > > >
> > > > > > > I have attached the spark-submit and the complete error log
> > > > > > > trace. Has anyone faced this problem before?
> > > > > > >
> > > > > > > Thanks in advance.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Abel.
> > > > > > > --
> > > > > > > Un saludo - Best Regards.
> > > > > > > Abel
> > > > >
> > > > > --
> > > > > Un saludo - Best Regards.
> > > > > Abel
> > >
> > > --
> > > Un saludo - Best Regards.
> > > Abel
> >
> > --
> > Un saludo - Best Regards.
> > Abel
>
> --
> Un saludo - Best Regards.
> Abel
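PS: for what it is worth, my understanding of what the credentials plumbing
should be doing, as a paraphrase of the idea rather than the actual
hbase-spark implementation, is: serialize the driver's delegation tokens,
broadcast them, and re-apply them on each executor before any HBase or HDFS
call. Roughly:

    import java.io.{ByteArrayInputStream, ByteArrayOutputStream,
      DataInputStream, DataOutputStream}
    import org.apache.hadoop.security.{Credentials, UserGroupInformation}

    // Driver side: capture the current delegation tokens as bytes.
    // Credentials is a Hadoop Writable, so it serializes itself.
    def credentialsToBytes(): Array[Byte] = {
      val out = new ByteArrayOutputStream()
      UserGroupInformation.getCurrentUser.getCredentials
        .write(new DataOutputStream(out))
      out.toByteArray
    }

    // Executor side: restore the tokens onto the current UGI before any
    // HBase/HDFS call -- the effect applyCreds should be having.
    def applyCredentials(bytes: Array[Byte]): Unit = {
      val creds = new Credentials()
      creds.readFields(new DataInputStream(new ByteArrayInputStream(bytes)))
      UserGroupInformation.getCurrentUser.addCredentials(creds)
    }

If the driver has no tokens to serialize in the first place, for example
because the HBase jars that fetch the token are missing from the driver
classpath, then applyCreds would have nothing to apply, which would square
with the classpath theory.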