tez-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eugene Chung (Jira)" <j...@apache.org>
Subject [jira] [Updated] (TEZ-4205) Support RM delegation token
Date Sat, 09 Jan 2021 10:24:00 GMT

     [ https://issues.apache.org/jira/browse/TEZ-4205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eugene Chung updated TEZ-4205:
------------------------------
    Description: 
I have a requirement to get some information from YARN Resource Manager like [NodeReports|#getNodeReports-org.apache.hadoop.yarn.api.records.NodeState...-].

But on the kerberized cluster, I can't do it because of kerberos authentication failure. 
{code:java}
2020-05-26 14:29:03,044 [ERROR] [InputInitializer {Map 1} #0] |mapreduce.MyInputFormat|: getNodeReports
error 
java.io.IOException: DestHost:destPort my-rm-address:9050 , LocalHost:localPort my-node-address:0.
Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException:
Client cannot authenticate via:[TOKEN, KERBEROS]
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
 at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:831)
 at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:806)
 at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1495)
 at org.apache.hadoop.ipc.Client.call(Client.java:1437)
 at org.apache.hadoop.ipc.Client.call(Client.java:1347)
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
 at com.sun.proxy.$Proxy54.getClusterNodes(Unknown Source)
 at org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getClusterNodes(ApplicationClientProtocolPBClientImpl.java:319)
 at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
 at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
 at com.sun.proxy.$Proxy55.getClusterNodes(Unknown Source)
 at org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getNodeReports(YarnClientImpl.java:614)
 ...
 at com.naver.mapreduce.MyInputFormat.getSplits(MyInputFormat.java:537)
 ...
 at org.apache.hadoop.hive.ql.io.HiveInputFormat.addSplitsForGroup(HiveInputFormat.java:512)
 at org.apache.hadoop.hive.ql.io.HiveInputFormat.getSplits(HiveInputFormat.java:781)
 at org.apache.hadoop.hive.ql.exec.tez.HiveSplitGenerator.initialize(HiveSplitGenerator.java:243)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:278)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:269)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:269)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:253)
 at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:108)
 at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:41)
 at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client
cannot authenticate via:[TOKEN, KERBEROS]
 at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:755)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:718)
 at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:811)
 at org.apache.hadoop.ipc.Client$Connection.access$3500(Client.java:409)
 at org.apache.hadoop.ipc.Client.getConnection(Client.java:1552)
 at org.apache.hadoop.ipc.Client.call(Client.java:1383)
 ... 35 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN,
KERBEROS]
 at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173)
 at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390)
 at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:613)
 at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:409)
 at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798)
 at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:794)
 ... 38 more{code}
 

So I implemented the feature that generates RM delegation token at Tez client side like 
https://issues.apache.org/jira/browse/TEZ-4032.

I borrowed the main code fragment from here, slider [https://github.com/apache/incubator-retired-slider/blob/1d4f519d763210f46e327338be72efa99e65cb5d/slider-core/src/main/java/org/apache/slider/core/launch/CredentialUtils.java#L257-L269] which
considers RM single/HA case using RM delegation token service.

  was:
I have a requirement to get some information from YARN Resource Manager like [NodeReports|#getNodeReports-org.apache.hadoop.yarn.api.records.NodeState...-]].

But on the kerberized cluster, I can't do it because of kerberos authentication failure. 
{code:java}
2020-05-26 14:29:03,044 [ERROR] [InputInitializer {Map 1} #0] |mapreduce.MyInputFormat|: getNodeReports
error 
java.io.IOException: DestHost:destPort my-rm-address:9050 , LocalHost:localPort my-node-address:0.
Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException:
Client cannot authenticate via:[TOKEN, KERBEROS]
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
 at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:831)
 at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:806)
 at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1495)
 at org.apache.hadoop.ipc.Client.call(Client.java:1437)
 at org.apache.hadoop.ipc.Client.call(Client.java:1347)
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
 at com.sun.proxy.$Proxy54.getClusterNodes(Unknown Source)
 at org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getClusterNodes(ApplicationClientProtocolPBClientImpl.java:319)
 at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
 at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
 at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
 at com.sun.proxy.$Proxy55.getClusterNodes(Unknown Source)
 at org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getNodeReports(YarnClientImpl.java:614)
 ...
 at com.naver.mapreduce.MyInputFormat.getSplits(MyInputFormat.java:537)
 ...
 at org.apache.hadoop.hive.ql.io.HiveInputFormat.addSplitsForGroup(HiveInputFormat.java:512)
 at org.apache.hadoop.hive.ql.io.HiveInputFormat.getSplits(HiveInputFormat.java:781)
 at org.apache.hadoop.hive.ql.exec.tez.HiveSplitGenerator.initialize(HiveSplitGenerator.java:243)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:278)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:269)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:269)
 at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:253)
 at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:108)
 at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:41)
 at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client
cannot authenticate via:[TOKEN, KERBEROS]
 at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:755)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:718)
 at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:811)
 at org.apache.hadoop.ipc.Client$Connection.access$3500(Client.java:409)
 at org.apache.hadoop.ipc.Client.getConnection(Client.java:1552)
 at org.apache.hadoop.ipc.Client.call(Client.java:1383)
 ... 35 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN,
KERBEROS]
 at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173)
 at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390)
 at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:613)
 at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:409)
 at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798)
 at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:422)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
 at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:794)
 ... 38 more{code}
 

So I implemented the feature that generates RM delegation token at Tez client side like 
https://issues.apache.org/jira/browse/TEZ-4032.

I borrowed the main code fragment from here, slider [https://github.com/apache/incubator-retired-slider/blob/1d4f519d763210f46e327338be72efa99e65cb5d/slider-core/src/main/java/org/apache/slider/core/launch/CredentialUtils.java#L257-L269] which
considers RM single/HA case using RM delegation token service.


> Support RM delegation token
> ---------------------------
>
>                 Key: TEZ-4205
>                 URL: https://issues.apache.org/jira/browse/TEZ-4205
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Eugene Chung
>            Priority: Major
>         Attachments: TEZ-4205-0.9.2.patch, TEZ-4205.01.patch
>
>
> I have a requirement to get some information from YARN Resource Manager like [NodeReports|#getNodeReports-org.apache.hadoop.yarn.api.records.NodeState...-].
> But on the kerberized cluster, I can't do it because of kerberos authentication failure. 
> {code:java}
> 2020-05-26 14:29:03,044 [ERROR] [InputInitializer {Map 1} #0] |mapreduce.MyInputFormat|:
getNodeReports error 
> java.io.IOException: DestHost:destPort my-rm-address:9050 , LocalHost:localPort my-node-address:0.
Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException:
Client cannot authenticate via:[TOKEN, KERBEROS]
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>  at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:831)
>  at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:806)
>  at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1495)
>  at org.apache.hadoop.ipc.Client.call(Client.java:1437)
>  at org.apache.hadoop.ipc.Client.call(Client.java:1347)
>  at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
>  at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
>  at com.sun.proxy.$Proxy54.getClusterNodes(Unknown Source)
>  at org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getClusterNodes(ApplicationClientProtocolPBClientImpl.java:319)
>  at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at java.lang.reflect.Method.invoke(Method.java:498)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
>  at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
>  at com.sun.proxy.$Proxy55.getClusterNodes(Unknown Source)
>  at org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getNodeReports(YarnClientImpl.java:614)
>  ...
>  at com.naver.mapreduce.MyInputFormat.getSplits(MyInputFormat.java:537)
>  ...
>  at org.apache.hadoop.hive.ql.io.HiveInputFormat.addSplitsForGroup(HiveInputFormat.java:512)
>  at org.apache.hadoop.hive.ql.io.HiveInputFormat.getSplits(HiveInputFormat.java:781)
>  at org.apache.hadoop.hive.ql.exec.tez.HiveSplitGenerator.initialize(HiveSplitGenerator.java:243)
>  at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:278)
>  at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:269)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.Subject.doAs(Subject.java:422)
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
>  at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:269)
>  at org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:253)
>  at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:108)
>  at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:41)
>  at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77)
>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client
cannot authenticate via:[TOKEN, KERBEROS]
>  at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:755)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.Subject.doAs(Subject.java:422)
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
>  at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:718)
>  at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:811)
>  at org.apache.hadoop.ipc.Client$Connection.access$3500(Client.java:409)
>  at org.apache.hadoop.ipc.Client.getConnection(Client.java:1552)
>  at org.apache.hadoop.ipc.Client.call(Client.java:1383)
>  ... 35 more
> Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]
>  at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173)
>  at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390)
>  at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:613)
>  at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:409)
>  at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798)
>  at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.Subject.doAs(Subject.java:422)
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682)
>  at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:794)
>  ... 38 more{code}
>  
> So I implemented the feature that generates RM delegation token at Tez client side like 
https://issues.apache.org/jira/browse/TEZ-4032.
> I borrowed the main code fragment from here, slider [https://github.com/apache/incubator-retired-slider/blob/1d4f519d763210f46e327338be72efa99e65cb5d/slider-core/src/main/java/org/apache/slider/core/launch/CredentialUtils.java#L257-L269] which
considers RM single/HA case using RM delegation token service.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message