adoroszlai commented on code in PR #8531: URL: https://github.com/apache/ozone/pull/8531#discussion_r2120239536
########## hadoop-hdds/docs/content/integration/DistCp.md: ########## @@ -87,3 +87,78 @@ By specifying the appropriate checksum configuration or skipping the validation, When data resides in an HDFS encryption zone or Ozone encrypted buckets, the file checksum will not match. This is because the underlying block data differs due to the use of a new EDEK (Encryption Data Encryption Key) at the destination. In such cases, specify the `-skipcrccheck` parameter to avoid job failures. For more information about using Hadoop DistCp, consult the [DistCp Guide](https://hadoop.apache.org/docs/current/hadoop-distcp/DistCp.html). + +## Troubleshooting Common Issues + +### Delegation Token Issues +If a DistCp command fails and the error output contains "OzoneToken", indicating an issue with retrieving a delegation token from the destination (or source) Ozone cluster, ensure that Ozone's security is explicitly enabled in the client's Hadoop configuration. + +Add the following property to `core-site.xml` or `ozone-site.xml` on the node where you run the DistCp command: Review Comment: `ozone.security.enabled` is an Ozone configuration, should not be added in `core-site.xml`. ```suggestion Add the following property to `ozone-site.xml` on the node where you run the DistCp command: ``` ########## hadoop-hdds/docs/content/integration/DistCp.md: ########## @@ -87,3 +87,78 @@ By specifying the appropriate checksum configuration or skipping the validation, When data resides in an HDFS encryption zone or Ozone encrypted buckets, the file checksum will not match. This is because the underlying block data differs due to the use of a new EDEK (Encryption Data Encryption Key) at the destination. In such cases, specify the `-skipcrccheck` parameter to avoid job failures. For more information about using Hadoop DistCp, consult the [DistCp Guide](https://hadoop.apache.org/docs/current/hadoop-distcp/DistCp.html). + +## Troubleshooting Common Issues + +### Delegation Token Issues +If a DistCp command fails and the error output contains "OzoneToken", indicating an issue with retrieving a delegation token from the destination (or source) Ozone cluster, ensure that Ozone's security is explicitly enabled in the client's Hadoop configuration. Review Comment: ```suggestion If a DistCp command fails and the error output contains "OzoneToken", indicating an issue with retrieving a delegation token from the destination (or source) Ozone cluster, ensure that Ozone's security is explicitly enabled in the client's configuration. ``` ########## hadoop-hdds/docs/content/integration/DistCp.md: ########## @@ -87,3 +87,78 @@ By specifying the appropriate checksum configuration or skipping the validation, When data resides in an HDFS encryption zone or Ozone encrypted buckets, the file checksum will not match. This is because the underlying block data differs due to the use of a new EDEK (Encryption Data Encryption Key) at the destination. In such cases, specify the `-skipcrccheck` parameter to avoid job failures. For more information about using Hadoop DistCp, consult the [DistCp Guide](https://hadoop.apache.org/docs/current/hadoop-distcp/DistCp.html). + +## Troubleshooting Common Issues + +### Delegation Token Issues +If a DistCp command fails and the error output contains "OzoneToken", indicating an issue with retrieving a delegation token from the destination (or source) Ozone cluster, ensure that Ozone's security is explicitly enabled in the client's Hadoop configuration. + +Add the following property to `core-site.xml` or `ozone-site.xml` on the node where you run the DistCp command: + +```xml + <property> + <name>ozone.security.enabled</name> + <value>true</value> + </property> +``` + +This helps the client correctly engage in secure communication protocols with Ozone. + +### Cross-Realm Kerberos (Ozone 1.x) + +**Affected Versions:** Ozone 1.x + +When issuing DistCp commands (or other HDFS-compatible commands like `hdfs dfs -ls`) against an Ozone cluster in a different Kerberos realm than the client or source/destination cluster, Ozone 1.x versions may produce an error similar to: + + 24/02/07 18:47:36 INFO retry.RetryInvocationHandler: com.google.protobuf.ServiceException: java.io.IOException: DestHost:destPort ccycloud-1.weichiu-dst.root.comops.site:9862, LocalHost:localPort ccycloud-1.weichiu-src.local/10.140.99.144:0. Failed on local exception: java.io.IOException: Couldn't set up IO streams: java.lang.IllegalArgumentException: Server has invalid Kerberos principal: om/[email protected], expecting: OM/ccycloud-1.weichiu-dst.local@REALM, while invoking $Proxy10.submitRequest over nodeId=om26,nodeAddress=ccycloud-1.weichiu-dst.local:9862 after 3 failover attempts. Trying to failover immediately. Review Comment: Please redact hostname/IP information. (Also elsewhere in the patch.) ########## hadoop-hdds/docs/content/feature/Topology.md: ########## @@ -105,4 +105,4 @@ Finally the read path also should be configured to read the data from the closes ## References * Hadoop documentation about `net.topology.node.switch.mapping.impl`: https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/RackAwareness.html - * [Design doc]({{< ref "design/topology.md">}}) \ No newline at end of file + * [Design doc]({{< ref "design/topology.md">}}) Review Comment: Unrelated change, please omit. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
