Re: hbase/spark - Delegation Token can be issued only with kerberos or web authentication

Abel Fernández Fri, 18 Nov 2016 07:01:20 -0800

Yep, the keytab is also in the driver into the same location.

-rw-r--r-- 1 hbase root  370 Nov 16 17:13 hbase.keytab


Do you know what are the permissions that the keytab should have?



On Fri, 18 Nov 2016 at 14:19 Nkechi Achara <nkach...@googlemail.com> wrote:

> Sorry just realised you had the submit command in the attached docs.
>
> Can I ask if the keytab is also on the driver in the same location?
>
> The spark option normally requires the keytab to be on the driver so it can
> pick it up and pass it to yarn etc to perform the kerberos operations.
>
> On 18 Nov 2016 3:10 p.m., "Abel Fernández" <mevsmys...@gmail.com> wrote:
>
> > Hi Nkechi,
> >
> > Thank for your early response.
> >
> > I am currently specifying the principal and the keytab in the
> spark-submit,
> > the keytab is in the same location in every node manager.
> >
> > SPARK_CONF_DIR=conf-hbase spark-submit --master yarn-cluster \
> >   --executor-memory 6G \
> >   --num-executors 10 \
> >   --queue cards \
> >   --executor-cores 4 \
> >   --driver-java-options "-Dlog4j.configuration=file:log4j.properties" \
> >   --driver-class-path "$2" \
> >   --jars file:/opt/orange/lib/rocksdbjni-4.5.1.jar \
> >   --conf
> > "spark.driver.extraClassPath=/var/cloudera/parcels/CDH/lib/
> > hbase/lib/htrace-core-3.2.0-incubating.jar:/var/cloudera/
> > parcels/CDH/jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/
> > cloudera/parcels/CDH/jars/hbase-common-1.0.0-cdh5.5.4.
> > jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-client-1.
> > 0.0-cdh5.5.4.jar:/var/cloudera/parcels/CDH/lib/
> > hbase/lib/hbase-protocol-1.0.0-cdh5.5.4.jar:/opt/orange/
> > lib/rocksdbjni-4.5.1.jar:/var/cloudera/parcels/CLABS_
> > PHOENIX-4.5.2-1.clabs_phoenix1.2.0.p0.774/lib/
> > phoenix/lib/phoenix-core-1.2.0.jar:/var/cloudera/parcels/
> > CDH/jars/hadoop-mapreduce-client-core-2.6.0-cdh5.5.4.jar"
> > \
> >   --conf
> > "spark.executor.extraClassPath=/var/cloudera/parcels/CDH/lib/hbase/lib/
> > htrace-core-3.2.0-incubating.jar:/var/cloudera/parcels/CDH/
> > jars/hbase-server-1.0.0-cdh5.5.4.jar:/var/cloudera/parcels/
> > CDH/jars/hbase-common-1.0.0-cdh5.5.4.jar:/var/cloudera/
> > parcels/CDH/lib/hbase/lib/hbase-client-1.0.0-cdh5.5.4.
> > jar:/var/cloudera/parcels/CDH/lib/hbase/lib/hbase-protocol-
> > 1.0.0-cdh5.5.4.jar:/opt/orange/lib/rocksdbjni-4.5.1.
> > jar:/var/cloudera/parcels/CLABS_PHOENIX-4.5.2-1.clabs_
> > phoenix1.2.0.p0.774/lib/phoenix/lib/phoenix-core-1.2.
> > 0.jar:/var/cloudera/parcels/CDH/jars/hadoop-mapreduce-
> > client-core-2.6.0-cdh5.5.4.jar"\
> >   --principal hb...@company.corp \
> >   --keytab /opt/company/conf/hbase.keytab \
> >   --files
> > "owl.properties,conf-hbase/log4j.properties,conf-hbase/
> > hbase-site.xml,conf-hbase/core-site.xml,$2"
> > \
> >   --class $1 \
> >   cards-batch-$3-jar-with-dependencies.jar $2
> >
> > On Fri, 18 Nov 2016 at 14:01 Nkechi Achara <nkach...@googlemail.com>
> > wrote:
> >
> > > Can you use the principal and keytab options in Spark submit? These
> > should
> > > circumvent this issue.
> > >
> > > On 18 Nov 2016 1:01 p.m., "Abel Fernández" <mevsmys...@gmail.com>
> wrote:
> > >
> > > > Hello,
> > > >
> > > > We are having problems with the delegation of the token in a secure
> > > > cluster: Delegation Token can be issued only with kerberos or web
> > > > authentication
> > > >
> > > > We have a spark process which is generating the hfiles to be loaded
> > into
> > > > hbase. To generate these hfiles, (we are using a back-ported version
> of
> > > the
> > > > latest hbase/spark code), we are using this method HBaseRDDFunctions.
> > > > hbaseBulkLoadThinRows.
> > > >
> > > > I think the problem is in the below piece of code. This function is
> > > > executed in every partition of the rdd, when the executors are trying
> > to
> > > > execute the code, the executors do not have a valid kerberos
> credential
> > > and
> > > > cannot execute anything.
> > > >
> > > > private def hbaseForeachPartition[T](configBroadcast:
> > > >
> Broadcast[SerializableWritable[
> > > > Configuration]],
> > > >                                         it: Iterator[T],
> > > >                                         f: (Iterator[T], Connection)
> =>
> > > > Unit) = {
> > > >
> > > >     val config = getConf(configBroadcast)
> > > >
> > > >     applyCreds
> > > >     // specify that this is a proxy user
> > > >     val smartConn = HBaseConnectionCache.getConnection(config)
> > > >     f(it, smartConn.connection)
> > > >     smartConn.close()
> > > >   }
> > > >
> > > > I have attached the spark-submit and the complete error log trace.
> Has
> > > > anyone faced this problem before?
> > > >
> > > > Thanks in advance.
> > > >
> > > > Regards,
> > > > Abel.
> > > > --
> > > > Un saludo - Best Regards.
> > > > Abel
> > > >
> > >
> > --
> > Un saludo - Best Regards.
> > Abel
> >
>
-- 
Un saludo - Best Regards.
Abel

Re: hbase/spark - Delegation Token can be issued only with kerberos or web authentication

Reply via email to