Step-by-step guide

...

  1. Before doing the following setups, make sure the Groundplex is working fine.
  2. Install Kerberos packages on the Groundplex nodes.

    $ sudo yum install krb5-workstation krb5-libs krb5-auth-dialog


  3. Copy the file /etc/krb5.conf from one of the target cluster nodes to /etc/krb5.conf on each Groundplex node. 

  4. Install the JCE extension on each Groundplex node.
    1. Download the JCE extension zip file: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
    2. Copy the JCE extension zip file onto each Groundplex node and install the JCE extension with the following command. Restart the node after the installation.

      $ unzip -o -j -q jce_policy-8.zip -d /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/


    3. To check that the JCE extension was installed correctly, run the command below. The output should match the line shown after it:

      $ zipgrep CryptoAllPermission /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/local_policy.jar
      default_local.policy: permission javax.crypto.CryptoAllPermission;


  5. Generate the keytab file for the Kerberos user, put it on each Groundplex node, and give snapuser access to the keytab file.

    $ sudo cp /path/to/keytab/file /home/snapuser/<keytab_file_name>
    $ sudo chown snapuser:snapuser /home/snapuser/<keytab_file_name>
    $ sudo chmod 400 /home/snapuser/<keytab_file_name>


  6. To provide additional Hadoop configuration details to the JCC, pass them as a JCC configuration option. For more details on configuration, see the Configuration page. Update the global.properties file to add the following configuration option; the value set in jcc.jvm_options points to the HDFS configuration directory.

    jcc.jvm_options=-DHADOOP_CLIENT_CONF_DIR=<PATH_TO_HDFS_CONF_DIRECTORY>
    

    for example:

    jcc.jvm_options=-DHADOOP_CLIENT_CONF_DIR=/home/snapuser/remote-hadoop/conf


  7. To provide additional Hadoop Configuration details to the JCC from the UI, edit the Snapplex properties in Manager.

    Go to the Snapplex Node Properties. Under Global Properties, add a key named "jvm_options" with the value:

    -DHADOOP_CLIENT_CONF_DIR=<PATH_TO_HDFS_CONF_DIRECTORY>


    for example:

    -DHADOOP_CLIENT_CONF_DIR=/home/snapuser/remote-hadoop/conf
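
A preflight check for steps 5 to 7, as an added example (not SnapLogic tooling): it confirms the keytab has the expected owner and mode 400, and that the HADOOP_CLIENT_CONF_DIR named in global.properties exists. The function names are hypothetical, the expectation that the directory holds core-site.xml and hdfs-site.xml is an assumption, and GNU stat is required.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for a Groundplex node. All paths are passed in.

# check_keytab FILE OWNER: the keytab must be owned by OWNER with mode 400,
# matching the chown/chmod commands in step 5. Uses GNU stat (-c).
check_keytab() {
  local file="$1" owner="$2" mode actual_owner
  [ -f "$file" ] || { echo "FAIL keytab missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  actual_owner=$(stat -c '%U' "$file")
  if [ "$mode" != "400" ]; then
    echo "FAIL keytab mode is $mode, expected 400"; return 1
  fi
  if [ "$actual_owner" != "$owner" ]; then
    echo "FAIL keytab owner is $actual_owner, expected $owner"; return 1
  fi
  echo "OK keytab $file"
}

# check_hadoop_conf PROPS: jcc.jvm_options in PROPS must carry
# -DHADOOP_CLIENT_CONF_DIR=<dir>, and <dir> must exist and contain the
# client configuration files (assumed: core-site.xml and hdfs-site.xml).
check_hadoop_conf() {
  local props="$1" dir f
  dir=$(sed -n 's/^jcc\.jvm_options=.*-DHADOOP_CLIENT_CONF_DIR=\([^ ]*\).*$/\1/p' \
        "$props" | tail -n 1)
  [ -n "$dir" ] || { echo "FAIL HADOOP_CLIENT_CONF_DIR not set in $props"; return 1; }
  [ -d "$dir" ] || { echo "FAIL not a directory: $dir"; return 1; }
  for f in core-site.xml hdfs-site.xml; do
    [ -f "$dir/$f" ] || { echo "FAIL $dir/$f missing"; return 1; }
  done
  echo "OK Hadoop client conf $dir"
}

# Usage on a node (substitute the real keytab name and properties path):
#   check_keytab /home/snapuser/<keytab_file_name> snapuser
#   check_hadoop_conf /path/to/global.properties
```

A keytab readable by anyone other than its owner lets that user authenticate as the Kerberos principal, so a failed mode or owner check should be fixed before the node is put into service.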
    


Setting Up Edge Node with Kerberos Configurations on Groundplex Nodes

...


Symptom:

An attempt to access a Kerberos-enabled Hadoop Distributed File System (HDFS) on any cluster host fails with the error message "SIMPLE authentication is not enabled", even though all Kerberos parameters are configured correctly.

Error Message:

The following exception is displayed as the error message for HDFS Snaps with Kerberos authentication enabled.

java.util.concurrent.ExecutionException: java.io.IOException:
Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: 
Client cannot authenticate via:[TOKEN, KERBEROS];


Cause:

All hosts that participate in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time (known as clock skew). This requirement provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, client requests are rejected.

Resolution:

Maintaining synchronized clocks between the KDCs and Kerberos clients is important. Use the Network Time Protocol (NTP) software to synchronize them.



Symptom:

An attempt to access a Kerberos-enabled Hadoop Distributed File System (HDFS) on any cluster host fails with the error message "Server has invalid Kerberos principal:", even though all Kerberos parameters are configured correctly.

Error Message:

The following exception is displayed as the error message. 

Failed on local exception: java.io.IOException: 
java.lang.IllegalArgumentException: Server has invalid Kerberos principal: 
hdfs/cdhclusterqa-2-1.clouddev.snaplogic.com@CLOUDDEV.SNAPLOGIC.COM; 
Host Details : local host is: "<LOCALHOST>/127.0.0.1"; 
destination host is: "cdh2-1.devsnaplogic.com":8020;

Cause:

When Kerberos authentication is configured on the HDFS server, the following properties are added:


<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>

<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>


The special string _HOST in the properties is replaced at run-time by the fully-qualified domain name of the host machine where the daemon is running. This requires that reverse DNS is properly working on all the hosts configured this way.

Resolution:

One potential cause of this issue is that the host behind "_HOST" has multiple host names, and the hostname provided in the "Service Principal" field of the Snap Kerberos configuration does not match the hostname resolved on the NameNode or DataNode. The error message displays the server's service principal; make sure that the same service principal is provided in the Snap Kerberos configuration.

More details can be found at 

You can use the HadoopDNSResolver tool to verify the DNS Names. Details on the usage of the tool are provided in the same page.
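
The comparison described in the resolution, as an added example (not the HadoopDNSResolver tool and not SnapLogic code): it extracts the server's service principal and the destination host from the exception text and compares the principal with the configured one. The function names and the CONFIGURED value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the principal in the exception with the configured one.

# Exception text copied from the error message above.
PAGE_ERROR='Failed on local exception: java.io.IOException:
java.lang.IllegalArgumentException: Server has invalid Kerberos principal:
hdfs/cdhclusterqa-2-1.clouddev.snaplogic.com@CLOUDDEV.SNAPLOGIC.COM;
Host Details : local host is: "<LOCALHOST>/127.0.0.1";
destination host is: "cdh2-1.devsnaplogic.com":8020;'
# Constructed value standing in for the Snap's "Service Principal" setting.
CONFIGURED='hdfs/cdh2-1.devsnaplogic.com@CLOUDDEV.SNAPLOGIC.COM'

# The exception wraps across lines, so join them before matching.
flatten() { tr '\n' ' '; }

# Print the service principal the server presented.
principal_from_error() {
  flatten | sed -n \
    's/.*Server has invalid Kerberos principal:[[:space:]]*\([^;[:space:]]*\).*/\1/p'
}

# Print the host name the client tried to reach.
destination_from_error() {
  flatten | sed -n 's/.*destination host is:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# compare_principal ERROR_TEXT CONFIGURED_PRINCIPAL
# Returns 0 on match, 1 on mismatch, 2 if no principal is found in the text.
compare_principal() {
  local err="$1" configured="$2" server dest host
  server=$(printf '%s' "$err" | principal_from_error)
  dest=$(printf '%s' "$err" | destination_from_error)
  [ -n "$server" ] || { echo "no principal found in error text"; return 2; }
  host=${server#*/}; host=${host%@*}   # host part of service/host@REALM
  [ "$host" = "$dest" ] || echo "NOTE principal host $host differs from destination $dest"
  if [ "$server" = "$configured" ]; then
    echo "MATCH $server"
  else
    echo "MISMATCH server=$server configured=$configured"; return 1
  fi
}

compare_principal "$PAGE_ERROR" "$CONFIGURED" || true
```

With the values above, the host in the server's principal differs from the destination host the client used, which is the multiple-host-name situation the resolution describes.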

...


Symptom:

  • The HDFS Reader Snap times out while reading data, even though all credentials are provided correctly.
  • The HDFS Writer Snap times out while writing data, even though all credentials are provided correctly.


Error Message:

The following exception is displayed as the error message for the HDFS Writer Snap with Kerberos authentication enabled.

java.lang.Thread.State: WAITING
at java.lang.Object.wait(Object.java:-1)
at org.apache.hadoop.hdfs.DFSOutputStream.waitForAckedSeqno(DFSOutputStream.java:2119)
at org.apache.hadoop.hdfs.DFSOutputStream.flushInternal(DFSOutputStream.java:2101)
at org.apache.hadoop.hdfs.DFSOutputStream.closeImpl(DFSOutputStream.java:2232)
- locked <0x2fca> (a org.apache.hadoop.hdfs.DFSOutputStream)
at org.apache.hadoop.hdfs.DFSOutputStream.close(DFSOutputStream.java:2204)
at org.apache.hadoop.fs.FSDataOutputStream$PositionCache.close(FSDataOutputStream.java:72)
at org.apache.hadoop.fs.FSDataOutputStream.close(FSDataOutputStream.java:106)
at java.io.FilterOutputStream.close(FilterOutputStream.java:159)

Cause:

This can be caused by the following reasons. 

  • Data Node not responding to the Groundplex requests 
  • Security or Firewall settings are blocking the access from the Groundplex to the Ports on DataNode


Resolution:

The edge node on which the Groundplex is running should be able to access all the standard Hadoop ports. Here are the Hadoop default ports for various distributions.