
Re: Hiveserver2 HA using haproxy load balancing

java.security.cert.CertificateException: No subject alternative DNS name matching abc found. 

 

Hi,

 

This error is important to note, as it would appear to mean that a certificate is now available to the client. The balancing algorithm really has no bearing on this particular issue and you must address this issue. By RFC standard, if you use Subject Alt Names (SAN) and a CN, the very first entry in the DNS Alt Name field must be the CN of the certificate. The error tells us that abc is not the first entry in DNS Alt Names (SAN).

 

You need to review the CN and Subject/DNS Alt Names on your certificates in use by Hiveserver 2.

Senior Customer Operations Engineer | Security SME | Cloudera, Inc.
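
The check behind the error above, as an added example (not code from this thread or from the JDK): a TLS client compares the hostname it dialled with the certificate's SAN DNS entries, and consults the CN only when the certificate has no SAN DNS entries at all (RFC 2818). The host names are constructed, and the wildcard rule is a deliberately strict simplification.

```python
def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against the hostname the client dialled."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the whole left-most label, e.g. "*.example.com".
    if p_labels[0] == "*" and len(p_labels) > 2:
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_hostname(hostname, subject_cn, san_dns):
    """Return (ok, reason). When SAN DNS entries exist, the CN is never consulted."""
    if san_dns:
        if any(dns_name_matches(name, hostname) for name in san_dns):
            return True, "matched a SAN DNS entry"
        return False, f"No subject alternative DNS name matching {hostname} found."
    if subject_cn and dns_name_matches(subject_cn, hostname):
        return True, "matched the CN (certificate has no SAN DNS entries)"
    return False, f"no name in the certificate matches {hostname}"


# Constructed scenario: clients dial the balancer, but the backend's certificate
# is the one they receive when HAProxy forwards the TCP stream untouched.
BALANCER = "hs2-lb.example.com"
BACKEND = "hs2-1.example.com"

if __name__ == "__main__":
    # Certificate issued for the backend host only: fails for the balancer name.
    print(verify_hostname(BALANCER, BACKEND, [BACKEND]))
    # Putting the balancer name in the CN does not help while SAN entries exist.
    print(verify_hostname(BALANCER, BALANCER, [BACKEND]))
    # Reissued with both names in the SAN: valid directly and through the balancer.
    print(verify_hostname(BALANCER, BACKEND, [BACKEND, BALANCER]))
    print(verify_hostname(BACKEND, BACKEND, [BACKEND, BALANCER]))
```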

Re: Hiveserver2 HA using haproxy load balancing

@bgooley

 

As suggested, I checked the SAN and recreated the certificate with a SAN name defined in it containing the hostname of the haproxy server.

 

Checked and verified: haproxy forwarded the requests to both hiveserver2 instances, verified through logs.

 

Few questions:

 

1. What are the different types of balance algorithm in haproxy, like the one mentioned below?

balance source

 

2. What is the difference between source, leastconn, roundrobin, etc.?

 

- Vijay M


Re: Hiveserver2 HA using haproxy load balancing

@bgooley

 

After setting up Hiveserver2 HA and Impala using haproxy:

 

1. Does any configuration need to be done in Hue?

2. While connecting to Hive and Impala through Hue, is any additional configuration in haproxy required?

 

- Vijay M


Re: Hiveserver2 HA using haproxy load balancing

@VijayM,

 

The way that Hue is designed, it needs to know that an impala connection it has open (where it executed a query on a coordinator) will connect to the same coordinator.  This is because Hue needs to pull information regarding the query for display.  This means that the balancer in between Hue and Impala needs to use IP persistence.  Also, to avoid intermittent session errors with impala, it is recommended that the timeout at the HAProxy side be increased to a long time so that connections are not timed out.

 

No configuration in Hue is required.  Just make sure that Hue knows to connect to the right server/port (Impala Load Balancer (HAProxy)) in its config.  Here is an example of a configuration that has 3 ports:

  • one for impala-shell
  • one for JDBC-based applications
  • one for Hue

Since Hue has some specific needs that may not be required for other applications, this makes sense.

Here is an example config that does pass-through TLS. 

NOTE:  I don't think the ssl stuff is necessary for pass-through since the packets should be passed to the backend servers without TLS negotiation, so you can probably ignore that.

 

NOTE2:  Currently it is not possible to have true load balancing for Hue connections to Impala, but we are working on it and have some code that could change that.  For now, you can achieve failover for the Hue connections, but not real balancing of connections.

 

# For impala-shell users on port 21000.
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend impala_front
    bind *:21000 ssl crt /opt/cloudera/security/x509/certkeynopw.pem
    mode tcp
    option tcplog
    default_backend impala-shell

#---------------------------------------------------------------------
# least-connection balancing between the various backends
#---------------------------------------------------------------------
backend impala-shell
    balance leastconn
    mode tcp
    server impalad1 impalad-1.example.com:21000 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad2 impalad-2.example.com:21000 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad3 impalad-3.example.com:21000 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem


# For JDBC or ODBC version 2.x driver, use port 21050 instead of 21000.
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend impala_jdbc_front
    bind *:21050 ssl crt /opt/cloudera/security/x509/certkeynopw.pem
    mode tcp
    option tcplog
    default_backend impala-jdbc

#---------------------------------------------------------------------
# least-connection balancing between the various backends
#---------------------------------------------------------------------
backend impala-jdbc
    balance leastconn
    mode tcp
    server impalad1 impalad-1.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad2 impalad-2.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad3 impalad-3.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem


# Setup for Hue or other JDBC-enabled applications.
# In particular, Hue requires SOURCE IP PERSISTENCE
# The application connects to load_balancer_host:21051, and HAProxy balances
# connections to the associated hosts, where Impala listens for JDBC
# requests on port 21050.
# Notice the timeouts below that do not exist in the other configs
# these are to stop the connections from being killed even though
# hue is using them
# "timeout client" belongs to the frontend and "timeout server" to the
# backend; HAProxy ignores "timeout server" in a frontend section.
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend impalajdbc_front
    bind *:21051 ssl crt /opt/cloudera/security/x509/certkeynopw.pem
    mode tcp
    option tcplog
    timeout client 720m
    default_backend impala-hue

#---------------------------------------------------------------------
# source balancing between the various backends
#---------------------------------------------------------------------
backend impala-hue
    balance source
    mode tcp
    timeout server 720m
    server impalad1 impalad-1.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad2 impalad-2.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
    server impalad3 impalad-3.example.com:21050 check ssl ca-file /opt/cloudera/security/truststore/ca-truststore.pem
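
A simplified model of the three `balance` algorithms discussed in this thread, as an added example (not code from the thread or from HAProxy), showing why the Hue listener uses `balance source` and why a single Hue host gets failover rather than spreading. Assumptions: equal server weights, SHA-256 standing in for HAProxy's own hash, and a constructed Hue IP address.

```python
import hashlib
from collections import Counter

SERVERS = ["impalad1", "impalad2", "impalad3"]  # server names from the config above
HUE_IP = "10.0.0.5"                             # constructed address of the Hue host


def pick_source(client_ip, up):
    """balance source: hash the client IP over the servers that are currently up."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return up[int.from_bytes(digest[:4], "big") % len(up)]


def pick_leastconn(active, up):
    """balance leastconn: the server holding the fewest open connections."""
    return min(up, key=lambda server: active[server])


def simulate(algorithm, client_ips, up=SERVERS):
    """Open one long-lived connection per client IP; return the server chosen for each."""
    active = Counter()
    chosen = []
    for i, ip in enumerate(client_ips):
        if algorithm == "source":
            server = pick_source(ip, up)
        elif algorithm == "leastconn":
            server = pick_leastconn(active, up)
        elif algorithm == "roundrobin":
            server = up[i % len(up)]
        else:
            raise ValueError(f"unknown algorithm: {algorithm}")
        active[server] += 1
        chosen.append(server)
    return chosen


if __name__ == "__main__":
    for algo in ("roundrobin", "leastconn", "source"):
        # Six connections, all from the one Hue host.
        print(algo, simulate(algo, [HUE_IP] * 6))
    # Failover: the pinned coordinator goes down, Hue is re-pinned to another one.
    pinned = pick_source(HUE_IP, SERVERS)
    survivors = [s for s in SERVERS if s != pinned]
    print("after failure of", pinned, "->", pick_source(HUE_IP, survivors))
```

With `source`, every connection from the Hue host reaches the same coordinator, so a follow-up request about a query finds it; the other two algorithms scatter those connections across all three.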


Re: Hiveserver2 HA using haproxy load balancing

@VijayM,

 

Oh, and the same rules apply to Hive as well.  Forgot to add that.
