Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Horotonworks Data Cloud error autoscaling token expired

Labels:
avatar
author-rank Carolyn author-rank
Guru

Created ‎04-29-2017 04:06 PM

I am provisioning a cluster using version 1.14.0 of Hortonworks Data Cloud. The Autoscaling status slider is in the off position, but cluster provisioning fails with the following error on the auto scaling token:

Infrastructure creation failed. Reason: com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonAutoScaling; Status Code: 403; Error Code: ExpiredToken; Request ID: cf2aebb0-2cec-11e7-8985-4100dda4669c)

The autoscaling tab on the failed cluster in the cloud controller, shows the cluster trying to autoscale to 3 nodes:

7,155 Views
1 ACCEPTED SOLUTION

avatar
author-rank Dominika author-rank
Guru

Created on ‎05-01-2017 06:25 PM - edited ‎08-17-2019 08:08 PM

In case this helps, back in March I got this error when using HDP 2.5 EDW-ETL in us-east.

In my case, for some reason the infrastructure creation took too long (1 hour instead of 5 minutes) and the security token expired during that time.

In addition to what Jeff said, it may help to check the CloudFormation UI on the AWS console, find your stack and post the data from the “Events” and “Resources” tabs.

14971-unknown.png

View solution in original post

6,656 Views
25 REPLIES 25

avatar
author-rank dletendre
Explorer

Created ‎05-02-2017 09:39 PM

Thanks @Dominika Bialek I'm using 1.14.1. Unfortunately I'm stuck in US east since all our other infra is there.

3,629 Views
0 Kudos

avatar
author-rank Dominika author-rank
Guru

Created ‎05-02-2017 09:46 PM

Oh 😞 The last thing that I can think of is that this is related to the instance type so you could try using a different type than default.

@Marton Sereg @Attila Kanto I can reproduce this error. I don't see anything unusual in the CloudFormation console (It showed AutoScaling group creation in progress). Could you recommend which cloudbreak log to access and what to look for? I accessed /var/lib/cloudbreak-deployment/cbreak.log on the cloud controller instance but wasn't sure what to look for. Here is what I found:

/cbreak_identity_1 | [2017-05-02 20:09:45.851] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, source=credentials} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.852] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeApiRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=code, client_id=} and headers {Authorization=[bearer ]}
/cbreak_identity_1 | [2017-05-02 20:09:45.853] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [xOauthCallbackRequestMatcher] Checking match of request : '/check_token'; '/login/callback' with parameters={code=} and headers {}
/cbreak_identity_1 | [2017-05-02 20:09:45.853] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, credentials={} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.851] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthenticateRequestMatcher] Checking match of request : '/check_token'; '/authenticate' with parameters={} and headers {Authorization=[bearer ], accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.854] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={source=login} and headers {accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.855] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginTokenRequestMatcher] Checking match of request : '/check_token'; '/oauth/token' with parameters={source=login, grant_type=password, add_new=} and headers {Authorization=[bearer ], accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.855] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [loginAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={login={} and headers {accept=[application/json]}
/cbreak_identity_1 | [2017-05-02 20:09:45.856] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [passcodeTokenMatcher] Checking match of request : '/check_token'; '/oauth/token' with parameters={grant_type=password, passcode=} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.856] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, source=credentials} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.857] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeApiRequestMatcher] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=code, client_id=} and headers {Authorization=[bearer ]}
/cbreak_identity_1 | [2017-05-02 20:09:45.857] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [xOauthCallbackRequestMatcher] Checking match of request : '/check_token'; '/login/callback' with parameters={code=} and headers {}
/cbreak_identity_1 | [2017-05-02 20:09:45.858] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- UaaRequestMatcher: [oauthAuthorizeRequestMatcherOld] Checking match of request : '/check_token'; '/oauth/authorize' with parameters={response_type=token, credentials={} and headers {accept=[application/json, application/x-www-form-urlencoded]}
/cbreak_identity_1 | [2017-05-02 20:09:45.860] cloudfoundry-identity-server - ???? [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
/cbreak_identity_1 | [2017-05-02 20:09:45.861] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
/cbreak_identity_1 | [2017-05-02 20:09:45.862] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/check_token response_type:null
/cbreak_identity_1 | [2017-05-02 20:09:45.862] cloudfoundry-identity-server - ???? [http-nio-8080-exec-9] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/check_token response_type:null
3,629 Views
0 Kudos

avatar
author-rank dletendre
Explorer

Created ‎05-03-2017 12:51 AM

Thanks @Dominika Bialek For some reason I can't post questions in the Data Cloud track even though we've been an HDP customer with an AWS cluster running since last Nov. Is there anything I can do to help figure out why this is happening?

3,629 Views
0 Kudos

avatar
author-rank Dominika author-rank
Guru

Created ‎05-03-2017 02:59 AM

Hi @DL Did you follow the instructions at http://docs.hortonworks.com/HDPDocuments/HDCloudAWS/HDCloudAWS-1.14.1/bk_hdcloud-aws/content/gethelp... to sign up for the Hortonworks Data Cloud track? If not, you need to do that first. If yes, then maybe we can create a separate question about this.

3,629 Views
0 Kudos

avatar
author-rank dletendre
Explorer

Created ‎05-03-2017 04:03 AM

@Dominika BialekI did but it said I already had an account with my work email and wouldn't let me do anything. Do I have to somehow delete this account and start all over?

3,629 Views
0 Kudos

avatar
author-rank Dominika author-rank
Guru

Created ‎05-03-2017 02:42 PM

@jeff @Julia Ostrowski Can you help?

3,629 Views
0 Kudos

avatar
author-rank msereg
Rising Star

Created ‎05-03-2017 03:37 PM

@cduby @DL

If you're using spot instances, can you try to increase the bid price, or without spot instances first?

I can see on the screenshots that infrastructure creation is taking more than an hour (it should be around 5 mins with on-demand instances, and a few mins more with spot priced instances). You can try to check the spot requests page and see if there are any messages there, like "request is pending".

So the main problem is that infra creation is taking too much time and that's why the temporary credentials used by HDC are expired - it is still a bug because spot instance requests can sometimes take more than an hour to fulfill and HDC should be able to handle that.

But for now as a workaround you should find out what is taking too long (my guess is spot requests), and change the cluster configuration according to that - different instance types, bid price, etc..

3,629 Views
0 Kudos

avatar
author-rank dletendre
Explorer

Created ‎05-03-2017 04:01 PM

I have spot instances unchecked so it shouldn't be using them at all, but it seems to be. I also tried to add a worker late last night and no luck (same timeout after an hour). I terminated the cluster (for the third time). Will try again and take screenshots

3,629 Views
0 Kudos

avatar
author-rank dletendre
Explorer

Created ‎05-03-2017 04:08 PM

Trying now. Spot is unchecked, autoscaling unchecked, here is the json:

{ "ClusterName": "cluster-6", "HDPVersion": "2.6", "ClusterType": "EDW-ETL: Apache Hive 1.2.1, Apache Spark 2.1", "Master": { "InstanceType": "r3.xlarge", "VolumeType": "ephemeral", "VolumeSize": 80, "VolumeCount": 1 }, "Worker": { "InstanceType": "r3.xlarge", "VolumeType": "gp2", "VolumeSize": 500, "VolumeCount": 1, "InstanceCount": 4, "RecoveryMode": "AUTO" }, "Compute": { "InstanceType": "m3.xlarge", "VolumeType": "ephemeral", "VolumeSize": 40, "VolumeCount": 2, "InstanceCount": 0, "RecoveryMode": "AUTO" }, "SSHKeyName": "xxx-pem", "RemoteAccess": "x.x.x.x/32", "WebAccess": true, "HiveJDBCAccess": true, "ClusterComponentAccess": true, "ClusterAndAmbariUser": "admin", "ClusterAndAmbariPassword": "", "Tags": {}, "Autoscaling": { "Configurations": { "CooldownTime": 30, "ClusterMinSize": 3, "ClusterMaxSize": 100 } }, "InstanceRole": "CREATE" }
3,629 Views
0 Kudos

avatar
author-rank Carolyn author-rank
Guru

Created ‎05-03-2017 04:45 PM

@Marton Sereg I was not using spot instances but perhaps the setting is not read properly?

3,629 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements