Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Is it possible run Spark in local mode against a kerberized cluster

Labels:
avatar
author-rank marcus_aidley
Contributor

Created ‎06-16-2017 09:33 AM

We've recently kerberized our HDFS development cluster. Before we did this we could run Spark jobs using spark.master=local from an IDE to test new code to allow debugging before deploying the code to the cluster and running in yarn mode.

Since kerberizing the cluster I've not been able to find a way run spark jobs in local mode. We get the following error:

org.apache.hadoop.security.AccessControlException: SIMPLE authentication is not enabled. Available:[TOKEN, KERBEROS]

Everything works fine if we deploy the code and run in yarn mode, but this slows down development cycles.

I've tried passing through the hdfs config files and setting "hadoop.security.authentication"="kerberos" and looked on the internet but have not found definitive answer as to whether I can run a Spark job in local mode against a kerberized cluster.

3,656 Views
0 Kudos
7 REPLIES 7

avatar
author-rank gnovak author-rank
Expert Contributor

Created ‎06-19-2017 06:51 AM

@Marcus Aidley

You can run Spark in local mode against a kerberized cluster.

Here are some configuration values to check:

  • In spark-defaults.conf (in an HDP cluster: /etc/spark/conf/spark-defaults.conf);
    • spark.history.kerberos.enabled true
    • spark.history.kerberos.keytab /your/path/to/spark.headless.keytab
    • spark.history.kerberos.principal your-principal@YOUR.DOMAIN
  • In spark-env.sh make sure you have
    • export HADOOP_CONF_DIR=/your/path/to/hadoop/conf
  • In core-site.xml
    • hadoop.security.authentication: kerberos
2,769 Views
0 Kudos

avatar
author-rank ashish_kumarsin
Explorer

Created ‎12-05-2017 10:32 AM

Hi @gnovak, @Marcus Aidley,

Could you please explain if you were able to solve this issue?

I am facing the same issue even after performing the recommended steps provided by @gnovak

2,769 Views
0 Kudos

avatar
author-rank marcus_aidley
Contributor

Created ‎12-07-2017 10:34 AM

We have this working now. When running in local mode we invoke the following method loginKerb, before creating the SparkSession:

import org.apache.hadoop.security.UserGroupInformation;

import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;


public class LoginKerb {

    public static void loginKerb() throws LoginException, IOException {
        LoginContext lc = kinit();
        UserGroupInformation.loginUserFromSubject(lc.getSubject());
    }
    private static LoginContext kinit() throws LoginException {
        LoginContext lc = new LoginContext(LoginKerb.class.getSimpleName(), callbacks -> {
            for(Callback c : callbacks){
                if(c instanceof NameCallback)
                    ((NameCallback) c).setName(System.getProperty("kerberos.user"));
                if(c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword(System.getProperty("kerberos.password").toCharArray());
            }
        });
        lc.login();
        return lc;
    }
}
2,769 Views
0 Kudos

avatar
author-rank ashish_kumarsin
Explorer

Created ‎12-07-2017 11:14 AM

@Marcus Aidley Thanks for your quick response. Could you please provide me full implementation of LoginKerb class if possible? Is kerberos.user referring to principal name or just the user?

Stacktrace with loginKerb so far :-

javax.security.auth.login.LoginException: No LoginModules configured for KerberosUtil at javax.security.auth.login.LoginContext.init(LoginContext.java:264) at javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)

2,769 Views
0 Kudos

avatar
author-rank marcus_aidley
Contributor

Created ‎12-07-2017 11:29 AM

I've updated the code snippet. And yes kerberos.user is the principal.

2,769 Views
0 Kudos

avatar
author-rank ashish_kumarsin
Explorer

Created ‎12-07-2017 11:42 AM

Hi @Marcus Aidley,

I am getting the exception added below. Do you use any JAAS conf in VM arguments?

javax.security.auth.login.LoginException: No LoginModules configured for LoginKerb at javax.security.auth.login.LoginContext.init(LoginContext.java:264) at javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)

2,769 Views
0 Kudos

avatar
author-rank marcus_aidley
Contributor

Created ‎12-07-2017 12:07 PM

Yes you'll need a jaas.conf on your path looking something like the following and we also have a krb5.conf on the path.

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=""
    useKeyTab=true
    keyTab=""
    storeKey=true;
};

LoginKerb {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
2,769 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements