Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Running distcp between two cluster: One Kerberized and the other is not

avatar
author-rank dstreev author-rank
Guru

Created ‎09-25-2015 05:58 PM

hadoop distcp -i -log /tmp/ hdfs://xxx:8020/apps/yyyy hdfs://xxx_cid/tmp/

In this case the "xxx" is the "un-secure" cluster, while "xxx_cid" in the secure cluster.

We are launching the job from the Kerberos cluster, with the appropriate kinit for the user and getting the following error:

java.io.IOException: Failed on local exception: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.; Host Details : local host is: "xxx/10.x.x.x"; destination host is: "xxx":8020;

...

Caused by: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.

I thought by launching the job from the secure cluster, that we could avoid any access issues. But it appears that the processes are kicked off from the "source" cluster. In this case, that's the insecure cluster.

Idea's on getting around this?

29,558 Views
1 ACCEPTED SOLUTION

avatar
author-rank cnauroth
Guru

Created ‎11-18-2015 10:25 PM

I recommend not setting this in core-site.xml, and instead setting it on the command line invocation specifically for the DistCp command that needs to communicate with the unsecured cluster. Setting it in core-site.xml means that all RPC connections for any application are eligible for fallback to simple authentication. This potentially expands the attack surface for man-in-the-middle attacks.

Here is an example of overriding the setting on the command line while running DistCp:

hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo

The command must be run while logged into the secured cluster, not the unsecured cluster.

View solution in original post

16,774 Views
17 REPLIES 17

avatar
author-rank stevel author-rank
Guru

Created ‎09-26-2015 10:28 AM

sounds like the distcp process is running secure, but is configured to not like simple connections.

try setting the config option

ipc.client.fallback-to-simple-auth-allowed=true
15,432 Views

avatar
author-rank pardeep_kumar
Guru

Created ‎09-29-2015 10:20 AM

@dstreever@hortonworks.com To use Distcp for copying between a secure cluster and an insecure one, add the following to the HDFS core-default.xml, by using Ambari. 

<property>
  <name>ipc.client.fallback-to-simple-auth-allowed</name>
  <value>true</value> 
</property>
15,432 Views

avatar
author-rank jkiran2020
Explorer

Created ‎03-27-2018 11:23 PM

Adding this property in core-site.xml helped resolve the error.

15,432 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎11-04-2015 04:09 PM

@Pardeep Nice find! Link

When copying data from a secure cluster to a secure cluster, the following configuration setting is required in the core-site.xml file:

<property>
    <name>hadoop.security.auth_to_local</name>
    <value></value>
    <description>Maps kerberos principals to local user names</description>
</property>
15,432 Views
0 Kudos

avatar
author-rank cnauroth
Guru

Created ‎11-18-2015 10:25 PM

I recommend not setting this in core-site.xml, and instead setting it on the command line invocation specifically for the DistCp command that needs to communicate with the unsecured cluster. Setting it in core-site.xml means that all RPC connections for any application are eligible for fallback to simple authentication. This potentially expands the attack surface for man-in-the-middle attacks.

Here is an example of overriding the setting on the command line while running DistCp:

hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo

The command must be run while logged into the secured cluster, not the unsecured cluster.

16,775 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎11-21-2015 02:46 PM

@Chris Nauroth Thanks for sharing this. Could you update the answer with more details? I believe this is the best answer if you can add more details.

15,432 Views
0 Kudos

avatar
author-rank cnauroth
Guru

Created ‎11-23-2015 09:49 PM

@Neeraj Sabharwal, thank you. I updated the answer to show an example of overriding the property from the DistCp command line.

15,432 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎11-23-2015 11:37 PM

Thanks @Chris Nauroth

15,433 Views
0 Kudos

avatar
author-rank hari_prsd14
Explorer

Created ‎03-16-2016 04:36 PM 

  1. getting below error after running the command "hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo"
  2. java.io.EOFException:End of FileException between local host is***; destination host is:***;
  3. please suggest

					
				
			
			
				
			
			
			
			
			
			
			
		

		
		
	

	
	


	
				
		
			
					
			
		
				
		
	
	


		

	

		

			

	
		
			
					
		
			
		
	
				
		
			
					
		
	
				
		
			
					
				
		
			
					
				
		
			
					
				
		
			
		
			
		
			
					
		
	
				
		
			
					
		
	
				
		
	
	

	
		

			
		
			
					

    15,433 Views


				
		
			
					

	
			

				
		
			
		
			
				

					
						
	
			0
		

	Kudos

					
				

			
			
		

	
		
    	
		

			
				
					
				
				
			
		

	
    
			

		

	

	

	

    

	

	


				
		
			
					
		
	
				
		
			
					
		
	
				
		
	
		

	
	

	
		
			
					
		
	
				
		
			
		
	
	


		

	



		

	

	

	



        

      


			
		
    
            

                

            

        

	
		

		
	

	

	



		
		
	


	

	
		

			

	
				
			


		

	




			
				


	
			
				

					
						

							
		

			

	
			
				
					
				
				
			
		


		

	
							

								
								
							

							

								

	
									
								


							

						

					
				

			
		
	


			
		

	

	

				
		
		
			
		
	
	


		

			

	
		
			
  
  


		
			    

        

            Announcements
        

            

                

                    What's New @ Cloudera
                

                

                    [RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
                

            

            

                

                    What's New @ Cloudera
                

                

                    Cloudera Data Engineering 1.23: Access Spark from Your Favor...
                

            

            

                

                    What's New @ Cloudera
                

                

                    HBase REST server scaling support is Generally Available
                

            

            

                

                    What's New @ Cloudera
                

                

                    New CLI option in the update-database command
                

            

            

                

                    What's New @ Cloudera
                

                

                    New Action menu item in the Cloudera Operational Database UI
                

            

        

            View More Announcements