About stevel

stevel · ‎03-14-2016

use the slider kill-container command; it's how we test slider apps resilience to failure. There's also a built in chaos-monkey in slider; you can configure the AM to randomly kill containers (and/or its own). See Configuring the Chaos Monkey

stevel · ‎03-14-2016

@Steven Hirsch -let me look at this 1. Which version of HDP, OS, etc? 2. are there any logs in the spark history server? 3. If you restart the spark history server, do the jobs come up as incomplete? The spark history server in spark <= 1.6 doesn't detects updates to incomplete jobs once they've been clicked on and loaded (SPARK-7889; will be fixed in Spark 2), but the UI listing complete/incomplete apps should work. If the Yarn history server is used as the back end for spark histories, then the code there will check with YARN to see if the application is still running. If the filesystem-based log mechanism is used, then the spark history server code doesn't ask yarn about application state. Instead it just plays back the file until it gets to the end: if there isn't a logged "application ended" event there, it will languish as "incomplete" forever

stevel · ‎03-03-2016

Well, this is "interesting". I think it's that specific realmless principal, "HTTP/sandbox.hortonworks.com@"; you don't have a TGT ticket for that empty realm, so fail. I've heard of this before https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/terrors.html Follow the instructions there; if it makes it go away, then it's a sign that the krb5 in the sandbox needs fixing If you use kdestroy to delete the HTTP/sandbox.hortonworks.com@ ticket, what does that do? download Kdiag and give it a run before and after the curl call: https://github.com/steveloughran/kdiag . `export HADOOP_JAAS_DEBUG=true` for extra info; grab stdout and stderr into a single file, and attach. what does your /etc/krb5.conf say? Mine explicitly set dns_lookup_realm = false and dns_lookup_kdc = false set the env vars and JVM properties covered in troubleshooting, see what's being negotiated. https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md

stevel · ‎02-16-2016

note that even when running as OS user "yarn", an environment variable, "HADOOP_USER_NAME" passes the name of the account submitting the work into that process, which is then picked up by the HDFS client: the code should be able to work with HDFS directories as the submitter, with the same permissions and things. That is, as you may have guessed, completely insecure and open to abuse —for that you need to make the leap to Kerberos, I'm afraid.

stevel · ‎02-06-2016

a few seconds isn't going to matter. Kerberos and the security system is fussy about clocks. you can usually set your network switch up as an NTP server, so they can all sync with that. Or turn one of your machines into the NTP server and again, make it a reference source of time. Ideally, if detached from the network, you could hook up a GPS unit and run gpsd to be as accurate as pretty much everything else on the internet

stevel · ‎01-23-2016

@mkataria, thanks for this "I'm sure HDO engineering team must be looking into this for a solution, since KEYRING is the future for kerberos cache and the stuff you can do with it like keylist and etc." Hadoop uses the Kerberos libraries that come with the JVM. That's pretty problematic, because we have to delve into the private com.sun. and com.ibm. internal classes to get some stuff done, and that tends to break across major (and sometimes minor) releases. If we stay with the Oracle libraries, we're stuck with whatever they implement, which, as you've noticed, is pretty limited and out of date. You may be interested to hear of Apache Kerby, an ongoing project to have a pure Java Kerberos Domain Controller and, importantly for production Hadoop —a modern Kerberos client library, with CPU-acceleration of encryption when available (i.e. latest intel parts, as Hadoop already does for HDFS encryption), and broader protocol support. I don't think its ready for production use yet, and nobody has —yet— gone beyond looking at what it would take to switch Hadoop over to it. But be assured: people are looking at it. Finally, what was the error message you got? Was it the classic "unable to find TGT for user" kind of text, or something new? I'm trying to build a list list of common Kerberos error messages —adding a new message or a new possible cause of an existing message is something else to put in here.

stevel · ‎01-19-2016

@KRISHNANAND THOMMAND Can you email me, thats stevel at hortonworks.com , the exact spark-assembly JAR you've got with this problem. I want to make sure that I really am looking at the one you are seeing this problem. Once I've got it I'll have a look inside the JAR to see what's up. thanks

stevel · ‎01-19-2016

Connection refused invariably means "there's no service at the destination". Here I'd assume that either the configuration of the KMS is wrong (it's URL), or its not currently running.

stevel · ‎01-15-2016

sorry, just catching up on this. ATS integration should be there, so I'm trying to work out why things don't work.

stevel · ‎01-14-2016

If you were logged in via kerberos when you submit work, they usually pick up your credentials, then request hadoop tokens off the various services. Try using "kdestroy" to remove your kerberos tickets and repeating your operations, to see what happens then

Online	Offline
Last Visited	‎03-13-2023 07:42 AM

Name	Steve Loughran
Location	Bristol, England
Member Since	‎09-26-2015 10:24 AM
Last Visited	‎03-13-2023 07:42 AM
Posts	135
Kudos received	85

Cloudera Community

Re: Hbase Restore using the Backup ID from S3 thro...

Re: What is EMRFS? Is it a file system in AWS that...

Re: How to hotswap Data node hard disk without sto...

Re: HDFS Encryption Data at Rest - in Non-Kerberiz...

Re: Spark Weird Error

Re: Can we able to kill particular container in th...

Re: Spark UI thinks job is incomplete

Re: Can not invoke hdfs command after invoking web...

Re: User impersonation in Spark and Samza

Re: Token expiry issue due to System time on machi...

Re: Kerberos Cache in IPA /RedHat IDM (KEYRING) SO...

Re: Spark history server startup error

Re: After enable the kerberos ,the spark does not ...

Re: Spark history server startup error

Re: Kerberos authentication from Edge node