03-09-2017
02:39 PM
Hello,
I have an HDF cluster (Kerberos / Ranger) on which the client nodes all report the following:
2017-03-09 14:54:00,662 WARN [org.apache.ranger.audit.queue.AuditBatchQueue0] o.a.r.audit.provider.BaseAuditHandler failed to log audit event: {"repoType":10,"repo":"<MASKED>","reqUser":"<MASKED>","evtTime":"2017-03-09 14:54:00.275","access":"WRITE","resource":"/proxy","resType":"nifi-resource","action":"WRITE","result":1,"policy":2,"enforcer":"ranger-acl","cliIP":"<MASKED>","agentHost":"<MASKED>","logType":"RangerAudit","id":"56f7f5c4-a834-4405-9bae-18b19453129d-140","seq_num":276,"event_count":1,"event_dur_ms":0,"tags":[]}
org.apache.solr.client.solrj.impl.CloudSolrClient$RouteException: IOException occured when talking to server at: https://<Ambari_solr_FQDN>:8886/solr/ranger_audits_shard1_replica1
at org.apache.solr.client.solrj.impl.CloudSolrClient.directUpdate(CloudSolrClient.java:634) ~[solr-solrj-5.5.1.jar:5.5.1
<SNIP>
Caused by: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://<Ambari_solr_FQDN>:8886/solr/ranger_audits_shard1_replica1
<SNIP>
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
<SNIP>
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
<SNIP>
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
<SNIP>
I have checked the keystore & truststore stored at the location referred to in Ambari: the chain looks correct to me.
curl https://<Ambari_solr_FQDN>:8886/solr/ranger_audits_shard1_replica1 connects without errors, and openssl indicates a valid chain.
I can't find which store / chain is used by NiFi and how to fix this.
Any help will be welcome.
Thanks
Christophe
Labels: Apache NiFi, Apache Ranger, Apache Solr
03-09-2017
02:26 PM
@Matt Clarke, I indeed have mapping set:
nifi.security.identity.mapping.pattern.dn=^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$
nifi.security.identity.mapping.pattern.dn2=^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$
nifi.security.identity.mapping.pattern.kerb=
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.value.dn2=$1
nifi.security.identity.mapping.value.kerb=
I'm not too sure how to interpret these (I'm new to this actually). Thanks!
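How the mapping properties quoted in the post above rewrite a certificate DN, as an added example that is not part of the original post or of NiFi's code. It assumes NiFi tries the patterns in alphabetical order of their suffix (`dn`, `dn2`, `kerb`), skips empty ones, requires a full match and stops at the first hit; `load_mappings`, `map_identity` and the sample DNs are constructed for illustration.

```python
import re

# The properties quoted in the post, copied as-is.
PROPS = {
    "nifi.security.identity.mapping.pattern.dn":
        r"^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$",
    "nifi.security.identity.mapping.pattern.dn2":
        r"^CN=(.*?), OU=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$",
    "nifi.security.identity.mapping.pattern.kerb": "",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.value.dn2": "$1",
    "nifi.security.identity.mapping.value.kerb": "",
}
PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."

def load_mappings(props):
    """Pair each non-empty pattern with its value, ordered by suffix (assumed order)."""
    mappings = []
    for key in sorted(props):
        if not key.startswith(PATTERN_PREFIX):
            continue
        name = key[len(PATTERN_PREFIX):]
        pattern, value = props[key], props.get(VALUE_PREFIX + name, "")
        if pattern and value:          # empty entries such as "kerb" are skipped
            mappings.append((name, re.compile(pattern), value))
    return mappings

MAPPINGS = load_mappings(PROPS)

def map_identity(identity, mappings=MAPPINGS):
    """Return (mapped identity, name of the mapping that fired or None)."""
    for name, regex, value in mappings:
        match = regex.fullmatch(identity)
        if match:
            # Translate Java-style $1 group references into Python's \g<1>.
            template = re.sub(r"\$(\d+)", r"\\g<\1>", value)
            return match.expand(template), name
    return identity, None              # no pattern matched: identity is left unchanged

# Constructed sample DNs (not taken from the cluster in the post).
SAMPLES = [
    "cn=node1,ou=a,ou=b,ou=c,dc=corp,dc=example",
    "CN=node1, OU=Servers, OU=Hadoop, OU=IT, DC=corp, DC=example",
    "CN=node1, OU=Servers, DC=corp, DC=example",   # only one OU: matches neither pattern
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn, "->", map_identity(dn))
```

With a value of `$1`, a DN that matches is reduced to its CN alone, and that shortened string is the identity the authorizer is asked about; a DN with a different number of OU components matches neither pattern and is passed through whole.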
03-09-2017
12:05 PM
Hello,
This is related to https://issues.apache.org/jira/browse/NIFI-3530
Workaround: https://hortonworks.jira.com/browse/BUG-66889?jql=text%20~%20%22hive%20metastore%20nifi%22
Patch to be included in the next HDF release
03-09-2017
11:58 AM
Hello,
I was extending my HDF cluster (Kerberos - Active Directory / Ranger / SSL enabled) by adding one node using Ambari and I came across the following behavior I'm struggling to explain & address.
The nodes of my cluster all have an AD principal CN=nodename, OU=some OU, DC=dc1, DC=dc2. All nodes are members of a group "NifiClusterMember". Ranger is in sync, and the required policies are set up to allow R/W access to Proxy for NifiClusterMember.
While trying to log on to the new node, I received the error "Untrusted Proxy - <Nodename>". In this case, the "short" name, not the FQDN. I had to create <short name> as an internal user in Ranger to set up the access.
While it's currently running OK, I'd like to clean up the situation the way it should be. However, I could not find what part of the configuration is driving the behavior I encounter.
I'll take any tips 🙂
Thanks
Labels: Apache NiFi, Cloudera DataFlow (CDF)
02-23-2017
12:41 PM
Hello,
I've compiled this article after I struggled quite a bit to have the ingestion working. Credits to @Kuldeep Kulkarni, @Rahul Pathak and @awhitter for helping me figure out these steps. Feel free to contact me. I'll make sure to keep this up-to-date.
Sqoop is the tool of choice for ingesting OLTP data to HDFS or Hive. Incremental ingestion requires keeping track of the last row ingested in order to know where to start the next round from. Using a shared Sqoop metastore and a sqoop job will let Sqoop take care of keeping track of the ingestion. Oozie will be set up to call the sqoop job at the required interval of time. For this, a coordinator will be required.
1 Sqoop
1a. Shared Metastore
Create a Sqoop metastore on a node (preferably not on a data/worker node).
- Create a folder to save the metastore DB file (e.g. "/var/lib/sqoop/metastore")
- Configure the metastore from Ambari > Sqoop > Configs
sqoop.metastore.server.location "/var/lib/sqoop/metastore/shared.db"
sqoop.metastore.client.record.password "true"
sqoop.metastore.server.port "17000"
sqoop.metastore.client.autoconnect.url "jdbc:hsqldb:hsql://<Metastore_node>:17000/sqoop"
Start the Sqoop metastore process:
nohup sqoop-metastore &>>/var/log/sqoop-metastore.log &
Sqoop unfortunately does not offer an OS service (yet), so ensure that the metastore startup command is added to your startup scripts.
1b. Sqoop job
Notes:
- Active Directory authentication is not supported yet. The user must be a SQL user.
- As Sqoop will store the credentials in clear, the user must be created with the least privileges possible and monitored accordingly.
- While testing using AD integration (";Integrated Security=SSPI" in the connection string), connection has been successful; however, it's not (yet) a HWX supported situation.
sqoop-job --create <JobName> \
--meta-connect jdbc:hsqldb:hsql://<metastore_node>:17000/sqoop \
-- import \
--connect "jdbc:sqlserver://<SQLSERVER>:1433;database=<SQLDB>;" \
--username <username> \
--password <password> \
--num-mappers 5 \
--table <SQL TableName> \
--append \
--incremental append \
--check-column <Base Column for incremental> \
--hive-drop-import-delims \
--hive-import \
--hive-table <Hive DB>.<Hive Table> \
-- --schema <MSSQL Schema> --table-hints NOLOCK
The job will now appear in the job list
sqoop-job --list
and can be run manually
sqoop-job --exec <JobName>
2 Oozie
2a <application>-Site.xml files
If not already available in HDFS, copy core-site.xml files to HDFS
/usr/hdp/current/sqoop-client/conf/sqoop-site.xml
Copy hive-site.xml to a temp location for editing
cp /usr/hdp/current/hive-server2/conf/hive-site.xml /tmp
Edit /tmp/hive-site.xml, locate the property hive.exec.post.hooks and remove the value if any is present. The result in the file:
<property>
  <name>hive.exec.post.hooks</name>
  <value/>
</property>
Save the change and copy the modified /tmp/hive-site.xml to HDFS.
Note #1: if the file sqoop-site.xml is not reachable to Oozie/Sqoop, the Sqoop job will run once and fail subsequent runs, logging the following entries:
17/01/17 16:30:32 INFO sqoop.Sqoop: Running Sqoop version: 1.4.6.2.5.3.0-37
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: It seems that you have launched a Sqoop metastore job via
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: Oozie with sqoop.metastore.client.record.password disabled.
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: But this configuration is not supported because Sqoop can't
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: prompt the user to enter the password while being executed
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: as Oozie tasks. Please enable sqoop.metastore.client.record
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: .password in sqoop-site.xml, or provide the password
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: explicitly using --password in the command tag of the Oozie
17/01/17 16:30:33 ERROR sqoop.SqoopOptions: workflow file.
Note #2: When hive.exec.post.hooks are set, I have seen the workflow execution failing with a rate of 50-60%, after the data is ingested to Hive and before the Sqoop Metastore is updated, generating duplicate ingestion in the Hive table.
2b Update the Oozie share lib with the required jar files
/usr/hdp/current/hive-server2/lib/hive-shims-* to hdfs://user/oozie/share/lib/lib_<timestamp>/hive/
/usr/hdp/current/atlas-server/hook/hive/*.jar to hdfs://user/oozie/share/lib/lib_<timestamp>/hive/
Run the following command after having created a Kerberos ticket with the Oozie keytab
oozie admin -oozie https://<oozie_server>:11443/oozie -sharelibupdate
2c Copy required jar files to HDFS
(Microsoft) sqljdbc.jar to <HDFS_PATH>/jars/sqljdbc.jar
/usr/hdp/2.5.3.0-37/sqoop/lib/java-json.jar to <HDFS_PATH>/jars/java-json.jar
2d Create the workflow
File: workflow.xml
- <global> </global> passes the required -site.xml files to all the actions defined
- <archive> </archive> lists the jar files required by Sqoop (it seems that Sqoop will not parse the CLASS_PATH)
<workflow-app xmlns="uri:oozie:workflow:0.4" name="Worklow Sqoop Incremental">
<global>
<job-xml>/<HDFS_PATH>/sqoop-site.xml </job-xml>
<job-xml>/<HDFS_PATH>/sqoop/hive-site.xml </job-xml>
</global>
<credentials>
<credential name='hive_creds' type='hcat'>
<property>
<name>hcat.metastore.uri</name>
<value>thrift://<hive thrift URI>:9083</value>
</property>
<property>
<name>hcat.metastore.principal</name>
<value>hive/_HOST@domain.name</value>
</property>
</credential>
</credentials>
<start to="SqoopStep"/>
<action name="SqoopStep" cred="hive_creds">
<sqoop xmlns="uri:oozie:sqoop-action:0.3">
<job-tracker>${jobTracker}</job-tracker>
<name-node>${nameNode}</name-node>
<command>job --meta-connect jdbc:hsqldb:hsql://<metastorenode>:17000/sqoop --exec <SqoopJobname></command>
<archive><HDFS_PATH>/jars/sqljdbc.jar</archive>
<archive><HDFS_PATH>/jars/java-json.jar</archive>
</sqoop>
<ok to="end"/>
<error to="fail"/>
</action>
<kill name="fail">
<message>Map/Reduce failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
</kill>
<end name = "end"/>
</workflow-app>
2e Create the coordinator
File: coordinator.xml
<coordinator-app name="Sqoop Incremental Ingestion Scheduler" frequency="${coord:minutes(5)}"
start="${start}" end="2100-01-01T08:00Z" timezone="UTC"
xmlns="uri:oozie:coordinator:0.1">
<controls>
<timeout>90</timeout>
</controls>
<action>
<workflow>
<app-path>/<HDFS_PATH>/<FOLDER_WHERE_TO_FIND_WORKLOW></app-path>
</workflow>
</action>
</coordinator-app>
2f Edit job.properties
File: job.properties
nameNode=hdfs://<namenode>
jobTracker=<jobtracker>:8050
queueName=default
examplesRoot=examples
oozie.action.sharelib.for.sqoop=sqoop,hive,atlas
#oozie.libpath=${nameNode}/user/oozie/share/lib
oozie.use.system.libpath=true
#oozie.wf.rerun.failnodes=true
user.name=oozie
oozie.coord.application.path=${nameNode}/HDFSPATH/Folder_To_find_coordinator.xml
outputDir=/HDFS_PATH/Oozie/OutputDir
start=2017-02-15T13:00Z
Key setting: oozie.action.sharelib.for.sqoop must be set to at least "sqoop, hive"
2g Submitting
Copy both coordinator.xml & workflow.xml to HDFS (make sure to reflect the right paths in both job.properties & coordinator.xml).
Submit the job to Oozie (with a Kerberos ticket generated with the Oozie keytab)
oozie job -oozie https://<oozieserver>:11443/oozie -config <localpath>/job.properties -submit
Hopefully this will prove useful.
02-20-2017
03:55 PM
Update: running Wireshark: CALL set_ugi seems to be successful, followed by CALL get_database, which is not served; at this time the Hive metastore server RSTs the connections.
02-20-2017
03:42 PM
Hello,
While trying to ingest data to Hive using NiFi - PutHiveStreaming, I'm stranded on the error below while trying to connect to the Hive Metastore.
HDP 2.5.3 / HDF 2.1.1, both kerberized.
Both technotes https://community.hortonworks.com/articles/52856/stream-data-into-hive-like-a-king-using-nifi.html and https://community.hortonworks.com/questions/59681/puthivestreaming-nifi-processor-various-errors.html have been applied, to no luck. (While I wonder if the last one is still accurate with HDF 2.1.1, the error is present no matter which NAR file I use.)
Extract of hivemetastore.log:
2017-02-20 16:32:20,536 ERROR [pool-7-thread-195]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:609)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:606)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1704)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:606)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 10 more
Browsing the knowledge base of Google did not help; Status -128 is never listed.
Thanks!
Christophe
Labels: Apache Hive, Apache NiFi
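Where a status such as -128 can come from when a SASL-enabled Thrift server reads its first bytes, as an added example that is not part of the original post. It assumes Thrift's SASL framing (one signed status byte, then a 4-byte big-endian length) and the strict binary protocol's 0x8001 version word; the function names and the two byte strings are constructed here.

```python
import struct

# Negotiation status codes a Thrift SASL transport accepts in the first byte.
SASL_STATUS = {1: "START", 2: "OK", 3: "BAD", 4: "ERROR", 5: "COMPLETE"}
# High 16 bits of the first word of a strict binary-protocol message.
BINARY_PROTOCOL_VERSION = 0x8001
MESSAGE_TYPES = {1: "CALL", 2: "REPLY", 3: "EXCEPTION", 4: "ONEWAY"}

def binary_call(method, seqid=0):
    """Constructed sample: header of a plain (non-SASL) binary-protocol CALL."""
    name = method.encode()
    first_word = (BINARY_PROTOCOL_VERSION << 16) | 1          # version | CALL
    return struct.pack(">II", first_word, len(name)) + name + struct.pack(">i", seqid)

def sasl_frame(status, payload):
    """Constructed sample: a SASL negotiation frame (status byte + length + payload)."""
    return struct.pack(">bI", status, len(payload)) + payload

def classify_first_bytes(data):
    """Interpret the start of a connection the way a SASL-expecting server would."""
    (status,) = struct.unpack_from(">b", data)                # signed byte, as in Java
    if status in SASL_STATUS:
        (length,) = struct.unpack_from(">I", data, 1)
        return {"kind": "sasl", "status": SASL_STATUS[status], "payload_len": length}
    (word,) = struct.unpack_from(">I", data)
    if word >> 16 == BINARY_PROTOCOL_VERSION:
        # Not a SASL frame at all: the peer opened with an unwrapped Thrift call.
        (name_len,) = struct.unpack_from(">I", data, 4)
        return {
            "kind": "plain-thrift",
            "status": status,
            "type": MESSAGE_TYPES.get(word & 0xFF),
            "method": data[8:8 + name_len].decode(),
        }
    return {"kind": "unknown", "status": status}

if __name__ == "__main__":
    print(classify_first_bytes(sasl_frame(1, b"GSSAPI")))
    print(classify_first_bytes(binary_call("get_database")))
```

The leading 0x80 of an unwrapped binary-protocol message reads as -128 when taken as a signed status byte, which is not one of the five negotiation codes.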
02-17-2017
04:03 PM
Hello,
The metrics are back. Not sure how (I just stopped & restarted the task to extract its settings). My problem is solved 🙂
Thanks!
Christophe
02-17-2017
03:28 PM
Hi @brosander,
Now that you bring it up, I remember to have indeed deleted one flow.xml.gz once I faced an issue with an out-of-sync cluster. I would have expected the flow.xml.gz to be replicated from the active node. Maybe it did not happen.
That said, I've just extracted my flow.xml.gz and compared it (for the Ambari metric related node) to the template and the bootstrap.conf content, and I believe my recreation of the task to be accurate. The URL is correct (confirmed by the logs that report successful data submissions), and the application code ('nifi') matches the bootstrap.conf file. Hostname is set to ${hostname(true)}, which matches the template.
Do I need to reset anything in Ambari-Metrics-collector? (I would assume that ambari-metrics still has a record of the old task-id.)
Thanks
Christophe
02-17-2017
09:52 AM
Hi @Pierre Villard,
Thanks for the prompt reaction. The Ambari Reporting task was indeed not present. I added & configured it. It's running and sending data:
2017-02-17 10:40:41,086 INFO [Timer-Driven Process Thread-10] o.a.n.r.ambari.AmbariReportingTask AmbariReportingTask[id=4b551cf1-015a-1000-ffff-ffff8823e94e] Successfully sent metrics to Ambari in 0 ms
However, my NiFi widgets (Ambari > Nifi > summary) keep displaying "No Data". I have restarted both Ambari Server & Ambari-metrics, yet to no luck.
Did I miss a step somewhere?
Thanks
Christophe