Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
mliem
mliem
Expert Contributor

Enabling SASL/Plain on kerberos-enabled cluster (m...

by Expert Contributor mliem in Support Questions
‎09-06-2017 06:23 PM
‎09-06-2017 06:23 PM
Hello, I have a kerberos-enabled cluster and trying to enable SASL/PLAIN as well on the same broker. SASL (GSSAPI) works fine. These are the steps i took: 1) Added PlainLoginModule to kafka_jaas.conf (all other sections already there due to kerberos) KafkaServer { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="{{kafka_keytab_path}}" storeKey=true useTicketCache=false serviceName="{{kafka_bare_jaas_principal}}" principal="{{kafka_jaas_principal}}"; org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret" user_alice="alice-secret"; }; KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="{{kafka_bare_jaas_principal}}"; }; Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="{{kafka_keytab_path}}" storeKey=true useTicketCache=false serviceName="zookeeper" principal="{{kafka_jaas_principal}}"; }; I've also validated, -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/config/kafka_jaas.conf is being loaded (ps -ef | grep kafka_jaas.conf) 2) Created a kafka_plain_jaas_client.conf KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret"; }; 3) Update to server.properties sasl.enabled.mechanisms=GSSAPI,PLAIN advertised.listeners=PLAINTEXTSASL://ip-123-0-0-12.ec2.internal:6667 4) Producer.proerties security.protocol=SASL_PLAINTEXT sasl.mechanism=PLAIN 5) Restarted Kafka When I use the old kafka_client_jaas that references com.sun.security.auth.module.Krb5LoginModule, everything still works but using the new client_jaas with plainLoginModule I get: kafka@ip-170-0-0-12:/usr/hdp/current/kafka-broker/bin$ /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list ip-170-0-0-12.ec2.internal:6667 --topic ssl_plain_test -producer.config /usr/hdp/current/kafka-broker/conf/producer.properties --security-protocol PLAINTEXTSASL d [2017-09-06 18:13:56,982] WARN Error while fetching metadata with correlation id 0 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient) [2017-09-06 18:13:57,183] WARN Error while fetching metadata with correlation id 1 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient) [2017-09-06 18:13:57,284] WARN Error while fetching metadata with correlation id 2 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient) [2017-09-06 18:13:57,385] WARN Error while fetching metadata with correlation id 3 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient) [2017-09-06 18:13:57,485] WARN Error while fetching metadata with correlation id 4 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient) I edited: /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh to point to my client_jaas: export KAFKA_CLIENT_KERBEROS_PARAMS="-Djava.security.auth.login.config=$KAFKA_HOME/config/kafka_plain_jaas_client.conf" Any ideas? Thanks! ... View more

Re: How to process CSV file based on info in an X...

by Expert Contributor mliem in Support Questions
‎08-09-2017 06:54 PM
1 Kudo
‎08-09-2017 06:54 PM
1 Kudo
Hey Eyad, One option is to use the XML as the starting point/ingestion/trigger. Once you get the getFile/fetchFile you can pass it to evaluateXPath to read/parse the XML file and turn the values into attributes. Once you have the attributes you should have everything you need to prep the file (fetch file, create table, putHDFS, etc). We do something similar for our ingestion but use a sql db that has all the metadata information. Once we detect a file, we query mysql to pull in the similar info you have in your XML file. ... View more

NiFi - Cannot assign requested address (Bind faile...

by Expert Contributor mliem in Support Questions
‎07-07-2017 07:42 PM
‎07-07-2017 07:42 PM
Hi, Getting the below error during nifi startup: Exception in thread "main" java.net.BindException: Cannot assign requested address (Bind failed) at java.net.PlainSocketImpl.socketBind(Native Method) at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387) at java.net.ServerSocket.bind(ServerSocket.java:375) at java.net.ServerSocket.bind(ServerSocket.java:329) at org.apache.nifi.bootstrap.NiFiListener.start(NiFiListener.java:38) at org.apache.nifi.bootstrap.RunNiFi.start(RunNiFi.java:1022) at org.apache.nifi.bootstrap.RunNiFi.main(RunNiFi.java:216) I've left nifi.properties default and verified ports not being used nifi.web.http.host= nifi.web.http.port=8080 any ideas? ... View more
Labels:

XML handling suggestions

by Expert Contributor mliem in Support Questions
‎06-30-2017 05:13 AM
‎06-30-2017 05:13 AM
Hi, We are ingesting a very complex XML file (super nested, unordered elements etc). We have HDP and HDF for ingestion and considering a few options: 1. XML Serde on File (not the most intuitive for really complex structures) 2. Spit XML into child splits and remerge into 1:M hive tables (a little better than option 1 but still gets a little crazy) 3. Convert XML to JSON with xlst, and use hive Serde. I found JSON SerDe a little more flexible and was able to deal with the deep nested, unordered entities okay. 4. Convert XML directly to Avro with Spark 5. Read XML and pull out only relevant entities/attributes Any recommendations or other approaches people have succesffuly used? ... View more
Labels:

Searchable Tag hierarchy

by Expert Contributor mliem in Support Questions
‎06-30-2017 05:05 AM
‎06-30-2017 05:05 AM
Hi - Is it possible to setup a Hierarchy of tags that can be searchable (either API or UI) through the parent tag? If for example I have 4 tags, company1,company2,company3,company4 and a parent tag of vendors. Is there a way for me to search vendors and it to come up with the tag list of company1-4? I have created tags that inheirt from others but cant see this relationship in the UI ... View more
Labels:

NiFi failing startup - nested exception is org.h2...

by Expert Contributor mliem in Support Questions
‎06-30-2017 04:59 AM
‎06-30-2017 04:59 AM
Hi - upgraded from HDF 2.x -> 3.0 (ran into issue with upgrade so wiped everything 2.x related and installed 3). Getting the below error in app log during startup. Everything done through Ambari 2017-06-29 20:11:31,391 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setJwtAuthenticationProvider(org.apache.nifi.web.security.jwt.JwtAuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'jwtService' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtService' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'keyService' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyService' defined in class path resource [nifi-administration-context.xml]: Cannot resolve reference to bean 'keyTransactionBuilder' while setting bean property 'transactionBuilder'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyTransactionBuilder' defined in class path resource [nifi-administration-context.xml]: Cannot resolve reference to bean 'keyDataSource' while setting bean property 'dataSource'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyDataSource': FactoryBean threw exception on object creation; nested exception is org.h2.jdbc.JdbcSQLException: Error while creating file "/data/1/nifi/database_repository_rock" [90062-176] I do see: 2017-06-29 20:11:10,586 - Creating directory Directory['/data/1/nifi/database_repository'] since it doesn't exist. 2017-06-29 20:11:10,586 - Changing owner for /data/1/nifi/database_repository_rock from 0 to nifi 2017-06-29 20:11:10,586 - Changing group for /data/1/nifi/database_repository_rock from 0 to nifi Permissions and everything looks to be set correctly. Have tried completely removing /data/1/* and clearing other remnants of previous install. any ideas or places I should look? Only happens ... View more
Labels:

Re: certification

by Expert Contributor mliem in Support Questions
‎06-30-2017 04:47 AM
‎06-30-2017 04:47 AM
Hi Ashutosh, I would use Hortonworks contact us support page for questions around certification and options you may have. Someone should be in touch with you https://hortonworks.com/marketo-contact-training Thanks, Matt ... View more

Re: Hive not applying auth_to_local rules with Ker...

by Expert Contributor mliem in Support Questions
‎05-03-2017 02:25 PM
‎05-03-2017 02:25 PM
Look like it was just hive needed to be restarted (no restart prompt was there)...none of the above made any difference. ranger.usersync.ldap.username.caseconversion=lower ranger.usersync.ldap.groupname.caseconversion=lower This is only used for usersync - how ranger imports your users in groups. It doesnt affect how your username or group will appear in audit Please verify the auth_to_local rules in the host where hive is running, usually in /usr/hdp/<Version>/hadoop/conf You can also try copy/link core-site.xml to /etc/hive/conf/conf.server and /etc/hive/conf This didnt make any difference either, i believe its because it hive uses: usr/hdp/current/hadoop-client/conf/: ... View more

Hive not applying auth_to_local rules with Kerbero...

by Expert Contributor mliem in Support Questions
‎05-03-2017 03:46 AM
‎05-03-2017 03:46 AM
Hello, When i run hive commands, ranger audit is picking up my user name with Capitals e.g "John.Doe". When I do HDFS Commands, its lower case "john.doe" My Principal is: John.Doe@CORP.AD and we have auth-to-local rules to convert this to all lower case. (john.doe) In ranger we are also doing ranger.user.sync case conversion to lower so if we use user policies, only hdfs will work (e.g. i appear as john.doe in users and since Hive comes in as "John.Doe" user policies dont get applied).  Example: CREATE TABLE test.permtest (field1 int); - the location of this folder is /data/2017 [john.doe@edge1 ~]$ hdfs dfs -ls /data/2017/ drwxr-xr-x - John.Doe hdfs 0 2017-05-02 20:43 /data/2017/permtest As you can see from the above, the table gets created with the ACL permissions as John.Doe. ------- Now when I do HDFS commands, e.g. it comes up as expected (john.doe - lower case) [john.doe@edge1 ~]$ hdfs dfs -mkdir /data/2017/permtest1 drwxr-xr-x - John.Doe hdfs 0 2017-05-02 20:43 /data/2017/permtest drwxr-xr-x - john.doe hdfs 0 2017-05-02 20:44 /data/2017/permtest1 The John.Doe and john.doe is what gets passed to ranger for authorization and this is a problem since user ranger sync brings over "john.doe" and so any Hive policies wont work. Any ideas? ... View more

Re: Nifi Sample Workflow to test Nifi Cluster Setu...

by Expert Contributor mliem in Support Questions
‎03-28-2017 02:18 PM
‎03-28-2017 02:18 PM
1) locally..I would also change generate flow file processor to have a file size of say 1KB to start and scale up from there. It looks like you've left it as the default of 0. (30,000 flow files but 0 bytes) 2) You need to make sure all route paths are taken care of. If you put your cursor over the yellow exclamation mark it'll highlight error. In your case you need to handle the failure route. (send to funnel or another processor) 3) Once compresscontent is completed ... View more

Re: Temporary table not found (ODBC driver issue ?...

by Expert Contributor mliem in Support Questions
‎03-28-2017 02:00 PM
‎03-28-2017 02:00 PM
Also, is the cluster kerberized? Do you have ranger policies for Hive? ... View more

Re: Temporary table not found (ODBC driver issue ?...

by Expert Contributor mliem in Support Questions
‎03-28-2017 01:58 PM
‎03-28-2017 01:58 PM
@dvt isoft Are the tables you've created via ODBC showing up in beeline? What about if you try creating a database instead. ... View more

Re: Ranger policy not working

by Expert Contributor mliem in Support Questions
‎03-28-2017 01:56 PM
‎03-28-2017 01:56 PM
@ARUN Hi, HDFS permissions is managed by a combination of ranger + native HDFS permissions (POSIX). Just because you've set ranger policies for those 3 users, doesnt mean they are the only users who are allowed to access HDFS. In your case, arun is still able to access hdfs because all folders in HDFS have 'r' access for others (eg. /tmp - drwxrwxrwx) The link below has best practicess in managing HDFS permissions with ranger and native hadoop permissions: https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/ One of the important steps is to change HDFS umask to 077 from 022. This will prevent any new files or folders to be accessed by anyone other than the owner. As an example you can do the below: As hdfs user: 1. hdfs dfs -mkdir /tmp/ranger_test 2 hdfs dfs -chmod 700 /tmp/ranger_test (folder permission becomes "drwx------" - changing umask to 077 will do this for future files) 3. switch to ARUN user 4. hdfs dfs -ls /tmp/ranger_test (you should get an error along the lines of: " ls: Permission denied: user=arun, access=READ_EXECUTE, inode="/tmp/ranger_test":hdfs:hdfs:drwx------" 5. Add a policy in ranger to allow arun access to /tmp/ranger_test 6. try to access the /tmp/ranger_test folder with arun Hope this helps, ... View more

Re: Temporary table not found (ODBC driver issue ?...

by Expert Contributor mliem in Support Questions
‎03-28-2017 01:32 PM
‎03-28-2017 01:32 PM
@dvt isoft Hi, Are you able to access hive through command line? If so, I would look to see if your table is showing up there. I would also double check the database is selected correctly. Are you creating it in default database or creating your own database and a table within it. Thanks ... View more

Re: Nifi Sample Workflow to test Nifi Cluster Setu...

by Expert Contributor mliem in Support Questions
‎03-28-2017 01:27 PM
‎03-28-2017 01:27 PM
@Anishkumar Valsalam I usually test nifi cluster functions by setting up a very simple flow such as: GenerateFlowFile -> CompressContent -> UpdateAttribute This involves high rate flow file generation, CPU usage, and provenance emission. It will give you a certain level of knowledge on the health of your system These links are also very useful in determining throughput expectations http://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_Overview/content/performance-expectations-and-characteristics-of-nifi.html http://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.0/bk_dataflow-command-line-installation/content/hdf_isg_hardware.html ... View more

Re: MergeContent defrag errors when handling multi...

by Expert Contributor mliem in Support Questions
‎02-10-2017 08:25 PM
‎02-10-2017 08:25 PM
@Matt Clarke Thanks Matt, very useful info. It was about 20 tar files, which turned into almost 1000 individual files that I was looking to ZIP back to 20 files. Looks like the major problem was the bin #. It was set to 1, once I increased that it had no problem with the multiple tar files that were queued up. I only had 1 concurrent tasks so I was surprised that even with 1 bin, it would look to create a new bin. For selected prioritizers it was the default " first in first out", so if its untaring one tar file at a time it should finish a whole bin before moving to the next one. ... View more

Re: Hive performance bad on higher configured clus...

by Expert Contributor mliem in Support Questions
‎02-09-2017 06:17 AM
‎02-09-2017 06:17 AM
@Huahua Wei What about YARN and Hive Settings? Like: Yarn.nodemanager.resources.memory-mb min/max container memory min/max container sizes Tez container size All of these settings can be found in ambari in YARN/TEZ/MapReduce. I would ensure that they are set to take full advantage of all cluster resources. ... View more

MergeContent defrag errors when handling multiple ...

by Expert Contributor mliem in Support Questions
‎02-09-2017 06:00 AM
‎02-09-2017 06:00 AM
Hi I have the processors unpackContent -> MergeContent. I use this to untar a file and then zip the files. I am using the defragment merge strategy and have been noticing that when MergeContent has to handle many flowfiles at once (flowfile queue builds up before MergeContent) from many different fragments I get "Expected number of fragments is X but only getting Y". Simply routing failures back to merge content or creating a run schedule delay helped solve this but wondering why this would be happening. Thanks, ... View more
Labels:

Re: SQL processors (jdbc:phoenix) hanging in Secu...

by Expert Contributor mliem in Support Questions
‎01-26-2017 06:55 AM
‎01-26-2017 06:55 AM
No but all ports are open between the two machines. When I run phoenix-client (which works), i use the same node NiFI is running on so i don't think its a connection issue: Works from nifi node: /usr/hdp/current/phoenix-client/bin/sqlline.py zk:2181:/hbase-secure:hbase-dev-hadoop@DEV.COM:/etc/security/keytabs/hbase.headless.keytab ... View more

SQL processors (jdbc:phoenix) hanging in Secured ...

by Expert Contributor mliem in Support Questions
‎01-26-2017 06:45 AM
1 Kudo
‎01-26-2017 06:45 AM
1 Kudo
Hello, I have secured HDP cluster and a nifi flow that ingests JSON and inserts it into a Phoenix Table Getfile->ConvertJsonToSQL->ReplaceText(insert to update)->PutSQL. Prior to enabling kerberos the flow was working fine. After enabling kerberos, I changed the connection pool to: jdbc:phoenix:localhost:2181:/hbase-secure:hbase-dev@DEV.COM:/etc/security/keytabs/hbase.headless.keytab This connection URL works fine with sqlline/phoenix client Now when I start the flow, it initially hangs for a while and I end up with the below logs Caused by: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (org.apache.hadoop.hbase.client.RetriesExhaustedException: Failed after attempts=36, exceptions: Thu Jan 26 06:36:52 UTC 2017, null, java.net.SocketTimeoutException: callTimeout=60000, callDuration=68021: row 'SYSTEM:CATALOG,,' on table 'hbase:meta' at region=hbase:meta,,1.1588230740, hostname=ip-123-431-1-123.ec2.internal,16020,1485391803237, seqNum=0 at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549) ~[na:na] at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388) ~[na:na] at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044) ~[na:na] at org.apache.nifi.dbcp.DBCPConnectionPool.getConnection(DBCPConnectionPool.java:231) ~[na:na] ... 18 common frames omitted Caused by: java.net.SocketTimeoutException: callTimeout=60000, callDuration=68130: row 'SYSTEM:CATALOG,,' on table 'hbase:meta' at region=hbase:meta,,1.1588230740, hostname=ip-172-40-1-51.ec2.internal,16020,1485391803237, seqNum=0 at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:159) ~[na:na] at org.apache.hadoop.hbase.client.ResultBoundedCompletionService$QueueingFuture.run(ResultBoundedCompletionService.java:65) ~[na:na] ... 3 common frames omitted Caused by: org.apache.hadoop.hbase.exceptions.ConnectionClosingException: Call to ip-172-40-1-51.ec2.internal/172.40.1.51:16020 failed on local exception: org.apache.hadoop.hbase.exceptions.ConnectionClosingException: Connection to ip-172-40-1-51.ec2.internal/172.40.1.51:16020 is closing. Call id=9, waitTime=3 at org.apache.hadoop.hbase.ipc.RpcClientImpl.wrapException(RpcClientImpl.java:1258) ~[na:na] at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1229) ~[na:na] at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:213) ~[na:na] at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:287) ~[na:na] at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.scan(ClientProtos.java:32741) ~[na:na] at org.apache.hadoop.hbase.client.ScannerCallable.openScanner(ScannerCallable.java:373) ~[na:na] at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:200) ~[na:na] at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:62) ~[na:na] at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithoutRetries(RpcRetryingCaller.java:200) ~[na:na] at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:364) ~[na:na] at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:338) ~[na:na] at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:126) ~[na:na] ... 4 common frames omitted Caused by: org.apache.hadoop.hbase.exceptions.ConnectionClosingException: Connection to ip-172-40-1-51.ec2.internal/172.40.1.51:16020 is closing. Call id=9, waitTime=3 at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.cleanupCalls(RpcClientImpl.java:1047) ~[na:na] at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.close(RpcClientImpl.java:846) ~[na:na] at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.run(RpcClientImpl.java:574) ~[na:na] Any ideas on what I could be missing? Similar behaviour with executeSQL. Thanks! ... View more

Re: Connecting to Phoenix Query Server via DBVisua...

by Expert Contributor mliem in Community Articles
‎11-25-2016 05:43 AM
‎11-25-2016 05:43 AM
@Sunile Manjee Followed the above and getting: An error occurred while establishing the connection: Long Message: Remote driver error: RuntimeException: java.sql.SQLFeatureNotSupportedException -> SQLFeatureNotSupportedException: (null exception message) Details: Type: org.apache.calcite.avatica.AvaticaClientRuntimeException Stack Trace: AvaticaClientRuntimeException: Remote driver error: RuntimeException: java.sql.SQLFeatureNotSupportedException -> SQLFeatureNotSupportedException: (null exception message). Error -1 (00000) null java.lang.RuntimeException: java.sql.SQLFeatureNotSupportedException at org.apache.calcite.avatica.jdbc.JdbcMeta.propagate(JdbcMeta.java:681) at org.apache.calcite.avatica.jdbc.JdbcMeta.connectionSync(JdbcMeta.java:671) at org.apache.calcite.avatica.remote.LocalService.apply(LocalService.java:314) at org.apache.calcite.avatica.remote.Service$ConnectionSyncRequest.accept(Service.java:2001) at org.apache.calcite.avatica.remote.Service$ConnectionSyncRequest.accept(Service.java:1977) at org.apache.calcite.avatica.remote.AbstractHandler.apply(AbstractHandler.java:95) at org.apache.calcite.avatica.remote.ProtobufHandler.apply(ProtobufHandler.java:46) at org.apache.calcite.avatica.server.AvaticaProtobufHandler.handle(AvaticaProtobufHandler.java:124) at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499) at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) at java.lang.Thread.run(Thread.java:745) Caused by: java.sql.SQLFeatureNotSupportedException at org.apache.phoenix.jdbc.PhoenixConnection.setCatalog(PhoenixConnection.java:799) at org.apache.calcite.avatica.jdbc.JdbcMeta.apply(JdbcMeta.java:652) at org.apache.calcite.avatica.jdbc.JdbcMeta.connectionSync(JdbcMeta.java:666) ... 15 more at org.apache.calcite.avatica.remote.Service$ErrorResponse.toException(Service.java:2453) at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:61) at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:89) at org.apache.calcite.avatica.remote.RemoteMeta$5.call(RemoteMeta.java:148) at org.apache.calcite.avatica.remote.RemoteMeta$5.call(RemoteMeta.java:134) at org.apache.calcite.avatica.AvaticaConnection.invokeWithRetries(AvaticaConnection.java:715) at org.apache.calcite.avatica.remote.RemoteMeta.connectionSync(RemoteMeta.java:133) at org.apache.calcite.avatica.AvaticaConnection.sync(AvaticaConnection.java:664) at org.apache.calcite.avatica.AvaticaConnection.getAutoCommit(AvaticaConnection.java:181) at com.onseven.dbvis.g.B.C.ā(Z:1315) at com.onseven.dbvis.g.B.F$A.call(Z:1369) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Through CLI, i am able to connect : p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Menlo; color: #5330e1} span.s1 {font-variant-ligatures: no-common-ligatures} [cloudbreak@ip-172-40-1-169 bin]$ ./sqlline-thin.py Setting property: [incremental, false] Setting property: [isolation, TRANSACTION_READ_COMMITTED] issuing: !connect jdbc:phoenix:thin:url=http://localhost:8765;serialization=PROTOBUF none none org.apache.phoenix.queryserver.client.Driver Connecting to jdbc:phoenix:thin:url=http://localhost:8765;serialization=PROTOBUF Triple checked I am loading the correct driver. Anything else I could be missing? ... View more

Re: Accessing Hive JDBC/webHDFS through Knox in se...

by Expert Contributor mliem in Support Questions
‎10-31-2016 04:40 PM
‎10-31-2016 04:40 PM
@Gerg Git No I did not, I ended up using a different LDAP server freeipa which has been proven to integrate with kerberos and knox nicely. I was using openldap, cloudbreak and amazon linux servers on HDP 2.5. I suspect its something related to that or the way I had installed kerberos. What are you using? ... View more

Re: Can Knox connect to a database of users and pa...

by Expert Contributor mliem in Support Questions
‎10-31-2016 03:49 PM
‎10-31-2016 03:49 PM
For demo purposes, you can use capability of Shiro to embed users directly within its configuration (in our case knox-topology file). This approach is largely taken to “shake out” the process of editing topology files for various purposes. At the same time it minimizes external dependencies to help ensure a successful starting point. Your knox-topology would look like this: <topology> <gateway> <provider> <role>authentication</role> <name>ShiroProvider</name> <enabled>true</enabled> <param name="users.admin" value="admin-secret"/> <param name="urls./**" value="authcBasic"/> </provider> </gateway> <service> <role>KNOX</role> </service> </topology> Testing the topology through KNOX API with the embeded admin user. curl -u admin:admin-secret -ik 'https://localhost:8443/gateway/sample1/api/v1/version' Obviously not a replacement to integrating with LDAP but good way to test and start manipulating your topology file. ... View more

Re: Using the TLS Toolkit to simplify security

by Expert Contributor mliem in Community Articles
‎10-12-2016 05:52 PM
‎10-12-2016 05:52 PM
This is really good! Thanks ... View more

Re: Hive not resolving namenode HA

by Expert Contributor mliem in Support Questions
‎10-12-2016 02:43 PM
‎10-12-2016 02:43 PM
@santoshsb They are already configured to point to the nameservice URI. See my first screenshot: hive --service metatool -listFSRootListing FS Roots. hdfs://cluster1/apps/hive/warehouse/test2.d hdfs://cluster1/apps/hive/warehouse/raw.db hdfs://cluster1/apps/hive/warehouse/test.db hdfs://cluster1/apps/hive/warehouse hdfs://cluster1/apps/hive/warehouse/lookup.db ... View more

Hive not resolving namenode HA

by Expert Contributor mliem in Support Questions
‎10-11-2016 10:36 PM
‎10-11-2016 10:36 PM
Hello, After enabling HA on the name node, hive is unable to access the hive databases whose metastore name got updated to the new FS path: Error: Error while compiling statement: FAILED: SemanticException java.lang.IllegalArgumentException: java.net.UnknownHostException: cluster1 (state=42000,code=40000) hive metastore tool shows: hive --service metatool -listFSRootListing FS Roots.. hdfs://cluster1/apps/hive/warehouse/test2.db hdfs://cluster1/apps/hive/warehouse/raw.db hdfs://cluster1/apps/hive/warehouse/test.db hdfs://cluster1/apps/hive/warehouse hdfs://cluster1/apps/hive/warehouse/lookup.db cluster1 is the correct fs.defaultFS that was setup during HA. <property> <name>fs.defaultFS</name> <value>hdfs://cluster1</value> <final>true</final> </property> If I create a new database in hive, it gets created using the actual name node host name: 0: jdbc:hive2://ip-10-555-2-555.ec2.internal:> create database test3; No rows affected (0.148 seconds) Listing FS Roots.. hdfs://ip-10-123-5-42.ec2.internal:8020/apps/hive/warehouse/test3.db any ideas on what could be missing? hdfs client works fine with the HA name. ... View more

Accessing Hive JDBC/webHDFS through Knox in secure...

by Expert Contributor mliem in Support Questions
‎10-04-2016 10:47 PM
‎10-04-2016 10:47 PM
Hello, I am trying to access hive JDBC through Knox in a secured cluster (kerberos). When accessing them directly, it works fine. I am able to connect with hiveserver directly in HTTP mode passing in kerbeos principal and creating kerberos ticket beeline -u 'jdbc:hive2:/<hive_server>:10001/;transportMode=http;httpPath=cliservice;principal=hive/_HOST@DEV.COM' and access WEBHDFS fine directly connecting to namenode: curl -i --negotiate -u : 'http://<namenode>:50070/webhdfs/v1/?op=LISTSTATUS' Going through Knox gateway (using sample LDAP for simplicity), I get: curl -iku guest:guest-password -X GET 'https://<knox_gateway>:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS' <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 401 Authentication required</title> </head><body><h2>HTTP ERROR 401</h2> <p>Problem accessing /webhdfs/v1/. Reason:<pre> Authentication required</pre></p><hr/><i><small>Powered by Jetty://</small></i><br/> In gateway-audit i do see the request getting translated to the actual internal request but its returning 401. audit|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|unavailable|Request method: GET audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success| audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: [] audit|WEBHDFS|guest|||authorization|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success| audit|WEBHDFS|guest|||dispatch|uri|http://<name_node>:50070/webhdfs/v1/?op=LISTSTATUS&doAs=guest|unavailable|Request method: GET audit|WEBHDFS|guest|||dispatch|uri|http://<name_node>:50070/webhdfs/v1/?op=LISTSTATUS&doAs=guest|success|Response status: 401 audit|WEBHDFS|guest|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 401 Similarly in Hive, I can connect to hiveserver directly but when I attempt through knox I get: 16/10/04 22:31:34 [main]: ERROR jdbc.HiveConnection: Error opening sessionorg.apache.thrift.transport.TTransportException: HTTP Response code: 401 In Hive server logs: 2016-10-04 22:31:34,063 INFO [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet (ThriftHttpServlet.java:doKerberosAuth(398)) - Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal 2016-10-04 22:31:34,063 ERROR [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet (ThriftHttpServlet.java:doKerberosAuth(406)) - Failed to authenticate with hive/_HOST kerberos principal 2016-10-04 22:31:34,064 ERROR [HiveServer2-HttpHandler-Pool: Thread-299]: thrift.ThriftHttpServlet (ThriftHttpServlet.java:doPost(209)) - Error: org.apache.hive.service.auth.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:407) at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:159) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111) at org.eclipse.jetty.server.Server.handle(Server.java:349) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:952) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.reflect.UndeclaredThrowableException at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742) at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:404) ... 23 more Caused by: org.apache.hive.service.auth.HttpAuthenticationException: Authorization header received from the client is empty. at org.apache.hive.service.cli.thrift.ThriftHttpServlet.getAuthHeader(ThriftHttpServlet.java:548) at org.apache.hive.service.cli.thrift.ThriftHttpServlet.access$100(ThriftHttpServlet.java:74) at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:449) at org.apache.hive.service.cli.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:412) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:415) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724) ... 24 more FYI I have: hadoop.proxyuser.knox.hosts=<knox_gateway>hadoop.proxyuser.knox.groups=* Thanks for any help! ... View more

Re: Hive Metastore won't start after enabling Kerb...

by Expert Contributor mliem in Support Questions
‎10-04-2016 04:18 PM
‎10-04-2016 04:18 PM
@Oliver Meyn Thanks...guess i'll just have to disable kerberos till then. What was your path to this error? Did you ever disable kerberos at some point and then try to re-enable it? (this is what I did) Im using HDP 2.5 ... View more

Re: Hive Metastore won't start after enabling Kerb...

by Expert Contributor mliem in Support Questions
‎10-04-2016 03:30 PM
‎10-04-2016 03:30 PM
@Oliver Meyn Did you ever find a solution to this? Running into the same issue after disabling and then re-enabling kerberos. ... View more

Instance Status stuck in requested

by Expert Contributor mliem in Support Questions
‎09-29-2016 09:28 PM
‎09-29-2016 09:28 PM
Hello, I was testing adding a node in cluster (cloudbreak 1.6 - via aws) and it's getting stuck at: cloudbreak_1 | 2016-09-29 21:24:01,951 [cloud-reactor-5] call:66 DEBUG c.s.c.c.a.t.ASGroupStatusCheckerTask - [owner:dec04b8c-ce10-48ab-80a1-687f007d4582] [type:springLog] [id:4] [name:instream-hadoop-cluster] Instances in AS group: 5, needed: 6 When i check psql i see: groupname | instanceid | instancestatus | discoveryfqdn ---------------------+------------+----------------+------------------------------ host_group_slave_1 | ******* || REGISTERED | ******* | host_group_slave_1 | ******* | REGISTERED | ******* | host_group_slave_1 | | REQUESTED | | I don't see anyhting happening in AWS and have verified that i'm not hitting any limits. Any ideas? Also whats required to stop the logging? (one shown above). Even after changing status in stack table to available it still produces that log. (currently it gets stuck at UPDATE_IN_PROGRESS postgres=# select name,status from stack; name | status -------------------------+-------------------- instream-hadoop-cluster | UPDATE_IN_PROGRESS ... View more
Contact Me
Online
Offline
Last Visited
‎09-13-2017 06:03 AM
Public Statistics
Date Registered ‎06-13-2016 02:04 AM
Last Visited ‎09-13-2017 06:03 AM
Total Messages Posted 76
Total Kudos Received 13