alinazemian
Contributor
My Accepted Solutions
Show All

Re: How to reissue a delegated token after max lif...

by Contributor in Support Questions
‎01-08-2019 06:00 AM
‎01-08-2019 06:00 AM
Spark submit: spark-submit \ --master yarn \ --deploy-mode cluster \ --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=kafka_client_jaas.conf -Dlog4j.configuration=xxx -Djava.util.Arrays.useLegacyMergeSort=true" \ --conf "spark.driver.extraJavaOptions=-Djava.security.auth.login.config=kafka_client_jaas.conf -Dlog4j.configuration=xxx -Djava.util.Arrays.useLegacyMergeSort=true" \ --conf spark.ui.port=18086 \ --conf spark.executor.memory=${executor_memory} \ --conf spark.executor.instances=${num_executors} \ --conf spark.executor.cores=${executor_cores} \ --conf spark.driver.memory=4g \ --conf spark.driver.maxResultSize=3g \ --conf spark.kafka.broker.ingest=xxx \ --conf spark.kafka.zookeeper.ingest=xxx \ --conf spark.kafka.broker.egest=xxx \ --conf spark.kafka.topic.input=xxx \ --conf spark.kafka.topic.output=xxx \ --conf spark.kafka.input.interval=10 \ --conf spark.kafka.group=xxx \ --conf spark.streaming.kafka.maxRetries=10 \ --conf spark.kafka.security.protocol.ingress=SASL_PLAINTEXT \ --conf spark.kafka.security.protocol.egress=SASL_PLAINTEXT \ --conf spark.fetch.message.max.bytes=104857600 \ --conf spark.hive.enable.stats=true \ --conf spark.streaming.backpressure.enabled=true \ --conf spark.streaming.kafka.maxRatePerPartition=1 \ --conf spark.streaming.receiver.maxRate=10 \ --conf spark.executor.heartbeatInterval=120s \ --conf spark.network.timeout=600s \ --conf spark.yarn.scheduler.heartbeat.interval-ms=1000 \ --conf spark.sql.parquet.compression.codec=snappy \ --conf spark.scheduler.minRegisteredResourcesRatio=1 \ --conf spark.yarn.maxAppAttempts=10 \ --conf spark.yarn.am.attemptFailuresValidityInterval=1h \ --conf spark.yarn.max.executor.failures=$((8 * ${num_executors})) `# Increase max executor failures (Default: max(numExecutors * 2, 3))` \ --conf spark.yarn.executor.failuresValidityInterval=1h \ --conf spark.task.maxFailures=8 \ --conf spark.yarn.submit.waitAppCompletion=false \ --conf spark.yarn.principal=xxx \ --conf spark.yarn.keytab=xxx \ --conf spark.hadoop.fs.hdfs.impl.disable.cache=true \ --queue default \ ${APP_HOME}/xxx.jar ... View more

Re: How to reissue a delegated token after max lif...

by Contributor in Support Questions
‎01-08-2019 05:54 AM
‎01-08-2019 05:54 AM
Stack trace: WARN Client: Exception encountered while connecting to the server : org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.token.Secret Manager$InvalidToken): token (HDFS_DELEGATION_TOKEN token 155456 for spark) can't be found in cache Exception in thread "main" org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.token.SecretManager$InvalidToken): token (HDFS_DELEGATION_TOKEN token 1 55456 for spark) can't be found in cache at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1554) at org.apache.hadoop.ipc.Client.call(Client.java:1498) at org.apache.hadoop.ipc.Client.call(Client.java:1398) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233) at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:818) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:291) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:203) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:185) at com.sun.proxy.$Proxy11.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:2165) at org.apache.hadoop.hdfs.DistributedFileSystem$26.doCall(DistributedFileSystem.java:1442) at org.apache.hadoop.hdfs.DistributedFileSystem$26.doCall(DistributedFileSystem.java:1438) at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1438) at org.apache.spark.deploy.yarn.ApplicationMaster$$anonfun$6.apply(ApplicationMaster.scala:160) at org.apache.spark.deploy.yarn.ApplicationMaster$$anonfun$6.apply(ApplicationMaster.scala:157) at scala.Option.foreach(Option.scala:257) at org.apache.spark.deploy.yarn.ApplicationMaster.<init>(ApplicationMaster.scala:157) at org.apache.spark.deploy.yarn.ApplicationMaster$$anonfun$main$1.apply$mcV$sp(ApplicationMaster.scala:765) at org.apache.spark.deploy.SparkHadoopUtil$$anon$1.run(SparkHadoopUtil.scala:67) at org.apache.spark.deploy.SparkHadoopUtil$$anon$1.run(SparkHadoopUtil.scala:66) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866) at org.apache.spark.deploy.SparkHadoopUtil.runAsSparkUser(SparkHadoopUtil.scala:66) at org.apache.spark.deploy.yarn.ApplicationMaster$.main(ApplicationMaster.scala:764) at org.apache.spark.deploy.yarn.ApplicationMaster.main(ApplicationMaster.scala) ... View more

Re: How to reissue a delegated token after max lif...

by Contributor in Support Questions
‎01-03-2019 12:52 AM
‎01-03-2019 12:52 AM
This is exactly the way we use spark-submit. A token is valid only for 24 hrs. Yarn renew the token every 24 hrs automatically until it reaches the max lifetime (which is 7 days) then the token cannot get renewed anymore and needs to be reissued. Hence, we are restarting the job every 7 days. Restarting the job every 7 days doesn't seem to be the right approach for a production environment! ... View more

How to reissue a delegated token after max lifetim...

by Contributor in Support Questions
‎12-20-2018 05:40 AM
‎12-20-2018 05:40 AM
We are using a headless keytab to run our long-running spark streaming application. The token is renewed automatically every 1 day until it hits the max life limit. The problem is token is expired after max life (7 days) and we need to restart the job. Is there any way we can re-issue the token and pass it to a job that is already running? It doesn't feel right at all to restart the job every 7 days only due to the token issue. ... View more
Labels:

Re: Does Ranger fully support WASB/ADLS?

by Contributor in Support Questions
‎08-21-2018 10:24 AM
‎08-21-2018 10:24 AM
So is WASB fully supported by Ranger KMS to enable TDE? ... View more

Does Ranger fully support WASB/ADLS?

by Contributor in Support Questions
‎08-21-2018 05:05 AM
‎08-21-2018 05:05 AM
I was wondering if Apache Ranger (Including Ranger KMS) in HDP 2.6.4 fully supports WASB and ADLS. I would like to understand if we move to use WASB/ADLS instead of HDFS what functionalities will be impacted regarding Authentication, Authorisation and Auditing. ... View more

Re: NiFi Sizing Guide & Deployment Best Practices

by Contributor in Community Articles
‎09-03-2017 11:17 AM
‎09-03-2017 11:17 AM
Have you checked Nifi throughput using Content Repo in a JBOD mode instead of Raid? Basically, let application decide for the distribution of data. ... View more

Re: When is the best time to enable Kerberos

by Contributor in Support Questions
‎08-01-2017 07:03 AM
‎08-01-2017 07:03 AM
So it is not required to disable Kerberos, upgrade HDP or install new service and enable Kerberos again? ... View more

Re: When is the best time to enable Kerberos

by Contributor in Support Questions
‎08-01-2017 06:56 AM
‎08-01-2017 06:56 AM
@Manish Kumar Yadav Sorry I got confused. What is the relation of Windows Integrated Authentication with the order of Kerberisation? ... View more

Re: When is the best time to enable Kerberos

by Contributor in Support Questions
‎08-01-2017 12:25 AM
‎08-01-2017 12:25 AM
@Geoffrey Shelton Okot What about the order of Kerberization? Which one is safer? Kerberizing at the final step or it doesn't matter? ... View more

When is the best time to enable Kerberos

by Contributor in Support Questions
‎07-31-2017 08:11 AM
‎07-31-2017 08:11 AM
I am trying to understand when the best time would be to enable Kerberos on a production platform to avoid any potential issue? After integrating Web-UI with LDAP or it is safe to Kerberize cluster and then integrate Web-UI like Ambari, Knox, Nifi, Ranger, Zeppelin and Hive with AD and enable fine grained authorization? Does it make any difference from the technical point of view? What about installing any new service or upgrading different services? Is it safer to disable Kerberos and install new service/upgrade current services and enable Kerberos again, or it is safe to upgrade current services on a Kerberized cluster? ... View more

Re: Cluster tuning parameters for provisioning Amb...

by Contributor in Support Questions
‎07-21-2017 12:09 AM
‎07-21-2017 12:09 AM
Briliant. Thanks. ... View more

Cluster tuning parameters for provisioning Ambari-...

by Contributor in Support Questions
‎07-19-2017 04:51 AM
‎07-19-2017 04:51 AM
I have used a blueprint to provision an HDP cluster in the following conditions: - Create an Ambari-managed HDP cluster in a manual approach (Non-blueprint installation) - Extract blueprint from the created cluster. - Remove all non-generic parts and all tuning part from the extracted blueprint to make it more generic. - Create host-group mapping file to capture all passwords and hostnames. - Create another cluster with the modified blueprint and host-group mapping file. My question is when you are using a manual installation Ambari selects the recommended values for tuning parameters. However, in the blueprint installation, you need to modify them separately or put all parameters in host-group mapping file which make the blueprint maintenance very hard. I was wondering whether there is another way that Ambari can pick all the parameters in the same way that is used in a Non-blueprint installation. ... View more
Labels:

Re: Best option for data node sizing: 24x 2 TB dis...

by Contributor in Support Questions
‎04-13-2017 06:47 AM
‎04-13-2017 06:47 AM
@Michael Young Thank you very much. Unfortunately, the hardware vendor we have married to does not provide any option like 24x8 TB. I have to choose between 12x(10/8/6TB) or 56x(10/8/6) TB. What do you think? Should I go for 12x10TB for the cold storage? ... View more

Best option for data node sizing: 24x 2 TB disk vs...

by Contributor in Support Questions
‎04-12-2017 12:51 PM
1 Kudo
‎04-12-2017 12:51 PM
1 Kudo
Hi, I have a hard time to decide which option would be better for Hot Data Nodes sizing: A) 12 x 10 TB 7.2k, single 12G Raid Controller Pros: Total cost per GB would be less Cons: Less number of data nodes, It takes more to replicate data in the case of node failure B) 24 x 2 TB 7.2k, single 12G Raid Controller Pros: Higher number of data nodes, It takes less to replicate data in the case of node failure Cons: 1 single disk controller might create a bottleneck for 24 disks especially in the case of using single drive raid-0 to take advantage of Raid controller caching, total cost per GB would be higher I was wondering how bad would be to use a data node with a 56x10TB disk with 2 Raid Controller for a cold storage? ... View more

Re: Tiered storage at a node level?

by Contributor in Support Questions
‎04-12-2017 06:11 AM
‎04-12-2017 06:11 AM
Please follow this instruction to deploy HDP on heterogeneous disks for Hot, Warm and Cold tiering in a single node. https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_hdfs-administration/content/configuring_archival_storage.html ... View more

Hadoop storage tiering best practice

by Contributor in Support Questions
‎04-11-2017 02:33 PM
‎04-11-2017 02:33 PM
I was wondering whether there is a best practice for providing Hadoop storage tiering in HDP or not? What would be the recommended replication factor for hot warm and cold storages? Which architecture would be recommended? Having separate data nodes for warm and cold storage or using hybrid disks in the entire platform? Is that possible to provide separate data nodes in HDP cluster through Ambari or it needs some customization at the Hadoop layer? ... View more
Labels:

Re: Collocate Storm and Kafka

by Contributor in Support Questions
‎03-13-2017 12:53 PM
‎03-13-2017 12:53 PM
Have you done any benchmarking for this purpose? ... View more

Collocate Storm and Kafka

by Contributor in Support Questions
‎03-13-2017 12:03 PM
‎03-13-2017 12:03 PM
Let's say Storm is compute intensive and Kafka IO intensive. In this case, do you suggest to collocate Storm and Kafka on the same node? I have seen Storm-Zookeeper collocation and separate Kafka ... View more
Labels:

Re: Hierarchy of TDE encryption zones with Ranger-...

by Contributor in Support Questions
‎02-26-2017 02:50 AM
‎02-26-2017 02:50 AM
So can we virtually build a hierarchy of encryption zone in this way? ... View more

Hierarchy of TDE encryption zones with Ranger-KMS

by Contributor in Support Questions
‎02-26-2017 02:35 AM
‎02-26-2017 02:35 AM
I was wondering is there any way to have a hierarchy of encryption zones managing by Ranger-KMS? Suppose we have the following directory structure: /userA/userB/ /userA/userC/ I want to configure HDFS in a way that userB and userA use two different encryption zones, but I would like to be able to access userB and userC folders with userA and be able to encrypt/decrypt data owned by userB or userC. Is there any way to handle this situation with Ranger-KMS? ... View more

Sharing HDFS/Hive/HBase access to Kerberised clust...

by Contributor in Support Questions
‎02-20-2017 02:12 AM
‎02-20-2017 02:12 AM
Let's say I have two different clusters authenticated by Kerberos. Let's say I have enabled TDE and managed that with Ranger-KMS. How can I design a solution which can work in this regards? Based on my understanding from the Kerberos point of view I have to provide a centralised KDC for both clusters. How can a user connect to one of the clusters run a spark query with some of the data stored in cluster 1 HDFS some of that in cluster 2 HDFS? How can a user run a hive aggregation query on both clusters? Even if we provide a single KDC for both of the clusters, since the principle for same services in different clusters would be different, it should not be permitted for a single user to run a single job on data from both clusters at the same time. Because the required service ticket for accessing Hive on cluster 1 would be different that the hive on cluster 2. What about Ranger-KMS? Is there any manual way to integrate both Ranger-KMS instances? ... View more

Re: Why encryption in transit will be required whi...

by Contributor in Support Questions
‎02-19-2017 02:04 AM
‎02-19-2017 02:04 AM
What about RCP encryption? What would be the added value of enabling RPC encryption when we have TDE? ... View more

Why encryption in transit will be required while w...

by Contributor in Support Questions
‎02-18-2017 02:19 PM
1 Kudo
‎02-18-2017 02:19 PM
1 Kudo
Hi, I was wondering why we need to have encryption in transit while TDE has been provided already? As far as I understand, TDE is an end-to-end encryption mechanism so that HDFS data will be encrypted/decrypted at the client side. Therefore, data will be encrypted while transferring the wire from client to server and server to client. In this case, what would be the added value of using encryption in-transit separately? Regards. ... View more

Re: Integrate two different instance of Ranger

by Contributor in Support Questions
‎02-18-2017 08:06 AM
‎02-18-2017 08:06 AM
1- An authorised user on Ranger 1 needs to have access to Ranger 2 cluster (Without TDE) 2- An authorised user on Ranger 1 needs to have access to corresponding user encryption zone at Ranger 2 (with TDE) ... View more

Re: Integrate two different instance of Ranger

by Contributor in Support Questions
‎02-17-2017 01:15 PM
‎02-17-2017 01:15 PM
Basically, this is not a multi-cluster management. I am looking for a way to integrate two different Ranger instances. ... View more

Integrate two different instance of Ranger

by Contributor in Support Questions
‎02-17-2017 07:26 AM
‎02-17-2017 07:26 AM
Hi, I was wondering how can I integrate two different instances of Ranger? I am using two separate cluster each one manage by different Ranger. I am using TDE on both of cluster managed by Ranger-KMS. How can I integrate these two clusters from the encryption zone point of view? Let's say I have a central KDC shared between these two clusters. ... View more
Labels:

Ambari Metrics collector ephemeral ports on cluste...

by Contributor in Support Questions
‎02-08-2017 04:11 AM
1 Kudo
‎02-08-2017 04:11 AM
1 Kudo
We have an HDP cluster which is managed by Ambari. We have been asked to put a firewall and block unknown ports. We have noticed there is an interaction between Ambari Metrics collector and all of the nodes exactly in the opposite direction of Ambari Metrics designed architecture! Based on the architecture, the interaction should be from all of the machines in HDP cluster as a source to Ambari Metrics machine port 6188 as a destination. However, we've found out in addition to this connectivity, there is another type of interaction from source port 6188 on Ambari Metrics machine to all of the machines in HDP cluster with an ephemeral port as the destination port. I was wondering what the purpose of this interaction is and whether it makes sense to have such an interaction or not? ... View more
Labels:

HDP/ HDF Multi-tenancy with multiple storage tieri...

by Contributor in Support Questions
‎01-27-2017 06:38 AM
‎01-27-2017 06:38 AM
I am working on a design and implementation of Hadoop Multi-tenant solution with multiple storage tiering and different retention policy per tenant. I was wondering is there any reference architecture/best practice which has been already provided? Suppose we want to have 6 months retention policy on hot storage for the tenant 1 and 12 months retention policy on hot storage for the tenant 2. Is there any tool have been already provided or I have to consider it via Oozie job to move data from one tier to another tier based on the tenant retention policy? ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎01-08-2019 06:00 AM
Public Statistics
Date Registered ‎12-05-2016 11:57 AM
Last Visited ‎01-08-2019 06:00 AM
Total Messages Posted 52
Total Kudos Received 9