[
https://issues.apache.org/jira/browse/OOZIE-2900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16212694#comment-16212694
]
Attila Sasvari commented on OOZIE-2900:
---------------------------------------
I'd like to add some more background information.
In earlier Oozie version, to copy data between secure clusters with the
DistCpAction, I set the following configuration properties
- oozie.launcher.mapreduce.job.dfs.namenode.kerberos.principal.pattern: {{*}}
- oozie.launcher.mapreduce.job.hdfs-servers:
{{hdfs://REMOTE_CLUSTER:8020,hdfs://LOCAL_CLUSTER.com:8020}}
- oozie.launcher.mapreduce.job.hdfs-servers.token-renewal.exclude:
{{REMOTE_CLUSTER}}
MR ApplicationMaster got us HDFS_DELEGATION_TOKEN for both clusters via
[populateTokenCache()|https://github.com/apache/hadoop/blob/branch-2.6/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/JobSubmitter.java#L430]
using {{mapreduce.job.hdfs-servers}}. Now we are using LauncherAM to launch
actions:
{code}
java.io.IOException: Failed on local exception: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]; Host Details : local host is:
"asasvarigce.gce.cloudera.com/172.31.116.178"; destination host is:
"asasvarivpc.vpc.cloudera.com":8020;
at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:799)
at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1494)
at org.apache.hadoop.ipc.Client.call(Client.java:1436)
at org.apache.hadoop.ipc.Client.call(Client.java:1346)
at
org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
at
org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
at com.sun.proxy.$Proxy14.getFileInfo(Unknown Source)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:873)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
at
org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
at com.sun.proxy.$Proxy15.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1683)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1490)
at
org.apache.hadoop.hdfs.DistributedFileSystem$29.doCall(DistributedFileSystem.java:1487)
at
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at
org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1502)
at org.apache.hadoop.fs.Globber.getFileStatus(Globber.java:65)
at org.apache.hadoop.fs.Globber.doGlob(Globber.java:270)
at org.apache.hadoop.fs.Globber.glob(Globber.java:149)
at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:2001)
at
org.apache.hadoop.tools.GlobbedCopyListing.doBuildListing(GlobbedCopyListing.java:77)
at org.apache.hadoop.tools.CopyListing.buildListing(CopyListing.java:86)
at
org.apache.hadoop.tools.DistCp.createInputFileListing(DistCp.java:368)
at org.apache.hadoop.tools.DistCp.prepareFileListing(DistCp.java:96)
at org.apache.hadoop.tools.DistCp.createAndSubmitJob(DistCp.java:205)
at org.apache.hadoop.tools.DistCp.execute(DistCp.java:182)
at org.apache.hadoop.tools.DistCp.run(DistCp.java:153)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
at org.apache.oozie.action.hadoop.DistcpMain.run(DistcpMain.java:78)
at
org.apache.oozie.action.hadoop.LauncherMain.run(LauncherMain.java:101)
at org.apache.oozie.action.hadoop.DistcpMain.main(DistcpMain.java:47)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.oozie.action.hadoop.LauncherAM.runActionMain(LauncherAM.java:410)
at
org.apache.oozie.action.hadoop.LauncherAM.access$300(LauncherAM.java:56)
at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:223)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:217)
at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:140)
Caused by: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]
at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:754)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at
org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:717)
at
org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:810)
at org.apache.hadoop.ipc.Client$Connection.access$3500(Client.java:408)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1551)
at org.apache.hadoop.ipc.Client.call(Client.java:1382)
... 52 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot
authenticate via:[TOKEN, KERBEROS]
at
org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173)
at
org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390)
at
org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:612)
at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:408)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:797)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:793)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at
org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:793)
... 55 more
<<< Invocation of DistCp command completed <<<
No child hadoop job is executed.
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.oozie.action.hadoop.LauncherAM.runActionMain(LauncherAM.java:410)
at
org.apache.oozie.action.hadoop.LauncherAM.access$300(LauncherAM.java:56)
at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:223)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:217)
at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:140)
Caused by: java.lang.RuntimeException: Returned value from distcp is non-zero
(-999)
at org.apache.oozie.action.hadoop.DistcpMain.run(DistcpMain.java:80)
at
org.apache.oozie.action.hadoop.LauncherMain.run(LauncherMain.java:101)
at org.apache.oozie.action.hadoop.DistcpMain.main(DistcpMain.java:47)
... 16 more
Failing Oozie Launcher, Returned value from distcp is non-zero (-999)
java.lang.RuntimeException: Returned value from distcp is non-zero (-999)
at org.apache.oozie.action.hadoop.DistcpMain.run(DistcpMain.java:80)
at
org.apache.oozie.action.hadoop.LauncherMain.run(LauncherMain.java:101)
at org.apache.oozie.action.hadoop.DistcpMain.main(DistcpMain.java:47)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.oozie.action.hadoop.LauncherAM.runActionMain(LauncherAM.java:410)
at
org.apache.oozie.action.hadoop.LauncherAM.access$300(LauncherAM.java:56)
at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:223)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:217)
at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1962)
at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:140)
{code}
That is why we need the HDFS delegation token for the remote cluster,
implementing something similar to org.apache.hadoop.mapreduce.JobSubmitter /
TokenCache somewhere in JavaActionExecutor / DistcpActionExecutor.
> Retrieve tokens for oozie.launcher.mapreduce.job.hdfs-servers before
> submission
> -------------------------------------------------------------------------------
>
> Key: OOZIE-2900
> URL: https://issues.apache.org/jira/browse/OOZIE-2900
> Project: Oozie
> Issue Type: Sub-task
> Affects Versions: 5.0.0
> Reporter: Peter Bacsko
> Assignee: Attila Sasvari
>
> We have to get tokens for oozie.launcher.mapreduce.job.hdfs-servers. Cannot
> do cross cluster distcp without that.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
