[
https://issues.apache.org/jira/browse/SPARK-21008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xing Shi updated SPARK-21008:
-----------------------------
Description:
On a security(Kerberos) enabled cluster, streaming applications renew HDFS
delegation tokens periodically and save them in
{{<userDir>/.sparkStaging/<applicationId>/}} directory on HDFS.
The path of the credentials file will written into checkpoint, and reloaded as
the *old applicationId* at application restarting, although the application has
changed to a new id.
This issue can be reproduced by restarting a checkpoint-enabled streaming
application on a kerberized cluster.
The application run well - but with thousands of
{{java.io.FileNotFoundException}} logged - and finally failed by token
expiration.
The log file is something like this:
{code:title=the_first_run.log}
17/06/07 14:52:06 INFO executor.CoarseGrainedExecutorBackend: Will periodically
update credentials from:
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
17/06/07 14:52:06 INFO security.CredentialUpdater: Scheduling credentials
refresh from HDFS in 92263 ms.
{code}
{code:title=after_restart.log}
# The AMCredentialRenewer renews & writes out the token successfully.
#
17/06/07 15:11:14 INFO security.AMCredentialRenewer: Scheduling login from
keytab in 96952 millis.
...
17/06/07 15:12:51 INFO security.AMCredentialRenewer: Attempting to login to KDC
using principal: xxx@XXX.LOCAL
17/06/07 15:12:51 INFO security.AMCredentialRenewer: Successfully logged into
KDC.
...
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Writing out delegation
tokens to
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1.tmp
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation Tokens written
out successfully. Renaming file to
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation token file
rename complete.
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Scheduling login from
keytab in 110925 millis.
...
# But the CredentialUpdater looks for the token in another place.
#
17/06/07 15:11:24 INFO executor.CoarseGrainedExecutorBackend: Will periodically
update credentials from:
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
...
17/06/07 15:12:24 WARN yarn.YarnSparkHadoopUtil: Error while attempting to list
files from application staging dir
java.io.FileNotFoundException: File
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035 does
not exist.
at
org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:697)
at
org.apache.hadoop.hdfs.DistributedFileSystem.access$600(DistributedFileSystem.java:105)
at
org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:755)
at
org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:751)
at
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at
org.apache.hadoop.hdfs.DistributedFileSystem.listStatus(DistributedFileSystem.java:751)
at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1485)
at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1525)
at
org.apache.spark.deploy.SparkHadoopUtil.listFilesSorted(SparkHadoopUtil.scala:257)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater.org$apache$spark$deploy$yarn$security$CredentialUpdater$$updateCredentialsIfRequired(CredentialUpdater.scala:72)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply$mcV$sp(CredentialUpdater.scala:53)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
at org.apache.spark.util.Utils$.logUncaughtExceptions(Utils.scala:1962)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1.run(CredentialUpdater.scala:53)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Notice that the applicationId after restart is
application_1496384469444_{color:red}0036{color} but the application still
attempt to read credentials from 0035's directory.
Recently I used Spark 1.6 in my cluster, and tested this issue with Spark 1.6.3
and 2.1.1. But it should affect all the versions from 1.5.x to current
master(2.3.x).
was:
On a security(Kerberos) enabled cluster, streaming applications renew HDFS
delegation tokens periodically and save them in
{{<userDir>/.sparkStaging/<applicationId>/}} directory on HDFS.
The path of the credentials file will written into checkpoint, and reloaded as
the *old applicationId* at application restarting, although the application has
changed to a new id.
This issue can be reproduced by restarting a checkpoint-enabled streaming
application on a kerberized cluster.
The application run well - but with thousands of
{{java.io.FileNotFoundException}} logged - and finally failed by token
expiration.
The log file is something like this:
{code:title=the_first_run.log}
17/06/07 14:52:06 INFO executor.CoarseGrainedExecutorBackend: Will periodically
update credentials from:
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
17/06/07 14:52:06 INFO security.CredentialUpdater: Scheduling credentials
refresh from HDFS in 92263 ms.
{code}
{code:title=after_restart.log}
# The AMCredentialRenewer renews & writes out the token successfully.
17/06/07 15:11:14 INFO security.AMCredentialRenewer: Scheduling login from
keytab in 96952 millis.
...
17/06/07 15:12:51 INFO security.AMCredentialRenewer: Attempting to login to KDC
using principal: xxx@XXX.LOCAL
17/06/07 15:12:51 INFO security.AMCredentialRenewer: Successfully logged into
KDC.
...
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Writing out delegation
tokens to
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1.tmp
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation Tokens written
out successfully. Renaming file to
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation token file
rename complete.
17/06/07 15:12:53 INFO security.AMCredentialRenewer: Scheduling login from
keytab in 110925 millis.
...
# But the CredentialUpdater looks for the token in another place.
17/06/07 15:11:24 INFO executor.CoarseGrainedExecutorBackend: Will periodically
update credentials from:
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
...
17/06/07 15:12:24 WARN yarn.YarnSparkHadoopUtil: Error while attempting to list
files from application staging dir
java.io.FileNotFoundException: File
hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035 does
not exist.
at
org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:697)
at
org.apache.hadoop.hdfs.DistributedFileSystem.access$600(DistributedFileSystem.java:105)
at
org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:755)
at
org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:751)
at
org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at
org.apache.hadoop.hdfs.DistributedFileSystem.listStatus(DistributedFileSystem.java:751)
at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1485)
at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1525)
at
org.apache.spark.deploy.SparkHadoopUtil.listFilesSorted(SparkHadoopUtil.scala:257)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater.org$apache$spark$deploy$yarn$security$CredentialUpdater$$updateCredentialsIfRequired(CredentialUpdater.scala:72)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply$mcV$sp(CredentialUpdater.scala:53)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
at org.apache.spark.util.Utils$.logUncaughtExceptions(Utils.scala:1962)
at
org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1.run(CredentialUpdater.scala:53)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Notice that the applicationId after restart is
application_1496384469444_{color:red}0036{color} but the application still
attempt to read credentials from 0035's directory.
Recently I used Spark 1.6 in my cluster, and tested this issue with Spark 1.6.3
and 2.1.1. But it should affect all the versions from 1.5.x to current
master(2.3.x).
> Streaming applications read stale credentials file when recovering from
> checkpoint.
> -----------------------------------------------------------------------------------
>
> Key: SPARK-21008
> URL: https://issues.apache.org/jira/browse/SPARK-21008
> Project: Spark
> Issue Type: Bug
> Components: DStreams
> Affects Versions: 1.6.3, 2.0.2, 2.1.1, 2.2.0
> Reporter: Xing Shi
>
> On a security(Kerberos) enabled cluster, streaming applications renew HDFS
> delegation tokens periodically and save them in
> {{<userDir>/.sparkStaging/<applicationId>/}} directory on HDFS.
> The path of the credentials file will written into checkpoint, and reloaded
> as the *old applicationId* at application restarting, although the
> application has changed to a new id.
> This issue can be reproduced by restarting a checkpoint-enabled streaming
> application on a kerberized cluster.
> The application run well - but with thousands of
> {{java.io.FileNotFoundException}} logged - and finally failed by token
> expiration.
> The log file is something like this:
> {code:title=the_first_run.log}
> 17/06/07 14:52:06 INFO executor.CoarseGrainedExecutorBackend: Will
> periodically update credentials from:
> hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
> 17/06/07 14:52:06 INFO security.CredentialUpdater: Scheduling credentials
> refresh from HDFS in 92263 ms.
> {code}
> {code:title=after_restart.log}
> # The AMCredentialRenewer renews & writes out the token successfully.
> #
> 17/06/07 15:11:14 INFO security.AMCredentialRenewer: Scheduling login from
> keytab in 96952 millis.
> ...
> 17/06/07 15:12:51 INFO security.AMCredentialRenewer: Attempting to login to
> KDC using principal: xxx@XXX.LOCAL
> 17/06/07 15:12:51 INFO security.AMCredentialRenewer: Successfully logged into
> KDC.
> ...
> 17/06/07 15:12:53 INFO security.AMCredentialRenewer: Writing out delegation
> tokens to
> hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1.tmp
> 17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation Tokens
> written out successfully. Renaming file to
> hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0036/credentials-044b83ea-b46b-4bd4-8e98-0e38928fd58c-1496816091985-1
> 17/06/07 15:12:53 INFO security.AMCredentialRenewer: Delegation token file
> rename complete.
> 17/06/07 15:12:53 INFO security.AMCredentialRenewer: Scheduling login from
> keytab in 110925 millis.
> ...
> # But the CredentialUpdater looks for the token in another place.
> #
> 17/06/07 15:11:24 INFO executor.CoarseGrainedExecutorBackend: Will
> periodically update credentials from:
> hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035/credentials-19a7c11e-8c93-478c-ab0a-cdbfae5b2ae5
> ...
> 17/06/07 15:12:24 WARN yarn.YarnSparkHadoopUtil: Error while attempting to
> list files from application staging dir
> java.io.FileNotFoundException: File
> hdfs://nameservice1/user/xxx/.sparkStaging/application_1496384469444_0035
> does not exist.
> at
> org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:697)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem.access$600(DistributedFileSystem.java:105)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:755)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:751)
> at
> org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
> at
> org.apache.hadoop.hdfs.DistributedFileSystem.listStatus(DistributedFileSystem.java:751)
> at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1485)
> at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1525)
> at
> org.apache.spark.deploy.SparkHadoopUtil.listFilesSorted(SparkHadoopUtil.scala:257)
> at
> org.apache.spark.deploy.yarn.security.CredentialUpdater.org$apache$spark$deploy$yarn$security$CredentialUpdater$$updateCredentialsIfRequired(CredentialUpdater.scala:72)
> at
> org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply$mcV$sp(CredentialUpdater.scala:53)
> at
> org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
> at
> org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1$$anonfun$run$1.apply(CredentialUpdater.scala:53)
> at
> org.apache.spark.util.Utils$.logUncaughtExceptions(Utils.scala:1962)
> at
> org.apache.spark.deploy.yarn.security.CredentialUpdater$$anon$1.run(CredentialUpdater.scala:53)
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Notice that the applicationId after restart is
> application_1496384469444_{color:red}0036{color} but the application still
> attempt to read credentials from 0035's directory.
> Recently I used Spark 1.6 in my cluster, and tested this issue with Spark
> 1.6.3 and 2.1.1. But it should affect all the versions from 1.5.x to current
> master(2.3.x).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
