You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@hbase.apache.org by Govind89 <go...@gmail.com> on 2018/10/23 18:21:05 UTC

Lookup Hbase Tbl from UDF (Beeline , Hbase,Delegation Tokens)

1
down vote
favorite
I have a requirement to write Custom UDF for data lookup from Hbase Table .

NOTE : I have done Unit Testing with HIVE . It seems to be working .

But when I use the same UDF Beeline, Its failed . By default Cloudera
restricts impersonation and allows only hive user for running queries in
Beeline. On Job startup , YarnChild is setting the following delegations
tokens.

I want to add token (Kind : HBASE_AUTH_TOKEN ) for dealing with Hbase.

Kind: mapreduce.job
Kind: HDFS_DELEGATION_TOKEN 
Kind: kms-dt
I researched and found out how HbaseStorageHandler is using Delegation Token
( i.e HBASE_AUTH_TOKEN ) for Hbase . So I used the same set of functions and
its not working either .

Functions from HbasestorageHandler (to obtain tokens to Job ) :



private void addHBaseDelegationToken(Configuration conf, JobConf jconf)
throws IOException {
        if (User.isHBaseSecurityEnabled(conf)) {
            try {
                logger.info("isHbaseSecurityEnabled :True ");
                User e = User.getCurrent();
                logger.info("isHbaseSecurityEnabled :User ==> " +
e.toString());
                Token authToken = getAuthToken(conf, e);
                logger.info("isHbaseSecurityEnabled :AuthToken==>
"+authToken.toString());
                Job job = new Job(conf);
                if(authToken == null) {
                    UserGroupInformation ugi =
UserGroupInformation.getLoginUser();
                   
ugi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
                    e.obtainAuthTokenForJob(jconf);
  } else {
                    logger.info("authToken is not
null"+authToken.toString());
                    job.getCredentials().addToken(authToken.getService(),
authToken);
                }

                logger.info("obtained Token /....");
            } catch (InterruptedException var5) {
                throw new IOException("Error while obtaining hbase
delegation token", var5);
            }
        }

    }


private static Token<AuthenticationTokenIdentifier>
getAuthToken(Configuration conf, User user) throws IOException,
InterruptedException {
        ZooKeeperWatcher zkw = new ZooKeeperWatcher(conf,
"mr-init-credentials", (Abortable) null);

        Token var4;
        try {
            String e = ZKClusterId.readClusterIdZNode(zkw);
            logger.info("====== clusterID : " + e);
            var4 = (new AuthenticationTokenSelector()).selectToken(new
Text(e), user.getUGI().getTokens());
             if (var4 == null) {
                logger.info("var4 is null===========================");
            } else {
                logger.info("====== Hbase Token : " + var4.toString());
            }
        } catch (KeeperException var8) {
            throw new IOException(var8);
        } catch (NullPointerException np) {
            return null;
        } finally {
            zkw.close();
        }
        return var4;
 }


After calling addHBaseDelegationToken() in configure() of UDF. I am getting
the following exception .I am not sure How I can make hvie user to talk with
Hbase as hive.keytab is handled by Cloudera and its secured.

Any Inputs might be helpful. Thanks !


Exception StackTrace :

2018-10-11 04:48:07,625 WARN [main]
org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException
as:hive (auth:SIMPLE) cause:javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism
level: Failed to find any Kerberos tgt)] 2018-10-11 04:48:07,627 WARN [main]
org.apache.hadoop.hbase.ipc.RpcClientImpl: Exception encountered while
connecting to the server : javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism
level: Failed to find any Kerberos tgt)] 2018-10-11 04:48:07,628 FATAL
[main] org.apache.hadoop.hbase.ipc.RpcClientImpl: SASL authentication
failed. The most likely cause is missing or invalid credentials. Consider
'kinit'. javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)] at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at
org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:181)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:618)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:163)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:744)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:741)
at java.security.AccessController.doPrivileged(Native Method) at
javax.security.auth.Subject.doAs(Subject.java:422) at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:741)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:907)
at
org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:874)
at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1246)
at
org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
at
org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
at
org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.execService(ClientProtos.java:34118)
at
org.apache.hadoop.hbase.protobuf.ProtobufUtil.execService(ProtobufUtil.java:1633)
at
org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel$1.call(RegionCoprocessorRpcChannel.java:104)
at
org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel$1.call(RegionCoprocessorRpcChannel.java:94)
at
org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:136)
at
org.apache.hadoop.hbase.ipc.RegionCoprocessorRpcChannel.callExecService(RegionCoprocessorRpcChannel.java:107)
at
org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel.callBlockingMethod(CoprocessorRpcChannel.java:73)
at
org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos$AuthenticationService$BlockingStub.getAuthenticationToken(AuthenticationProtos.java:4512)
at
org.apache.hadoop.hbase.security.token.TokenUtil.obtainToken(TokenUtil.java:86)
at
org.apache.hadoop.hbase.security.token.TokenUtil$1.run(TokenUtil.java:111)
at
org.apache.hadoop.hbase.security.token.TokenUtil$1.run(TokenUtil.java:108)
at java.security.AccessController.doPrivileged(Native Method) at
javax.security.auth.Subject.doAs(Subject.java:422) at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at
org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:340)
at
org.apache.hadoop.hbase.security.token.TokenUtil.obtainToken(TokenUtil.java:108)
at
com.barclaycardus.hadoop.utils.udfs.HbaseTblLookupUDF.configure(HbaseTblLookupUDF.java:131)
at
org.apache.hadoop.hive.ql.exec.MapredContext.setup(MapredContext.java:120)
at
org.apache.hadoop.hive.ql.exec.ExprNodeGenericFuncEvaluator.initialize(ExprNodeGenericFuncEvaluator.java:143)
at org.apache.hadoop.hive.ql.exec.Operator.initEvaluators(Operator.java:954)
at
org.apache.hadoop.hive.ql.exec.Operator.initEvaluatorsAndReturnStruct(Operator.java:980)
at
org.apache.hadoop.hive.ql.exec.SelectOperator.initializeOp(SelectOperator.java:63)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385) at
org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:469) at
org.apache.hadoop.hive.ql.exec.Operator.initializeChildren(Operator.java:425)
at
org.apache.hadoop.hive.ql.exec.TableScanOperator.initializeOp(TableScanOperator.java:196)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385) at
org.apache.hadoop.hive.ql.exec.MapOperator.initializeOp(MapOperator.java:431)
at org.apache.hadoop.hive.ql.exec.Operator.initialize(Operator.java:385) at
org.apache.hadoop.hive.ql.exec.mr.ExecMapper.configure(ExecMapper.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) at
org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:106)
at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:75)
at
org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
at org.apache.hadoop.mapred.MapRunner.configure(MapRunner.java:38) at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) at
org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:106)
at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:75)
at
org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:455) at
org.apache.hadoop.mapred.MapTask.run(MapTask.java:343) at
org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:164) at
java.security.AccessController.doPrivileged(Native Method) at
javax.security.auth.Subject.doAs(Subject.java:422) at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:158) Caused by:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt) at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 66 more


Already Tried below options :

https://github.com/apache/oozie/blob/master/core/src/main/java/org/apache/oozie/action/hadoop/HbaseCredentials.java

https://github.com/ibm-research-ireland/sparkoscope/blob/master/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HBaseCredentialProvider.scala

But getting NULL as AuthToken as there is  no token HBASE_AUTH_TOKEN
available  for that user. 






--
Sent from: http://apache-hbase.679495.n3.nabble.com/HBase-User-f4020416.html