SAP HANA Spark Controller(SHSC) Kerberos token失效问题

最新推荐文章于 2023-02-16 10:50:01 发布
最新推荐文章于 2023-02-16 10:50:01 发布
阅读量862 收藏 2
点赞数
分类专栏: SAP HANA 文章标签: spark 大数据 hadoop
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u011109629/article/details/128554958
版权
问题描述:

SAP HANA Spark Controller(2.4.4)连接HDFS集群失败,hana_controller.log 日志显示以下报错:
org.apache.hadoop.hdfs.DistributedFileSystem.getDelegationToken(DistributedFileSystem.java:1814

分析与建议

该问题是kerberos的问题,与SHSC无关
建议升级至 SHSC 最新(当前是2.6.0 版本)

SAP 开发的解释如下

Kerberos (SHSC)

The SHSC uses the SparkContext as the entry to leverage Spark and subsequently connecting to Hive. And the related Kerberos configuration in a Hadoop
cluster for a long running Spark applications is pretty simple. Please see below references for further details:

Long-Running Applications

Configuring Spark on YARN for Long-Running Applications
SHSC only has to provide the spark.yarn.keytab and spark.yarn.principal for the process.

However, since SHSC doesn’t utilize the spark-submit entry point, but SparkContext as an entry point (also a valid method), the tokens aren’t renewed
automatically. Unlike spark-submit jobs, SHSC has to renew it manually within the existing SparkContext which SHSC does periodically.

As stated explained in SAP Note 3004055 SHSC doesn’t perform any sort of authentication or authorization, but only passes on the required Kerberos information
such as keytab, principal, and tokens.

In addition, you may also want to read Hadoop Delegation Tokens Explained.

Error Message:

In regards to the error messages that can be found from the SHSC logs. Those are written/reported very clearly by hadoop not SHSC
as can be seen from the call stack information such as org.apache.hadoop.* 

    org.apache.hadoop.security.authentication.client.AuthenticationException 
    org.apache.hadoop.hdfs.DistributedFileSystem.getDelegationToken(DistributedFileSystem.java:1814)

Please refer to the attchment called "SHSC_KerberosSequence_Error.png" illustrating the calling sequence and occurrance of the 
Kerberos issue. As one can see the authentication was already performed successfully from SHSC throughout the involved Hadoop components.
During query execution from Spark to Hadoop/HDFS the authentication issue occurrs with below call stack. 

22/11/08 11:53:23 DEBUG SAPHanaSpark-akka.actor.default-dispatcher-32 security.UserGroupInformation: PrivilegedActionException as:hanaes (auth:PROXY) via 
    hanaes/sunpaphmp03.sun.nec.co.jp@SUN.NEC.CO.JP (auth:KERBEROS) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
22/11/08 11:53:23 ERROR SAPHanaSpark-akka.actor.default-dispatcher-32 network.AsyncExecutor: Exception happened in Async Executor. Forwarding to Handler
    java.io.IOException: DestHost:destPort sunpaphmp02.sun.nec.co.jp:8020 , LocalHost:localPort SUNPAPHMP03.sun.nec.co.jp/10.179.8.32:0. Failed on local exception: 
    java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:831)
    at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:806)
    at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1501)
    at org.apache.hadoop.ipc.Client.call(Client.java:1443)
    at org.apache.hadoop.ipc.Client.call(Client.java:1353)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
    at com.sun.proxy.$Proxy9.getDelegationToken(Unknown Source)
    at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getDelegationToken(ClientNamenodeProtocolTranslatorPB.java:1071)
    at sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422)
    at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165)
    at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157)
    at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
    at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359)
    at com.sun.proxy.$Proxy10.getDelegationToken(Unknown Source)
    at org.apache.hadoop.hdfs.DFSClient.getDelegationToken(DFSClient.java:700)
    at org.apache.hadoop.hdfs.DistributedFileSystem.getDelegationToken(DistributedFileSystem.java:1814)
    at org.apache.hadoop.security.token.DelegationTokenIssuer.collectDelegationTokens(DelegationTokenIssuer.java:95)
    at org.apache.hadoop.security.token.DelegationTokenIssuer.addDelegationTokens(DelegationTokenIssuer.java:76)
    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:143)
    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:102)
    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodes(TokenCache.java:81)
    at org.apache.hadoop.mapred.FileInputFormat.listStatus(FileInputFormat.java:216)
    at org.apache.hadoop.hive.ql.io.avro.AvroContainerInputFormat.listStatus(AvroContainerInputFormat.java:42)
    at org.apache.hadoop.mapred.FileInputFormat.getSplits(FileInputFormat.java:325)
    at org.apache.spark.rdd.HadoopRDD.getPartitions(HadoopRDD.scala:200)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.rdd.MapPartitionsRDD.getPartitions(MapPartitionsRDD.scala:46)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:253)
    at org.apache.spark.rdd.RDD$$anonfun$partitions$2.apply(RDD.scala:251)
    at scala.Option.getOrElse(Option.scala:121)
    at org.apache.spark.rdd.RDD.partitions(RDD.scala:251)
    at org.apache.spark.sql.hana.DistributedDataSetImpl.coalesceToMaxPartitions(DistributedDataSetFactoryImpl.scala:178)
    at org.apache.spark.sql.hana.DistributedDataSetImpl.transferDatafromPartitions(DistributedDataSetFactoryImpl.scala:189)
    at com.sap.hana.spark.SparkFacade.dispatchQueryResultFn(SparkFacade.scala:302)
    at com.sap.hana.spark.SparkFacade.executeQueryAsync(SparkFacade.scala:395)
    at com.sap.hana.network.AsyncExecutor.executeJob(RequestRouter.scala:97)
    at com.sap.hana.network.AsyncExecutor$$anonfun$receive$1$$anon$2.run(RequestRouter.scala:53)
    at com.sap.hana.network.AsyncExecutor$$anonfun$receive$1$$anon$2.run(RequestRouter.scala:50)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1710)
    at com.sap.hana.network.AsyncExecutor$$anonfun$receive$1.applyOrElse(RequestRouter.scala:50)
    at akka.actor.Actor$class.aroundReceive(Actor.scala:465)
    at com.sap.hana.network.AsyncExecutor.aroundReceive(RequestRouter.scala:40)
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516)
    at akka.actor.ActorCell.invoke(ActorCell.scala:487)
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:238)
    at akka.dispatch.Mailbox.run(Mailbox.scala:220)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:393)
    at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
    at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:757)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730)
    at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:720)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:813)
    at org.apache.hadoop.ipc.Client$Connection.access$3600(Client.java:410)
    at org.apache.hadoop.ipc.Client.getConnection(Client.java:1558)
    at org.apache.hadoop.ipc.Client.call(Client.java:1389)
    ... 81 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
    at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173)
    at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390)
    at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:614)
    at org.apache.hadoop.ipc.Client$Connection.access$2300(Client.java:410)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:800)
    at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:796)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730)
    at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:796)
    ... 84 more

If there would be an issue with missing tokens in a cache (which SHSC also doesn’t have) there should be related error messages
such as:

HDFS_DELEGATION_TOKEN can’t be found in cache
And the call stack also actually shows:

    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:143)
    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:102)
    at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodes(TokenCache.java:81)t
大好人ooo
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
SAP HANA SR配置手册
04-03
SAP HANA SR配置手册》是一份详细指导如何配置SAP HANA系统复制(System Replication)的重要参考资料。这份手册旨在确保SAP HANA数据库的高可用性(HA)和灾难恢复能力,通过系统复制技术,可以在主系统发生故障...
SAP HANA STUDIO X64 Version: 2.3.37
09-19
SAP HANA Studio是一款专为SAP HANA数据库设计的集成开发环境(IDE),它提供了全方位的工具和服务,便于开发者、管理员以及数据分析师对HANA系统进行管理和开发。这款工具在X64平台上运行,其Version 2.3.37确保了...
KerberosToken
06-15 701
BinarySecurityToken---KerberosToken在WS-Security规范出现之前,针对Web Service或者其他的分布式技术并不是没有安全协议来保证它们的安全。只是这些协议一旦跨越了企业边界往往会受到防火墙的影响,而不再起作用。在WS-Security中,并没有抛弃这些现有的协议,而是将这些Binary的Security Token通过Encoding的方式集成到XM
spark 提交至yarn异常超时 Client cannot authenticate via:[TOKEN, KERBEROS]
jast
08-07 1万+
spark-cluster提交任务,提示 exit code :10 异常,具体需要到容器日志中去查看 19/08/07 18:09:24 INFO yarn.Client: client token: N/A diagnostics: Application application_1565171057576_0008 failed 2 times due to AM Conta...
kerberos】org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN,
Mrerlou的博客
02-16 2016
在用SUSE 操作系统安装 CM 大数据平台,在集群开启 kerberos 后,使用 HDFS 命令报错如下: 环境信息 SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP5) 仔细看,在使用 klist 命令时,有个 他指向的路径是: 而在执行 命令时,有个 他指向的路径是 默认是去 目录下找 缓存。然后 SUSE 操作系统下 并不是放在 目录下,导致 客户端认为你没有进行 认证。所以报错。在中,我们增加了下面的参数以后
Hadoop集成kerberos后,报错:AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
热门推荐
张伯毅的专栏
03-28 1万+
1. 背景 Hadoop在安装完HDFS之后, WEB UI 访问正常.kinit -kt xxx 认证成功. 然后在命令行执行执行hadoop相关指令的时候,报错. 2. 报错信息 错误信息 : AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] [root@master01 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_MkHX3zi Defau
内存计算技术那家强?SPARK vs HANA
miller_lover的专栏
11-16 1537
最近业界有很多技术和产品都认为属于内存计算的范畴,由于我个人也从事于内存计算产品的研发,所以想借个机会,跟各位聊聊到底什么是内存计算技术,以及比较一些现在两种比较主流的内存计算技术Apache SparkSAP HANA,它们的特点和区别。 什么是内存计算技术? 关于内存计算,就像云计算和大数据一样,其实无论在百度百科还是Wikipedia都没有非常精确的描述,但是有几个共通的关键点
SAP HANA 内存使用分析
03-30
标题和描述中提到的知识点有:SAP HANA内存使用分析、SAP技术顾问或 Basis相关人员、通过SQL语句进行分析。 在SAP HANA数据库中,内存是最重要的资源之一。内存的使用情况对于SAP HANA系统的性能有着直接影响。因此...
saphana的jdbc驱动
05-08
java连接saphana的jdbc驱动,驱动类:com.sap.db.jdbc.Driver,连接URL:jdbc:sap://${ip}:${port}/${example}?reconnect=true
SAP HANA 优化计划 SAP HANA Troubleshooting and Performance Analysis
最新发布
01-19
SAP HANA以其强大的数据分析能力而闻名,能够以惊人的速度处理数据,但要充分发挥其潜力,系统需持续监控并确保性能问题处于最低水平。该指南针对SAP HANA的性能提升提供了详尽的指导,涵盖以下几个关键领域: 1. *...
SAP HANA studio window版本2.4.126
03-08
SAP HANA Studio是SAP公司为开发和管理SAP HANA数据库系统提供的一款集成开发环境(IDE)。在Windows平台上,版本2.4.126是该工具的一个特定更新,它包含了各种改进和增强功能,旨在提升开发人员的工作效率和数据库...
sap hana studio SAP HANA 数据库连接工具
10-29
sap hana studio SAP HANA 数据库连接工具 及安装方式
sap hana的jdbc驱动包以及测试连接的代码
04-01
SAP HANA是一款高性能的数据处理和分析平台,广泛应用于企业级大数据分析。JDBC(Java Database Connectivity)是Java编程语言中用于与各种数据库交互的一种标准接口。在这个场景中,"ngdbc.jar" 是SAP HANA提供的...
SAP HANA操作手册
12-12
SAPhana操作手册用于 内容比较繁琐请大家仔细查看内容
sap hana SFLIGHT样例数据
01-19
SAP HANA是一款高性能的数据处理和分析平台,它在企业级大数据分析、实时业务智能以及应用程序开发方面展现出强大的能力。SFLIGHT是SAP HANA中的一个标准示例数据库,用于展示其功能和特性。这个样例数据集包含了...
Spark的PIDController源码赏析及backpressure详解
大数据星球-浪尖
07-27 841
浪尖一直觉得spark 的源码值得我们细细品读,帮助解决我们生产中的问题,可以学习大牛的编程思路,学习spark架构设计,学习scala及java编程,到处都是成长。但是...
Kerberos 运维中遇到的问题
h952520296的博客
09-29 6106
记录一下有关 Kerberos 错误消息的信息,包括每个错误出现的原因以及解决此错误的方法。
spark+mysql+驱动_mysql – 在Spark中找不到合适的jdbc驱动程序
weixin_30725829的博客
01-19 316
我在用df.write.mode("append").jdbc("jdbc:mysql://ip:port/database","table_name",properties)插入MySQL中的表.另外,我在我的代码中添加了Class.forName(“com.mysql.jdbc.Driver”).当我提交我的Spark应用程序时:spark-submit --class MY_MAIN_CLA...
Hadoop安全实践
一个有情怀的程序猿博客
07-14 1071
前言 在2014年初,我们将线上使用的 Hadoop 1.0 集群切换到 Hadoop 2.2.0 稳定版, 与此同时部署了 Hadoop 的安全认证。本文主要介绍在 Hadoop 2.2.0 上部署安全认证的方案调研实施以及相应的解决方法。 背景 集群安全措施相对薄弱 最早部署Hadoop集群时并没有考虑安全问题,随着集群的不断扩大, 各部门对集群的使用需求增加,集群安全问题就显得颇为重要。说到安全问题,一般包括如下方面: 用户认证(Authentication) 即是对用户身份进行核对, ..
SAP HANA 基础教程
"SAP HANA 是一款内存数据平台,可作为本地设备或云端部署。它是一种革命性的平台,非常适合实时分析和开发部署实时应用。SAP HANA 的核心是其数据库,与市场上其他任何数据库引擎都有根本不同。本教程将教授 SAP ...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值