HADOOP-11593. Convert site documentation from apt to markdown (stragglers) (Masatake Iwasaki via aw)
This commit is contained in:
parent
7c782047c6
commit
b6fc1f3e43
|
@ -1,70 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Building It
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Building It
|
||||
|
||||
* Requirements
|
||||
|
||||
* Java 6+
|
||||
|
||||
* Maven 3+
|
||||
|
||||
* Kerberos KDC (for running Kerberos test cases)
|
||||
|
||||
* Building
|
||||
|
||||
Use Maven goals: clean, test, compile, package, install
|
||||
|
||||
Available profiles: docs, testKerberos
|
||||
|
||||
* Testing
|
||||
|
||||
By default Kerberos testcases are not run.
|
||||
|
||||
The requirements to run Kerberos testcases are a running KDC, a keytab
|
||||
file with a client principal and a kerberos principal.
|
||||
|
||||
To run Kerberos tescases use the <<<testKerberos>>> Maven profile:
|
||||
|
||||
+---+
|
||||
$ mvn test -PtestKerberos
|
||||
+---+
|
||||
|
||||
The following Maven <<<-D>>> options can be used to change the default
|
||||
values:
|
||||
|
||||
* <<<hadoop-auth.test.kerberos.realm>>>: default value <<LOCALHOST>>
|
||||
|
||||
* <<<hadoop-auth.test.kerberos.client.principal>>>: default value <<client>>
|
||||
|
||||
* <<<hadoop-auth.test.kerberos.server.principal>>>: default value
|
||||
<<HTTP/localhost>> (it must start 'HTTP/')
|
||||
|
||||
* <<<hadoop-auth.test.kerberos.keytab.file>>>: default value
|
||||
<<${HOME}/${USER}.keytab>>
|
||||
|
||||
** Generating Documentation
|
||||
|
||||
To create the documentation use the <<<docs>>> Maven profile:
|
||||
|
||||
+---+
|
||||
$ mvn package -Pdocs
|
||||
+---+
|
||||
|
||||
The generated documentation is available at
|
||||
<<<hadoop-auth/target/site/>>>.
|
|
@ -1,377 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
|
||||
Configuration
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
|
||||
Configuration
|
||||
|
||||
* Server Side Configuration Setup
|
||||
|
||||
The AuthenticationFilter filter is Hadoop Auth's server side component.
|
||||
|
||||
This filter must be configured in front of all the web application resources
|
||||
that required authenticated requests. For example:
|
||||
|
||||
The Hadoop Auth and dependent JAR files must be in the web application
|
||||
classpath (commonly the <<<WEB-INF/lib>>> directory).
|
||||
|
||||
Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define
|
||||
the SLF4J API dependency but it does not define the dependency on a concrete
|
||||
logging implementation, this must be addded explicitly to the web
|
||||
application. For example, if the web applicationan uses Log4j, the
|
||||
SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application
|
||||
classpath as well as the Log4j configuration file.
|
||||
|
||||
** Common Configuration parameters
|
||||
|
||||
* <<<config.prefix>>>: If specified, all other configuration parameter names
|
||||
must start with the prefix. The default value is no prefix.
|
||||
|
||||
* <<<[PREFIX.]type>>>: the authentication type keyword (<<<simple>>> or
|
||||
<<<kerberos>>>) or a Authentication handler implementation.
|
||||
|
||||
* <<<[PREFIX.]signature.secret>>>: When <<<signer.secret.provider>>> is set to
|
||||
<<<string>>> or not specified, this is the value for the secret used to sign
|
||||
the HTTP cookie.
|
||||
|
||||
* <<<[PREFIX.]token.validity>>>: The validity -in seconds- of the generated
|
||||
authentication token. The default value is <<<3600>>> seconds. This is also
|
||||
used for the rollover interval when <<<signer.secret.provider>>> is set to
|
||||
<<<random>>> or <<<zookeeper>>>.
|
||||
|
||||
* <<<[PREFIX.]cookie.domain>>>: domain to use for the HTTP cookie that stores
|
||||
the authentication token.
|
||||
|
||||
* <<<[PREFIX.]cookie.path>>>: path to use for the HTTP cookie that stores the
|
||||
authentication token.
|
||||
|
||||
* <<<signer.secret.provider>>>: indicates the name of the SignerSecretProvider
|
||||
class to use. Possible values are: <<<string>>>, <<<random>>>,
|
||||
<<<zookeeper>>>, or a classname. If not specified, the <<<string>>>
|
||||
implementation will be used; and failing that, the <<<random>>>
|
||||
implementation will be used.
|
||||
|
||||
** Kerberos Configuration
|
||||
|
||||
<<IMPORTANT>>: A KDC must be configured and running.
|
||||
|
||||
To use Kerberos SPNEGO as the authentication mechanism, the authentication
|
||||
filter must be configured with the following init parameters:
|
||||
|
||||
* <<<[PREFIX.]type>>>: the keyword <<<kerberos>>>.
|
||||
|
||||
* <<<[PREFIX.]kerberos.principal>>>: The web-application Kerberos principal
|
||||
name. The Kerberos principal name must start with <<<HTTP/...>>>. For
|
||||
example: <<<HTTP/localhost@LOCALHOST>>>. There is no default value.
|
||||
|
||||
* <<<[PREFIX.]kerberos.keytab>>>: The path to the keytab file containing
|
||||
the credentials for the kerberos principal. For example:
|
||||
<<</Users/tucu/tucu.keytab>>>. There is no default value.
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>kerberos</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<url-pattern>/kerberos/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
||||
** Pseudo/Simple Configuration
|
||||
|
||||
To use Pseudo/Simple as the authentication mechanism (trusting the value of
|
||||
the query string parameter 'user.name'), the authentication filter must be
|
||||
configured with the following init parameters:
|
||||
|
||||
* <<<[PREFIX.]type>>>: the keyword <<<simple>>>.
|
||||
|
||||
* <<<[PREFIX.]simple.anonymous.allowed>>>: is a boolean parameter that
|
||||
indicates if anonymous requests are allowed or not. The default value is
|
||||
<<<false>>>.
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>simpleFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>simple</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>simple.anonymous.allowed</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>simpleFilter</filter-name>
|
||||
<url-pattern>/simple/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
||||
** AltKerberos Configuration
|
||||
|
||||
<<IMPORTANT>>: A KDC must be configured and running.
|
||||
|
||||
The AltKerberos authentication mechanism is a partially implemented derivative
|
||||
of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of
|
||||
authentication where Kerberos SPNEGO is used by non-browsers while an
|
||||
alternate form of authentication (to be implemented by the user) is used for
|
||||
browsers. To use AltKerberos as the authentication mechanism (besides
|
||||
providing an implementation), the authentication filter must be configured
|
||||
with the following init parameters, in addition to the previously mentioned
|
||||
Kerberos SPNEGO ones:
|
||||
|
||||
* <<<[PREFIX.]type>>>: the full class name of the implementation of
|
||||
AltKerberosAuthenticationHandler to use.
|
||||
|
||||
* <<<[PREFIX.]alt-kerberos.non-browser.user-agents>>>: a comma-separated
|
||||
list of which user-agents should be considered non-browsers.
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>alt-kerberos.non-browser.user-agents</param-name>
|
||||
<param-value>java,curl,wget,perl</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<url-pattern>/kerberos/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
||||
** SignerSecretProvider Configuration
|
||||
|
||||
The SignerSecretProvider is used to provide more advanced behaviors for the
|
||||
secret used for signing the HTTP Cookies.
|
||||
|
||||
These are the relevant configuration properties:
|
||||
|
||||
* <<<signer.secret.provider>>>: indicates the name of the
|
||||
SignerSecretProvider class to use. Possible values are: "string",
|
||||
"random", "zookeeper", or a classname. If not specified, the "string"
|
||||
implementation will be used; and failing that, the "random" implementation
|
||||
will be used.
|
||||
|
||||
* <<<[PREFIX.]signature.secret>>>: When <<<signer.secret.provider>>> is set
|
||||
to <<<string>>> or not specified, this is the value for the secret used to
|
||||
sign the HTTP cookie.
|
||||
|
||||
* <<<[PREFIX.]token.validity>>>: The validity -in seconds- of the generated
|
||||
authentication token. The default value is <<<3600>>> seconds. This is
|
||||
also used for the rollover interval when <<<signer.secret.provider>>> is
|
||||
set to <<<random>>> or <<<zookeeper>>>.
|
||||
|
||||
The following configuration properties are specific to the <<<zookeeper>>>
|
||||
implementation:
|
||||
|
||||
* <<<signer.secret.provider.zookeeper.connection.string>>>: Indicates the
|
||||
ZooKeeper connection string to connect with.
|
||||
|
||||
* <<<signer.secret.provider.zookeeper.path>>>: Indicates the ZooKeeper path
|
||||
to use for storing and retrieving the secrets. All servers
|
||||
that need to coordinate their secret should point to the same path
|
||||
|
||||
* <<<signer.secret.provider.zookeeper.auth.type>>>: Indicates the auth type
|
||||
to use. Supported values are <<<none>>> and <<<sasl>>>. The default
|
||||
value is <<<none>>>.
|
||||
|
||||
* <<<signer.secret.provider.zookeeper.kerberos.keytab>>>: Set this to the
|
||||
path with the Kerberos keytab file. This is only required if using
|
||||
Kerberos.
|
||||
|
||||
* <<<signer.secret.provider.zookeeper.kerberos.principal>>>: Set this to the
|
||||
Kerberos principal to use. This only required if using Kerberos.
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>string</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signature.secret</param-name>
|
||||
<param-value>my_secret</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>random</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
||||
<<Example>>:
|
||||
|
||||
+---+
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>zookeeper</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.connection.string</param-name>
|
||||
<param-value>zoo1:2181,zoo2:2181,zoo3:2181</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.path</param-name>
|
||||
<param-value>/myapp/secrets</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.use.kerberos.acls</param-name>
|
||||
<param-value>true</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
+---+
|
||||
|
|
@ -1,133 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Examples
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Examples
|
||||
|
||||
* Accessing a Hadoop Auth protected URL Using a browser
|
||||
|
||||
<<IMPORTANT:>> The browser must support HTTP Kerberos SPNEGO. For example,
|
||||
Firefox or Internet Explorer.
|
||||
|
||||
For Firefox access the low level configuration page by loading the
|
||||
<<<about:config>>> page. Then go to the
|
||||
<<<network.negotiate-auth.trusted-uris>>> preference and add the hostname or
|
||||
the domain of the web server that is HTTP Kerberos SPNEGO protected (if using
|
||||
multiple domains and hostname use comma to separate them).
|
||||
|
||||
* Accessing a Hadoop Auth protected URL Using <<<curl>>>
|
||||
|
||||
<<IMPORTANT:>> The <<<curl>>> version must support GSS, run <<<curl -V>>>.
|
||||
|
||||
+---+
|
||||
$ curl -V
|
||||
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
|
||||
Protocols: tftp ftp telnet dict ldap http file https ftps
|
||||
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
|
||||
+---+
|
||||
|
||||
Login to the KDC using <<kinit>> and then use <<<curl>>> to fetch protected
|
||||
URL:
|
||||
|
||||
+---+
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
Enter host password for user 'tucu':
|
||||
|
||||
Hello Hadoop Auth Examples!
|
||||
+---+
|
||||
|
||||
* The <<<--negotiate>>> option enables SPNEGO in <<<curl>>>.
|
||||
|
||||
* The <<<-u foo>>> option is required but the user ignored (the principal
|
||||
that has been kinit-ed is used).
|
||||
|
||||
* The <<<-b>>> and <<<-c>>> are use to store and send HTTP Cookies.
|
||||
|
||||
* Using the Java Client
|
||||
|
||||
Use the <<<AuthenticatedURL>>> class to obtain an authenticated HTTP
|
||||
connection:
|
||||
|
||||
+---+
|
||||
...
|
||||
URL url = new URL("http://localhost:8080/hadoop-auth/kerberos/who");
|
||||
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
|
||||
...
|
||||
HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
|
||||
...
|
||||
conn = new AuthenticatedURL(url, token).openConnection();
|
||||
...
|
||||
+---+
|
||||
|
||||
* Building and Running the Examples
|
||||
|
||||
Download Hadoop-Auth's source code, the examples are in the
|
||||
<<<src/main/examples>>> directory.
|
||||
|
||||
** Server Example:
|
||||
|
||||
Edit the <<<hadoop-auth-examples/src/main/webapp/WEB-INF/web.xml>>> and set the
|
||||
right configuration init parameters for the <<<AuthenticationFilter>>>
|
||||
definition configured for Kerberos (the right Kerberos principal and keytab
|
||||
file must be specified). Refer to the {{{./Configuration.html}Configuration
|
||||
document}} for details.
|
||||
|
||||
Create the web application WAR file by running the <<<mvn package>>> command.
|
||||
|
||||
Deploy the WAR file in a servlet container. For example, if using Tomcat,
|
||||
copy the WAR file to Tomcat's <<<webapps/>>> directory.
|
||||
|
||||
Start the servlet container.
|
||||
|
||||
** Accessing the server using <<<curl>>>
|
||||
|
||||
Try accessing protected resources using <<<curl>>>. The protected resources
|
||||
are:
|
||||
|
||||
+---+
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
|
||||
$ curl http://localhost:8080/hadoop-auth-examples/anonymous/who
|
||||
|
||||
$ curl http://localhost:8080/hadoop-auth-examples/simple/who?user.name=foo
|
||||
|
||||
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
+---+
|
||||
|
||||
** Accessing the server using the Java client example
|
||||
|
||||
+---+
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
|
||||
$ cd examples
|
||||
|
||||
$ mvn exec:java -Durl=http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
|
||||
....
|
||||
|
||||
Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
|
||||
Status code: 200 OK
|
||||
|
||||
You are: user[tucu] principal[tucu@LOCALHOST]
|
||||
|
||||
....
|
||||
|
||||
+---+
|
|
@ -1,59 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version}
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO ${project.version}
|
||||
|
||||
Hadoop Auth is a Java library consisting of a client and a server
|
||||
components to enable Kerberos SPNEGO authentication for HTTP.
|
||||
|
||||
Hadoop Auth also supports additional authentication mechanisms on the client
|
||||
and the server side via 2 simple interfaces.
|
||||
|
||||
Additionally, it provides a partially implemented derivative of the Kerberos
|
||||
SPNEGO authentication to allow a "mixed" form of authentication where Kerberos
|
||||
SPNEGO is used by non-browsers while an alternate form of authentication
|
||||
(to be implemented by the user) is used for browsers.
|
||||
|
||||
* License
|
||||
|
||||
Hadoop Auth is distributed under {{{http://www.apache.org/licenses/}Apache
|
||||
License 2.0}}.
|
||||
|
||||
* How Does Auth Works?
|
||||
|
||||
Hadoop Auth enforces authentication on protected resources, once authentiation
|
||||
has been established it sets a signed HTTP Cookie that contains an
|
||||
authentication token with the user name, user principal, authentication type
|
||||
and expiration time.
|
||||
|
||||
Subsequent HTTP client requests presenting the signed HTTP Cookie have access
|
||||
to the protected resources until the HTTP Cookie expires.
|
||||
|
||||
The secret used to sign the HTTP Cookie has multiple implementations that
|
||||
provide different behaviors, including a hardcoded secret string, a rolling
|
||||
randomly generated secret, and a rolling randomly generated secret
|
||||
synchronized between multiple servers using ZooKeeper.
|
||||
|
||||
* User Documentation
|
||||
|
||||
* {{{./Examples.html}Examples}}
|
||||
|
||||
* {{{./Configuration.html}Configuration}}
|
||||
|
||||
* {{{./BuildingIt.html}Building It}}
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO - Building It
|
||||
===========================================
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
* Java 6+
|
||||
* Maven 3+
|
||||
* Kerberos KDC (for running Kerberos test cases)
|
||||
|
||||
Building
|
||||
--------
|
||||
|
||||
Use Maven goals: clean, test, compile, package, install
|
||||
|
||||
Available profiles: docs, testKerberos
|
||||
|
||||
Testing
|
||||
-------
|
||||
|
||||
By default Kerberos testcases are not run.
|
||||
|
||||
The requirements to run Kerberos testcases are a running KDC, a keytab file with a client principal and a kerberos principal.
|
||||
|
||||
To run Kerberos tescases use the `testKerberos` Maven profile:
|
||||
|
||||
$ mvn test -PtestKerberos
|
||||
|
||||
The following Maven `-D` options can be used to change the default values:
|
||||
|
||||
* `hadoop-auth.test.kerberos.realm`: default value **LOCALHOST**
|
||||
* `hadoop-auth.test.kerberos.client.principal`: default value **client**
|
||||
* `hadoop-auth.test.kerberos.server.principal`: default value **HTTP/localhost** (it must start 'HTTP/')
|
||||
* `hadoop-auth.test.kerberos.keytab.file`: default value **$HOME/$USER.keytab**
|
||||
|
||||
### Generating Documentation
|
||||
|
||||
To create the documentation use the `docs` Maven profile:
|
||||
|
||||
$ mvn package -Pdocs
|
||||
|
||||
The generated documentation is available at `hadoop-auth/target/site/`.
|
|
@ -0,0 +1,341 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO - Server Side Configuration
|
||||
=========================================================
|
||||
|
||||
Server Side Configuration Setup
|
||||
-------------------------------
|
||||
|
||||
The AuthenticationFilter filter is Hadoop Auth's server side component.
|
||||
|
||||
This filter must be configured in front of all the web application resources that required authenticated requests. For example:
|
||||
|
||||
The Hadoop Auth and dependent JAR files must be in the web application classpath (commonly the `WEB-INF/lib` directory).
|
||||
|
||||
Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define the SLF4J API dependency but it does not define the dependency on a concrete logging implementation, this must be addded explicitly to the web application. For example, if the web applicationan uses Log4j, the SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application classpath as well as the Log4j configuration file.
|
||||
|
||||
### Common Configuration parameters
|
||||
|
||||
* `config.prefix`: If specified, all other configuration parameter names
|
||||
must start with the prefix. The default value is no prefix.
|
||||
|
||||
* `[PREFIX.]type`: the authentication type keyword (`simple` or \
|
||||
`kerberos`) or a Authentication handler implementation.
|
||||
|
||||
* `[PREFIX.]signature.secret`: When `signer.secret.provider` is set to
|
||||
`string` or not specified, this is the value for the secret used to sign
|
||||
the HTTP cookie.
|
||||
|
||||
* `[PREFIX.]token.validity`: The validity -in seconds- of the generated
|
||||
authentication token. The default value is `3600` seconds. This is also
|
||||
used for the rollover interval when `signer.secret.provider` is set to
|
||||
`random` or `zookeeper`.
|
||||
|
||||
* `[PREFIX.]cookie.domain`: domain to use for the HTTP cookie that stores
|
||||
the authentication token.
|
||||
|
||||
* `[PREFIX.]cookie.path`: path to use for the HTTP cookie that stores the
|
||||
authentication token.
|
||||
|
||||
* `signer.secret.provider`: indicates the name of the SignerSecretProvider
|
||||
class to use. Possible values are: `string`, `random`,
|
||||
`zookeeper`, or a classname. If not specified, the `string`
|
||||
implementation will be used; and failing that, the `random`
|
||||
implementation will be used.
|
||||
|
||||
### Kerberos Configuration
|
||||
|
||||
**IMPORTANT**: A KDC must be configured and running.
|
||||
|
||||
To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:
|
||||
|
||||
* `[PREFIX.]type`: the keyword `kerberos`.
|
||||
|
||||
* `[PREFIX.]kerberos.principal`: The web-application Kerberos principal
|
||||
name. The Kerberos principal name must start with `HTTP/...`. For
|
||||
example: `HTTP/localhost@LOCALHOST`. There is no default value.
|
||||
|
||||
* `[PREFIX.]kerberos.keytab`: The path to the keytab file containing
|
||||
the credentials for the kerberos principal. For example:
|
||||
`/Users/tucu/tucu.keytab`. There is no default value.
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>kerberos</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<url-pattern>/kerberos/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
|
||||
### Pseudo/Simple Configuration
|
||||
|
||||
To use Pseudo/Simple as the authentication mechanism (trusting the value of the query string parameter 'user.name'), the authentication filter must be configured with the following init parameters:
|
||||
|
||||
* `[PREFIX.]type`: the keyword `simple`.
|
||||
|
||||
* `[PREFIX.]simple.anonymous.allowed`: is a boolean parameter that
|
||||
indicates if anonymous requests are allowed or not. The default value is
|
||||
`false`.
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>simpleFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>simple</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>simple.anonymous.allowed</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>simpleFilter</filter-name>
|
||||
<url-pattern>/simple/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
|
||||
### AltKerberos Configuration
|
||||
|
||||
**IMPORTANT**: A KDC must be configured and running.
|
||||
|
||||
The AltKerberos authentication mechanism is a partially implemented derivative of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers. To use AltKerberos as the authentication mechanism (besides providing an implementation), the authentication filter must be configured with the following init parameters, in addition to the previously mentioned Kerberos SPNEGO ones:
|
||||
|
||||
* `[PREFIX.]type`: the full class name of the implementation of
|
||||
AltKerberosAuthenticationHandler to use.
|
||||
|
||||
* `[PREFIX.]alt-kerberos.non-browser.user-agents`: a comma-separated
|
||||
list of which user-agents should be considered non-browsers.
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>alt-kerberos.non-browser.user-agents</param-name>
|
||||
<param-value>java,curl,wget,perl</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>.foo.com</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>kerberosFilter</filter-name>
|
||||
<url-pattern>/kerberos/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
|
||||
### SignerSecretProvider Configuration
|
||||
|
||||
The SignerSecretProvider is used to provide more advanced behaviors for the secret used for signing the HTTP Cookies.
|
||||
|
||||
These are the relevant configuration properties:
|
||||
|
||||
* `signer.secret.provider`: indicates the name of the
|
||||
SignerSecretProvider class to use. Possible values are: "string",
|
||||
"random", "zookeeper", or a classname. If not specified, the "string"
|
||||
implementation will be used; and failing that, the "random" implementation
|
||||
will be used.
|
||||
|
||||
* `[PREFIX.]signature.secret`: When `signer.secret.provider` is set
|
||||
to `string` or not specified, this is the value for the secret used to
|
||||
sign the HTTP cookie.
|
||||
|
||||
* `[PREFIX.]token.validity`: The validity -in seconds- of the generated
|
||||
authentication token. The default value is `3600` seconds. This is
|
||||
also used for the rollover interval when `signer.secret.provider` is
|
||||
set to `random` or `zookeeper`.
|
||||
|
||||
The following configuration properties are specific to the `zookeeper` implementation:
|
||||
|
||||
* `signer.secret.provider.zookeeper.connection.string`: Indicates the
|
||||
ZooKeeper connection string to connect with.
|
||||
|
||||
* `signer.secret.provider.zookeeper.path`: Indicates the ZooKeeper path
|
||||
to use for storing and retrieving the secrets. All servers
|
||||
that need to coordinate their secret should point to the same path
|
||||
|
||||
* `signer.secret.provider.zookeeper.auth.type`: Indicates the auth type
|
||||
to use. Supported values are `none` and `sasl`. The default
|
||||
value is `none`.
|
||||
|
||||
* `signer.secret.provider.zookeeper.kerberos.keytab`: Set this to the
|
||||
path with the Kerberos keytab file. This is only required if using
|
||||
Kerberos.
|
||||
|
||||
* `signer.secret.provider.zookeeper.kerberos.principal`: Set this to the
|
||||
Kerberos principal to use. This only required if using Kerberos.
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>string</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signature.secret</param-name>
|
||||
<param-value>my_secret</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>random</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
||||
|
||||
**Example**:
|
||||
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
|
||||
...
|
||||
|
||||
<filter>
|
||||
<!-- AuthenticationHandler configs not shown -->
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider</param-name>
|
||||
<param-value>zookeeper</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.connection.string</param-name>
|
||||
<param-value>zoo1:2181,zoo2:2181,zoo3:2181</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.path</param-name>
|
||||
<param-value>/myapp/secrets</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.use.kerberos.acls</param-name>
|
||||
<param-value>true</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.kerberos.keytab</param-name>
|
||||
<param-value>/tmp/auth.keytab</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>signer.secret.provider.zookeeper.kerberos.principal</param-name>
|
||||
<param-value>HTTP/localhost@LOCALHOST</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
...
|
||||
</web-app>
|
|
@ -0,0 +1,109 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO - Examples
|
||||
========================================
|
||||
|
||||
Accessing a Hadoop Auth protected URL Using a browser
|
||||
-----------------------------------------------------
|
||||
|
||||
**IMPORTANT:** The browser must support HTTP Kerberos SPNEGO. For example, Firefox or Internet Explorer.
|
||||
|
||||
For Firefox access the low level configuration page by loading the `about:config` page. Then go to the `network.negotiate-auth.trusted-uris` preference and add the hostname or the domain of the web server that is HTTP Kerberos SPNEGO protected (if using multiple domains and hostname use comma to separate them).
|
||||
|
||||
Accessing a Hadoop Auth protected URL Using `curl`
|
||||
--------------------------------------------------
|
||||
|
||||
**IMPORTANT:** The `curl` version must support GSS, run `curl -V`.
|
||||
|
||||
$ curl -V
|
||||
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
|
||||
Protocols: tftp ftp telnet dict ldap http file https ftps
|
||||
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
|
||||
|
||||
Login to the KDC using **kinit** and then use `curl` to fetch protected URL:
|
||||
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
Enter host password for user 'tucu':
|
||||
|
||||
Hello Hadoop Auth Examples!
|
||||
|
||||
* The `--negotiate` option enables SPNEGO in `curl`.
|
||||
|
||||
* The `-u foo` option is required but the user ignored (the principal
|
||||
that has been kinit-ed is used).
|
||||
|
||||
* The `-b` and `-c` are use to store and send HTTP Cookies.
|
||||
|
||||
Using the Java Client
|
||||
---------------------
|
||||
|
||||
Use the `AuthenticatedURL` class to obtain an authenticated HTTP connection:
|
||||
|
||||
...
|
||||
URL url = new URL("http://localhost:8080/hadoop-auth/kerberos/who");
|
||||
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
|
||||
...
|
||||
HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
|
||||
...
|
||||
conn = new AuthenticatedURL(url, token).openConnection();
|
||||
...
|
||||
|
||||
Building and Running the Examples
|
||||
---------------------------------
|
||||
|
||||
Download Hadoop-Auth's source code, the examples are in the `src/main/examples` directory.
|
||||
|
||||
### Server Example:
|
||||
|
||||
Edit the `hadoop-auth-examples/src/main/webapp/WEB-INF/web.xml` and set the right configuration init parameters for the `AuthenticationFilter` definition configured for Kerberos (the right Kerberos principal and keytab file must be specified). Refer to the [Configuration document](./Configuration.html) for details.
|
||||
|
||||
Create the web application WAR file by running the `mvn package` command.
|
||||
|
||||
Deploy the WAR file in a servlet container. For example, if using Tomcat, copy the WAR file to Tomcat's `webapps/` directory.
|
||||
|
||||
Start the servlet container.
|
||||
|
||||
### Accessing the server using `curl`
|
||||
|
||||
Try accessing protected resources using `curl`. The protected resources are:
|
||||
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
|
||||
$ curl http://localhost:8080/hadoop-auth-examples/anonymous/who
|
||||
|
||||
$ curl http://localhost:8080/hadoop-auth-examples/simple/who?user.name=foo
|
||||
|
||||
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
|
||||
### Accessing the server using the Java client example
|
||||
|
||||
$ kinit
|
||||
Please enter the password for tucu@LOCALHOST:
|
||||
|
||||
$ cd examples
|
||||
|
||||
$ mvn exec:java -Durl=http://localhost:8080/hadoop-auth-examples/kerberos/who
|
||||
|
||||
....
|
||||
|
||||
Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
|
||||
Status code: 200 OK
|
||||
|
||||
You are: user[tucu] principal[tucu@LOCALHOST]
|
||||
|
||||
....
|
|
@ -0,0 +1,43 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Hadoop Auth, Java HTTP SPNEGO
|
||||
=============================
|
||||
|
||||
Hadoop Auth is a Java library consisting of a client and a server components to enable Kerberos SPNEGO authentication for HTTP.
|
||||
|
||||
Hadoop Auth also supports additional authentication mechanisms on the client and the server side via 2 simple interfaces.
|
||||
|
||||
Additionally, it provides a partially implemented derivative of the Kerberos SPNEGO authentication to allow a "mixed" form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers.
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
Hadoop Auth is distributed under [Apache License 2.0](http://www.apache.org/licenses/).
|
||||
|
||||
How Does Auth Works?
|
||||
--------------------
|
||||
|
||||
Hadoop Auth enforces authentication on protected resources, once authentiation has been established it sets a signed HTTP Cookie that contains an authentication token with the user name, user principal, authentication type and expiration time.
|
||||
|
||||
Subsequent HTTP client requests presenting the signed HTTP Cookie have access to the protected resources until the HTTP Cookie expires.
|
||||
|
||||
The secret used to sign the HTTP Cookie has multiple implementations that provide different behaviors, including a hardcoded secret string, a rolling randomly generated secret, and a rolling randomly generated secret synchronized between multiple servers using ZooKeeper.
|
||||
|
||||
User Documentation
|
||||
------------------
|
||||
|
||||
* [Examples](./Examples.html)
|
||||
* [Configuration](./Configuration.html)
|
||||
* [Building It](./BuildingIt.html)
|
|
@ -181,6 +181,9 @@ Trunk (Unreleased)
|
|||
HADOOP-11596. Allow smart-apply-patch.sh to add new files in binary git
|
||||
patches (raviprak)
|
||||
|
||||
HADOOP-11593. Convert site documentation from apt to markdown (stragglers)
|
||||
(Masatake Iwasaki via aw)
|
||||
|
||||
BUG FIXES
|
||||
|
||||
HADOOP-11473. test-patch says "-1 overall" even when all checks are +1
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,864 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
#set ( $H3 = '###' )
|
||||
#set ( $H4 = '####' )
|
||||
#set ( $H5 = '#####' )
|
||||
|
||||
Hadoop Key Management Server (KMS) - Documentation Sets
|
||||
=======================================================
|
||||
|
||||
Hadoop KMS is a cryptographic key management server based on Hadoop's **KeyProvider** API.
|
||||
|
||||
It provides a client and a server components which communicate over HTTP using a REST API.
|
||||
|
||||
The client is a KeyProvider implementation interacts with the KMS using the KMS HTTP REST API.
|
||||
|
||||
KMS and its client have built-in security and they support HTTP SPNEGO Kerberos authentication and HTTPS secure transport.
|
||||
|
||||
KMS is a Java web-application and it runs using a pre-configured Tomcat bundled with the Hadoop distribution.
|
||||
|
||||
KMS Client Configuration
|
||||
------------------------
|
||||
|
||||
The KMS client `KeyProvider` uses the **kms** scheme, and the embedded URL must be the URL of the KMS. For example, for a KMS running on `http://localhost:16000/kms`, the KeyProvider URI is `kms://http@localhost:16000/kms`. And, for a KMS running on `https://localhost:16000/kms`, the KeyProvider URI is `kms://https@localhost:16000/kms`
|
||||
|
||||
KMS
|
||||
---
|
||||
|
||||
$H3 KMS Configuration
|
||||
|
||||
Configure the KMS backing KeyProvider properties in the `etc/hadoop/kms-site.xml` configuration file:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.key.provider.uri</name>
|
||||
<value>jceks://file@/${user.home}/kms.keystore</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.security.keystore.java-keystore-provider.password-file</name>
|
||||
<value>kms.keystore.password</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
The password file is looked up in the Hadoop's configuration directory via the classpath.
|
||||
|
||||
NOTE: You need to restart the KMS for the configuration changes to take effect.
|
||||
|
||||
$H3 KMS Cache
|
||||
|
||||
KMS caches keys for short period of time to avoid excessive hits to the underlying key provider.
|
||||
|
||||
The Cache is enabled by default (can be dissabled by setting the `hadoop.kms.cache.enable` boolean property to false)
|
||||
|
||||
The cache is used with the following 3 methods only, `getCurrentKey()` and `getKeyVersion()` and `getMetadata()`.
|
||||
|
||||
For the `getCurrentKey()` method, cached entries are kept for a maximum of 30000 millisecond regardless the number of times the key is being access (to avoid stale keys to be considered current).
|
||||
|
||||
For the `getKeyVersion()` method, cached entries are kept with a default inactivity timeout of 600000 milliseconds (10 mins). This time out is configurable via the following property in the `etc/hadoop/kms-site.xml` configuration file:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.cache.enable</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.cache.timeout.ms</name>
|
||||
<value>600000</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.current.key.cache.timeout.ms</name>
|
||||
<value>30000</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
$H3 KMS Aggregated Audit logs
|
||||
|
||||
Audit logs are aggregated for API accesses to the GET\_KEY\_VERSION, GET\_CURRENT\_KEY, DECRYPT\_EEK, GENERATE\_EEK operations.
|
||||
|
||||
Entries are grouped by the (user,key,operation) combined key for a configurable aggregation interval after which the number of accesses to the specified end-point by the user for a given key is flushed to the audit log.
|
||||
|
||||
The Aggregation interval is configured via the property :
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.aggregation.delay.ms</name>
|
||||
<value>10000</value>
|
||||
</property>
|
||||
|
||||
$H3 Start/Stop the KMS
|
||||
|
||||
To start/stop KMS use KMS's bin/kms.sh script. For example:
|
||||
|
||||
hadoop-${project.version} $ sbin/kms.sh start
|
||||
|
||||
NOTE: Invoking the script without any parameters list all possible parameters (start, stop, run, etc.). The `kms.sh` script is a wrapper for Tomcat's `catalina.sh` script that sets the environment variables and Java System properties required to run KMS.
|
||||
|
||||
$H3 Embedded Tomcat Configuration
|
||||
|
||||
To configure the embedded Tomcat go to the `share/hadoop/kms/tomcat/conf`.
|
||||
|
||||
KMS pre-configures the HTTP and Admin ports in Tomcat's `server.xml` to 16000 and 16001.
|
||||
|
||||
Tomcat logs are also preconfigured to go to Hadoop's `logs/` directory.
|
||||
|
||||
The following environment variables (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to alter those values:
|
||||
|
||||
* KMS_HTTP_PORT
|
||||
* KMS_ADMIN_PORT
|
||||
* KMS_MAX_THREADS
|
||||
* KMS_LOGNOTE: You need to restart the KMS for the configuration changes to take effect.
|
||||
|
||||
$H3 Loading native libraries
|
||||
|
||||
The following environment variable (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to specify the location of any required native libraries. For eg. Tomact native Apache Portable Runtime (APR) libraries:
|
||||
|
||||
* JAVA_LIBRARY_PATH
|
||||
|
||||
$H3 KMS Security Configuration
|
||||
|
||||
$H4 Enabling Kerberos HTTP SPNEGO Authentication
|
||||
|
||||
Configure the Kerberos `etc/krb5.conf` file with the information of your KDC server.
|
||||
|
||||
Create a service principal and its keytab for the KMS, it must be an `HTTP` service principal.
|
||||
|
||||
Configure KMS `etc/hadoop/kms-site.xml` with the correct security values, for example:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.type</name>
|
||||
<value>kerberos</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.kerberos.keytab</name>
|
||||
<value>${user.home}/kms.keytab</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.kerberos.principal</name>
|
||||
<value>HTTP/localhost</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.kerberos.name.rules</name>
|
||||
<value>DEFAULT</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
NOTE: You need to restart the KMS for the configuration changes to take effect.
|
||||
|
||||
$H4 KMS Proxyuser Configuration
|
||||
|
||||
Each proxyuser must be configured in `etc/hadoop/kms-site.xml` using the following properties:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.proxyuser.#USER#.users</name>
|
||||
<value>*</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.proxyuser.#USER#.groups</name>
|
||||
<value>*</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.proxyuser.#USER#.hosts</name>
|
||||
<value>*</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
`#USER#` is the username of the proxyuser to configure.
|
||||
|
||||
The `users` property indicates the users that can be impersonated.
|
||||
|
||||
The `groups` property indicates the groups users being impersonated must belong to.
|
||||
|
||||
At least one of the `users` or `groups` properties must be defined. If both are specified, then the configured proxyuser will be able to impersonate and user in the `users` list and any user belonging to one of the groups in the `groups` list.
|
||||
|
||||
The `hosts` property indicates from which host the proxyuser can make impersonation requests.
|
||||
|
||||
If `users`, `groups` or `hosts` has a `*`, it means there are no restrictions for the proxyuser regarding users, groups or hosts.
|
||||
|
||||
$H4 KMS over HTTPS (SSL)
|
||||
|
||||
To configure KMS to work over HTTPS the following 2 properties must be set in the `etc/hadoop/kms_env.sh` script (shown with default values):
|
||||
|
||||
* KMS_SSL_KEYSTORE_FILE=$HOME/.keystore
|
||||
* KMS_SSL_KEYSTORE_PASS=password
|
||||
|
||||
In the KMS `tomcat/conf` directory, replace the `server.xml` file with the provided `ssl-server.xml` file.
|
||||
|
||||
You need to create an SSL certificate for the KMS. As the `kms` Unix user, using the Java `keytool` command to create the SSL certificate:
|
||||
|
||||
$ keytool -genkey -alias tomcat -keyalg RSA
|
||||
|
||||
You will be asked a series of questions in an interactive prompt. It will create the keystore file, which will be named **.keystore** and located in the `kms` user home directory.
|
||||
|
||||
The password you enter for "keystore password" must match the value of the `KMS_SSL_KEYSTORE_PASS` environment variable set in the `kms-env.sh` script in the configuration directory.
|
||||
|
||||
The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the KMS will be running.
|
||||
|
||||
NOTE: You need to restart the KMS for the configuration changes to take effect.
|
||||
|
||||
$H4 KMS Access Control
|
||||
|
||||
KMS ACLs configuration are defined in the KMS `etc/hadoop/kms-acls.xml` configuration file. This file is hot-reloaded when it changes.
|
||||
|
||||
KMS supports both fine grained access control as well as blacklist for kms operations via a set ACL configuration properties.
|
||||
|
||||
A user accessing KMS is first checked for inclusion in the Access Control List for the requested operation and then checked for exclusion in the Black list for the operation before access is granted.
|
||||
|
||||
```xml
|
||||
<configuration>
|
||||
<property>
|
||||
<name>hadoop.kms.acl.CREATE</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for create-key operations.
|
||||
If the user is not in the GET ACL, the key material is not returned
|
||||
as part of the response.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.CREATE</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for create-key operations.
|
||||
If the user is in the Blacklist, the key material is not returned
|
||||
as part of the response.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.DELETE</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for delete-key operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.DELETE</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for delete-key operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.ROLLOVER</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for rollover-key operations.
|
||||
If the user is not in the GET ACL, the key material is not returned
|
||||
as part of the response.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.ROLLOVER</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for rollover-key operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.GET</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for get-key-version and get-current-key operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.GET</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
ACL for get-key-version and get-current-key operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.GET_KEYS</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for get-keys operation.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.GET_KEYS</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for get-keys operation.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.GET_METADATA</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for get-key-metadata and get-keys-metadata operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.GET_METADATA</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for get-key-metadata and get-keys-metadata operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
Complimentary ACL for CREATE and ROLLOVER operation to allow the client
|
||||
to provide the key material when creating or rolling a key.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.SET_KEY_MATERIAL</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Complimentary Blacklist for CREATE and ROLLOVER operation to allow the client
|
||||
to provide the key material when creating or rolling a key.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.GENERATE_EEK</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for generateEncryptedKey
|
||||
CryptoExtension operations
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.GENERATE_EEK</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for generateEncryptedKey
|
||||
CryptoExtension operations
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.acl.DECRYPT_EEK</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for decrypt EncryptedKey
|
||||
CryptoExtension operations
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.blacklist.DECRYPT_EEK</name>
|
||||
<value>hdfs,foo</value>
|
||||
<description>
|
||||
Blacklist for decrypt EncryptedKey
|
||||
CryptoExtension operations
|
||||
</description>
|
||||
</property>
|
||||
</configuration>
|
||||
```
|
||||
|
||||
$H4 Key Access Control
|
||||
|
||||
KMS supports access control for all non-read operations at the Key level. All Key Access operations are classified as :
|
||||
|
||||
* MANAGEMENT - createKey, deleteKey, rolloverNewVersion
|
||||
* GENERATE_EEK - generateEncryptedKey, warmUpEncryptedKeys
|
||||
* DECRYPT_EEK - decryptEncryptedKey
|
||||
* READ - getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata, getCurrentKey
|
||||
* ALL - all of the above
|
||||
|
||||
These can be defined in the KMS `etc/hadoop/kms-acls.xml` as follows
|
||||
|
||||
For all keys for which a key access has not been explicitly configured, It is possible to configure a default key access control for a subset of the operation types.
|
||||
|
||||
It is also possible to configure a "whitelist" key ACL for a subset of the operation types. The whitelist key ACL is a whitelist in addition to the explicit or default per-key ACL. That is, if no per-key ACL is explicitly set, a user will be granted access if they are present in the default per-key ACL or the whitelist key ACL. If a per-key ACL is explicitly set, a user will be granted access if they are present in the per-key ACL or the whitelist key ACL.
|
||||
|
||||
If no ACL is configured for a specific key AND no default ACL is configured AND no root key ACL is configured for the requested operation, then access will be DENIED.
|
||||
|
||||
**NOTE:** The default and whitelist key ACL does not support `ALL` operation qualifier.
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>key.acl.testKey1.MANAGEMENT</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for create-key, deleteKey and rolloverNewVersion operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>key.acl.testKey2.GENERATE_EEK</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for generateEncryptedKey operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>key.acl.testKey3.DECRYPT_EEK</name>
|
||||
<value>admink3</value>
|
||||
<description>
|
||||
ACL for decryptEncryptedKey operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>key.acl.testKey4.READ</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata,
|
||||
getCurrentKey operations
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>key.acl.testKey5.ALL</name>
|
||||
<value>*</value>
|
||||
<description>
|
||||
ACL for ALL operations.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>whitelist.key.acl.MANAGEMENT</name>
|
||||
<value>admin1</value>
|
||||
<description>
|
||||
whitelist ACL for MANAGEMENT operations for all keys.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<!--
|
||||
'testKey3' key ACL is defined. Since a 'whitelist'
|
||||
key is also defined for DECRYPT_EEK, in addition to
|
||||
admink3, admin1 can also perform DECRYPT_EEK operations
|
||||
on 'testKey3'
|
||||
-->
|
||||
<property>
|
||||
<name>whitelist.key.acl.DECRYPT_EEK</name>
|
||||
<value>admin1</value>
|
||||
<description>
|
||||
whitelist ACL for DECRYPT_EEK operations for all keys.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>default.key.acl.MANAGEMENT</name>
|
||||
<value>user1,user2</value>
|
||||
<description>
|
||||
default ACL for MANAGEMENT operations for all keys that are not
|
||||
explicitly defined.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>default.key.acl.GENERATE_EEK</name>
|
||||
<value>user1,user2</value>
|
||||
<description>
|
||||
default ACL for GENERATE_EEK operations for all keys that are not
|
||||
explicitly defined.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>default.key.acl.DECRYPT_EEK</name>
|
||||
<value>user1,user2</value>
|
||||
<description>
|
||||
default ACL for DECRYPT_EEK operations for all keys that are not
|
||||
explicitly defined.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>default.key.acl.READ</name>
|
||||
<value>user1,user2</value>
|
||||
<description>
|
||||
default ACL for READ operations for all keys that are not
|
||||
explicitly defined.
|
||||
</description>
|
||||
</property>
|
||||
```
|
||||
|
||||
$H3 KMS Delegation Token Configuration
|
||||
|
||||
KMS delegation token secret manager can be configured with the following properties:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.delegation-token.update-interval.sec</name>
|
||||
<value>86400</value>
|
||||
<description>
|
||||
How often the master key is rotated, in seconds. Default value 1 day.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.delegation-token.max-lifetime.sec</name>
|
||||
<value>604800</value>
|
||||
<description>
|
||||
Maximum lifetime of a delagation token, in seconds. Default value 7 days.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.delegation-token.renew-interval.sec</name>
|
||||
<value>86400</value>
|
||||
<description>
|
||||
Renewal interval of a delagation token, in seconds. Default value 1 day.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.delegation-token.removal-scan-interval.sec</name>
|
||||
<value>3600</value>
|
||||
<description>
|
||||
Scan interval to remove expired delegation tokens.
|
||||
</description>
|
||||
</property>
|
||||
```
|
||||
|
||||
$H3 Using Multiple Instances of KMS Behind a Load-Balancer or VIP
|
||||
|
||||
KMS supports multiple KMS instances behind a load-balancer or VIP for scalability and for HA purposes.
|
||||
|
||||
When using multiple KMS instances behind a load-balancer or VIP, requests from the same user may be handled by different KMS instances.
|
||||
|
||||
KMS instances behind a load-balancer or VIP must be specially configured to work properly as a single logical service.
|
||||
|
||||
$H4 HTTP Kerberos Principals Configuration
|
||||
|
||||
When KMS instances are behind a load-balancer or VIP, clients will use the hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the URL is used to construct the Kerberos service name of the server, `HTTP/#HOSTNAME#`. This means that all KMS instances must have a Kerberos service name with the load-balancer or VIP hostname.
|
||||
|
||||
In order to be able to access directly a specific KMS instance, the KMS instance must also have Keberos service name with its own hostname. This is required for monitoring and admin purposes.
|
||||
|
||||
Both Kerberos service principal credentials (for the load-balancer/VIP hostname and for the actual KMS instance hostname) must be in the keytab file configured for authentication. And the principal name specified in the configuration must be '\*'. For example:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.kerberos.principal</name>
|
||||
<value>*</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
**NOTE:** If using HTTPS, the SSL certificate used by the KMS instance must be configured to support multiple hostnames (see Java 7 `keytool` SAN extension support for details on how to do this).
|
||||
|
||||
$H4 HTTP Authentication Signature
|
||||
|
||||
KMS uses Hadoop Authentication for HTTP authentication. Hadoop Authentication issues a signed HTTP Cookie once the client has authenticated successfully. This HTTP Cookie has an expiration time, after which it will trigger a new authentication sequence. This is done to avoid triggering the authentication on every HTTP request of a client.
|
||||
|
||||
A KMS instance must verify the HTTP Cookie signatures signed by other KMS instances. To do this all KMS instances must share the signing secret.
|
||||
|
||||
This secret sharing can be done using a Zookeeper service which is configured in KMS with the following properties in the `kms-site.xml`:
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider</name>
|
||||
<value>zookeeper</value>
|
||||
<description>
|
||||
Indicates how the secret to sign the authentication cookies will be
|
||||
stored. Options are 'random' (default), 'string' and 'zookeeper'.
|
||||
If using a setup with multiple KMS instances, 'zookeeper' should be used.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
|
||||
<value>/hadoop-kms/hadoop-auth-signature-secret</value>
|
||||
<description>
|
||||
The Zookeeper ZNode path where the KMS instances will store and retrieve
|
||||
the secret from.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
|
||||
<value>#HOSTNAME#:#PORT#,...</value>
|
||||
<description>
|
||||
The Zookeeper connection string, a list of hostnames and port comma
|
||||
separated.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
|
||||
<value>kerberos</value>
|
||||
<description>
|
||||
The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
|
||||
<value>/etc/hadoop/conf/kms.keytab</value>
|
||||
<description>
|
||||
The absolute path for the Kerberos keytab with the credentials to
|
||||
connect to Zookeeper.
|
||||
</description>
|
||||
</property>
|
||||
<property>
|
||||
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
|
||||
<value>kms/#HOSTNAME#</value>
|
||||
<description>
|
||||
The Kerberos service principal used to connect to Zookeeper.
|
||||
</description>
|
||||
</property>
|
||||
```
|
||||
|
||||
$H4 Delegation Tokens
|
||||
|
||||
TBD
|
||||
|
||||
$H3 KMS HTTP REST API
|
||||
|
||||
$H4 Create a Key
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
POST http://HOST:PORT/kms/v1/keys
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "<key-name>",
|
||||
"cipher" : "<cipher>",
|
||||
"length" : <length>, //int
|
||||
"material" : "<material>", //base64
|
||||
"description" : "<description>"
|
||||
}
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
201 CREATED
|
||||
LOCATION: http://HOST:PORT/kms/v1/key/<key-name>
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64, not present without GET ACL
|
||||
}
|
||||
|
||||
$H4 Rollover Key
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
POST http://HOST:PORT/kms/v1/key/<key-name>
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"material" : "<material>",
|
||||
}
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64, not present without GET ACL
|
||||
}
|
||||
|
||||
$H4 Delete Key
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
DELETE http://HOST:PORT/kms/v1/key/<key-name>
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
|
||||
$H4 Get Key Metadata
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/key/<key-name>/_metadata
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "<key-name>",
|
||||
"cipher" : "<cipher>",
|
||||
"length" : <length>, //int
|
||||
"description" : "<description>",
|
||||
"created" : <millis-epoc>, //long
|
||||
"versions" : <versions> //int
|
||||
}
|
||||
|
||||
$H4 Get Current Key
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/key/<key-name>/_currentversion
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
|
||||
$H4 Generate Encrypted Key for Current KeyVersion
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/key/<key-name>/_eek?eek_op=generate&num_keys=<number-of-keys-to-generate>
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
[
|
||||
{
|
||||
"versionName" : "encryptionVersionName",
|
||||
"iv" : "<iv>", //base64
|
||||
"encryptedKeyVersion" : {
|
||||
"versionName" : "EEK",
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
},
|
||||
{
|
||||
"versionName" : "encryptionVersionName",
|
||||
"iv" : "<iv>", //base64
|
||||
"encryptedKeyVersion" : {
|
||||
"versionName" : "EEK",
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
},
|
||||
...
|
||||
]
|
||||
|
||||
$H4 Decrypt Encrypted Key
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "<key-name>",
|
||||
"iv" : "<iv>", //base64
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "EK",
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
|
||||
$H4 Get Key Version
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/keyversion/<version-name>
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64
|
||||
}
|
||||
|
||||
$H4 Get Key Versions
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/key/<key-name>/_versions
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
[
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64
|
||||
},
|
||||
{
|
||||
"name" : "versionName",
|
||||
"material" : "<material>", //base64
|
||||
},
|
||||
...
|
||||
]
|
||||
|
||||
$H4 Get Key Names
|
||||
|
||||
*REQUEST:*
|
||||
|
||||
GET http://HOST:PORT/kms/v1/keys/names
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
[
|
||||
"<key-name>",
|
||||
"<key-name>",
|
||||
...
|
||||
]
|
||||
|
||||
$H4 Get Keys Metadata
|
||||
|
||||
GET http://HOST:PORT/kms/v1/keys/metadata?key=<key-name>&key=<key-name>,...
|
||||
|
||||
*RESPONSE:*
|
||||
|
||||
200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
[
|
||||
{
|
||||
"name" : "<key-name>",
|
||||
"cipher" : "<cipher>",
|
||||
"length" : <length>, //int
|
||||
"description" : "<description>",
|
||||
"created" : <millis-epoc>, //long
|
||||
"versions" : <versions> //int
|
||||
},
|
||||
{
|
||||
"name" : "<key-name>",
|
||||
"cipher" : "<cipher>",
|
||||
"length" : <length>, //int
|
||||
"description" : "<description>",
|
||||
"created" : <millis-epoc>, //long
|
||||
"versions" : <versions> //int
|
||||
},
|
||||
...
|
||||
]
|
|
@ -1,73 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Apache Hadoop ${project.version}
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Apache Hadoop ${project.version}
|
||||
|
||||
Apache Hadoop ${project.version} consists of significant
|
||||
improvements over the previous stable release (hadoop-1.x).
|
||||
|
||||
Here is a short overview of the improvments to both HDFS and MapReduce.
|
||||
|
||||
* {HDFS Federation}
|
||||
|
||||
In order to scale the name service horizontally, federation uses multiple
|
||||
independent Namenodes/Namespaces. The Namenodes are federated, that is, the
|
||||
Namenodes are independent and don't require coordination with each other.
|
||||
The datanodes are used as common storage for blocks by all the Namenodes.
|
||||
Each datanode registers with all the Namenodes in the cluster. Datanodes
|
||||
send periodic heartbeats and block reports and handles commands from the
|
||||
Namenodes.
|
||||
|
||||
More details are available in the
|
||||
{{{./hadoop-project-dist/hadoop-hdfs/Federation.html}HDFS Federation}}
|
||||
document.
|
||||
|
||||
* {MapReduce NextGen aka YARN aka MRv2}
|
||||
|
||||
The new architecture introduced in hadoop-0.23, divides the two major
|
||||
functions of the JobTracker: resource management and job life-cycle management
|
||||
into separate components.
|
||||
|
||||
The new ResourceManager manages the global assignment of compute resources to
|
||||
applications and the per-application ApplicationMaster manages the
|
||||
application‚ scheduling and coordination.
|
||||
|
||||
An application is either a single job in the sense of classic MapReduce jobs
|
||||
or a DAG of such jobs.
|
||||
|
||||
The ResourceManager and per-machine NodeManager daemon, which manages the
|
||||
user processes on that machine, form the computation fabric.
|
||||
|
||||
The per-application ApplicationMaster is, in effect, a framework specific
|
||||
library and is tasked with negotiating resources from the ResourceManager and
|
||||
working with the NodeManager(s) to execute and monitor the tasks.
|
||||
|
||||
More details are available in the
|
||||
{{{./hadoop-yarn/hadoop-yarn-site/YARN.html}YARN}}
|
||||
document.
|
||||
|
||||
Getting Started
|
||||
|
||||
The Hadoop documentation includes the information you need to get started using
|
||||
Hadoop. Begin with the
|
||||
{{{./hadoop-project-dist/hadoop-common/SingleCluster.html}Single Node Setup}} which
|
||||
shows you how to set up a single-node Hadoop installation. Then move on to the
|
||||
{{{./hadoop-project-dist/hadoop-common/ClusterSetup.html}Cluster Setup}} to learn how
|
||||
to set up a multi-node Hadoop installation.
|
||||
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Apache Hadoop ${project.version}
|
||||
================================
|
||||
|
||||
Apache Hadoop ${project.version} consists of significant
|
||||
improvements over the previous stable release (hadoop-1.x).
|
||||
|
||||
Here is a short overview of the improvments to both HDFS and MapReduce.
|
||||
|
||||
* HDFS Federation
|
||||
|
||||
In order to scale the name service horizontally, federation uses
|
||||
multiple independent Namenodes/Namespaces. The Namenodes are
|
||||
federated, that is, the Namenodes are independent and don't require
|
||||
coordination with each other. The datanodes are used as common storage
|
||||
for blocks by all the Namenodes. Each datanode registers with all the
|
||||
Namenodes in the cluster. Datanodes send periodic heartbeats and block
|
||||
reports and handles commands from the Namenodes.
|
||||
|
||||
More details are available in the
|
||||
[HDFS Federation](./hadoop-project-dist/hadoop-hdfs/Federation.html)
|
||||
document.
|
||||
|
||||
* MapReduce NextGen aka YARN aka MRv2
|
||||
|
||||
The new architecture introduced in hadoop-0.23, divides the two major
|
||||
functions of the JobTracker: resource management and job life-cycle
|
||||
management into separate components.
|
||||
|
||||
The new ResourceManager manages the global assignment of compute
|
||||
resources to applications and the per-application
|
||||
ApplicationMaster manages the application‚ scheduling and
|
||||
coordination.
|
||||
|
||||
An application is either a single job in the sense of classic
|
||||
MapReduce jobs or a DAG of such jobs.
|
||||
|
||||
The ResourceManager and per-machine NodeManager daemon, which
|
||||
manages the user processes on that machine, form the computation
|
||||
fabric.
|
||||
|
||||
The per-application ApplicationMaster is, in effect, a framework
|
||||
specific library and is tasked with negotiating resources from the
|
||||
ResourceManager and working with the NodeManager(s) to execute and
|
||||
monitor the tasks.
|
||||
|
||||
More details are available in the
|
||||
[YARN](./hadoop-yarn/hadoop-yarn-site/YARN.html) document.
|
||||
|
||||
Getting Started
|
||||
===============
|
||||
|
||||
The Hadoop documentation includes the information you need to get started using
|
||||
Hadoop. Begin with the
|
||||
[Single Node Setup](./hadoop-project-dist/hadoop-common/SingleCluster.html)
|
||||
which shows you how to set up a single-node Hadoop installation.
|
||||
Then move on to the
|
||||
[Cluster Setup](./hadoop-project-dist/hadoop-common/ClusterSetup.html)
|
||||
to learn how to set up a multi-node Hadoop installation.
|
|
@ -1,686 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop OpenStack Support: Swift Object Store
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
%{toc|section=1|fromDepth=0}
|
||||
|
||||
Hadoop OpenStack Support: Swift Object Store
|
||||
|
||||
* {Introduction}
|
||||
|
||||
{{{http://www.openstack.org/}OpenStack}} is an open source cloud infrastructure
|
||||
which can be accessed
|
||||
from multiple public IaaS providers, and deployed privately. It offers
|
||||
infrastructure services such as VM hosting (Nova), authentication (Keystone)
|
||||
and storage of binary objects (Swift).
|
||||
|
||||
This module enables Apache Hadoop applications -including MapReduce jobs,
|
||||
read and write data to and from instances of the
|
||||
{{{http://www.openstack.org/software/openstack-storage/}OpenStack Swift object store}}.
|
||||
|
||||
* Features
|
||||
|
||||
* Read and write of data stored in a Swift object store
|
||||
|
||||
* Support of a pseudo-hierachical file system (directories, subdirectories and
|
||||
files)
|
||||
|
||||
* Standard filesystem operations: <<<create>>>, <<<delete>>>, <<<mkdir>>>,
|
||||
<<<ls>>>, <<<mv>>>, <<<stat>>>.
|
||||
|
||||
* Can act as a source of data in a MapReduce job, or a sink.
|
||||
|
||||
* Support for multiple OpenStack services, and multiple containers from a
|
||||
single service.
|
||||
|
||||
* Supports in-cluster and remote access to Swift data.
|
||||
|
||||
* Supports OpenStack Keystone authentication with password or token.
|
||||
|
||||
* Released under the Apache Software License
|
||||
|
||||
* Tested against the Hadoop 3.x and 1.x branches, against multiple public
|
||||
OpenStack clusters: Rackspace US, Rackspace UK, HP Cloud.
|
||||
|
||||
* Tested against private OpenStack clusters, including scalability tests of
|
||||
large file uploads.
|
||||
|
||||
* Using the Hadoop Swift Filesystem Client
|
||||
|
||||
** Concepts: services and containers
|
||||
|
||||
OpenStack swift is an <Object Store>; also known as a <blobstore>. It stores
|
||||
arbitrary binary objects by name in a <container>.
|
||||
|
||||
The Hadoop Swift filesystem library adds another concept, the <service>, which
|
||||
defines which Swift blobstore hosts a container -and how to connect to it.
|
||||
|
||||
** Containers and Objects
|
||||
|
||||
* Containers are created by users with accounts on the Swift filestore, and hold
|
||||
<objects>.
|
||||
|
||||
* Objects can be zero bytes long, or they can contain data.
|
||||
|
||||
* Objects in the container can be up to 5GB; there is a special support for
|
||||
larger files than this, which merges multiple objects in to one.
|
||||
|
||||
* Each object is referenced by it's <name>; there is no notion of directories.
|
||||
|
||||
* You can use any characters in an object name that can be 'URL-encoded'; the
|
||||
maximum length of a name is 1034 characters -after URL encoding.
|
||||
|
||||
* Names can have <<</>>> characters in them, which are used to create the illusion of
|
||||
a directory structure. For example <<<dir/dir2/name>>>. Even though this looks
|
||||
like a directory, <it is still just a name>. There is no requirement to have
|
||||
any entries in the container called <<<dir>>> or <<<dir/dir2>>>
|
||||
|
||||
* That said. if the container has zero-byte objects that look like directory
|
||||
names above other objects, they can pretend to be directories. Continuing the
|
||||
example, a 0-byte object called <<<dir>>> would tell clients that it is a
|
||||
directory while <<<dir/dir2>>> or <<<dir/dir2/name>>> were present. This creates an
|
||||
illusion of containers holding a filesystem.
|
||||
|
||||
Client applications talk to Swift over HTTP or HTTPS, reading, writing and
|
||||
deleting objects using standard HTTP operations (GET, PUT and DELETE,
|
||||
respectively). There is also a COPY operation, that creates a new object in the
|
||||
container, with a new name, containing the old data. There is no rename
|
||||
operation itself, objects need to be copied -then the original entry deleted.
|
||||
|
||||
** Eventual Consistency
|
||||
|
||||
The Swift Filesystem is *eventually consistent*: an operation on an object may
|
||||
not be immediately visible to that client, or other clients. This is a
|
||||
consequence of the goal of the filesystem: to span a set of machines, across
|
||||
multiple datacenters, in such a way that the data can still be available when
|
||||
many of them fail. (In contrast, the Hadoop HDFS filesystem is *immediately
|
||||
consistent*, but it does not span datacenters.)
|
||||
|
||||
Eventual consistency can cause surprises for client applications that expect
|
||||
immediate consistency: after an object is deleted or overwritten, the object
|
||||
may still be visible -or the old data still retrievable. The Swift Filesystem
|
||||
client for Apache Hadoop attempts to handle this, in conjunction with the
|
||||
MapReduce engine, but there may be still be occasions when eventual consistency
|
||||
causes surprises.
|
||||
|
||||
** Non-atomic "directory" operations.
|
||||
|
||||
Hadoop expects some
|
||||
operations to be atomic, especially <<<rename()>>>, which is something
|
||||
the MapReduce layer relies on to commit the output of a job, renaming data
|
||||
from a temp directory to the final path. Because a rename
|
||||
is implemented as a copy of every blob under the directory's path, followed
|
||||
by a delete of the originals, the intermediate state of the operation
|
||||
will be visible to other clients. If two Reducer tasks to rename their temp
|
||||
directory to the final path, both operations may succeed, with the result that
|
||||
output directory contains mixed data. This can happen if MapReduce jobs
|
||||
are being run with <speculation> enabled and Swift used as the direct output
|
||||
of the MR job (it can also happen against Amazon S3).
|
||||
|
||||
Other consequences of the non-atomic operations are:
|
||||
|
||||
1. If a program is looking for the presence of the directory before acting
|
||||
on the data -it may start prematurely. This can be avoided by using
|
||||
other mechanisms to co-ordinate the programs, such as the presence of a file
|
||||
that is written <after> any bulk directory operations.
|
||||
|
||||
2. A <<<rename()>>> or <<<delete()>>> operation may include files added under
|
||||
the source directory tree during the operation, may unintentionally delete
|
||||
it, or delete the 0-byte swift entries that mimic directories and act
|
||||
as parents for the files. Try to avoid doing this.
|
||||
|
||||
The best ways to avoid all these problems is not using Swift as
|
||||
the filesystem between MapReduce jobs or other Hadoop workflows. It
|
||||
can act as a source of data, and a final destination, but it doesn't meet
|
||||
all of Hadoop's expectations of what a filesystem is -it's a <blobstore>.
|
||||
|
||||
* Working with Swift Object Stores in Hadoop
|
||||
|
||||
Once installed, the Swift FileSystem client can be used by any Hadoop application
|
||||
to read from or write to data stored in a Swift container.
|
||||
|
||||
Data stored in Swift can be used as the direct input to a MapReduce job
|
||||
-simply use the <<<swift:>>> URL (see below) to declare the source of the data.
|
||||
|
||||
This Swift Filesystem client is designed to work with multiple
|
||||
Swift object stores, both public and private. This allows the client to work
|
||||
with different clusters, reading and writing data to and from either of them.
|
||||
|
||||
It can also work with the same object stores using multiple login details.
|
||||
|
||||
These features are achieved by one basic concept: using a service name in
|
||||
the URI referring to a swift filesystem, and looking up all the connection and
|
||||
login details for that specific service. Different service names can be defined
|
||||
in the Hadoop XML configuration file, so defining different clusters, or
|
||||
providing different login details for the same object store(s).
|
||||
|
||||
|
||||
** Swift Filesystem URIs
|
||||
|
||||
Hadoop uses URIs to refer to files within a filesystem. Some common examples
|
||||
are:
|
||||
|
||||
+--
|
||||
local://etc/hosts
|
||||
hdfs://cluster1/users/example/data/set1
|
||||
hdfs://cluster2.example.org:8020/users/example/data/set1
|
||||
+--
|
||||
|
||||
The Swift Filesystem Client adds a new URL type <<<swift>>>. In a Swift Filesystem
|
||||
URL, the hostname part of a URL identifies the container and the service to
|
||||
work with; the path the name of the object. Here are some examples
|
||||
|
||||
+--
|
||||
swift://container.rackspace/my-object.csv
|
||||
swift://data.hpcloud/data/set1
|
||||
swift://dmitry.privatecloud/out/results
|
||||
+--
|
||||
|
||||
In the last two examples, the paths look like directories: it is not, they are
|
||||
simply the objects named <<<data/set1>>> and <<<out/results>>> respectively.
|
||||
|
||||
** Installing
|
||||
|
||||
The <<<hadoop-openstack>>> JAR must be on the classpath of the Hadoop program trying to
|
||||
talk to the Swift service. If installed in the classpath of the Hadoop
|
||||
MapReduce service, then all programs started by the MR engine will pick up the
|
||||
JAR automatically. This is the easiest way to give all Hadoop jobs access to
|
||||
Swift.
|
||||
|
||||
Alternatively, the JAR can be included as one of the JAR files that an
|
||||
application uses. This lets the Hadoop jobs work with a Swift object store even
|
||||
if the Hadoop cluster is not pre-configured for this.
|
||||
|
||||
The library also depends upon the Apache HttpComponents library, which
|
||||
must also be on the classpath.
|
||||
|
||||
** Configuring
|
||||
|
||||
To talk to a swift service, the user must must provide:
|
||||
|
||||
[[1]] The URL defining the container and the service.
|
||||
|
||||
[[1]] In the cluster/job configuration, the login details of that service.
|
||||
|
||||
Multiple service definitions can co-exist in the same configuration file: just
|
||||
use different names for them.
|
||||
|
||||
*** Example: Rackspace US, in-cluster access using API key
|
||||
|
||||
This service definition is for use in a Hadoop cluster deployed within Rackspace's
|
||||
US infrastructure.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.auth.url</name>
|
||||
<value>https://auth.api.rackspacecloud.com/v2.0/tokens</value>
|
||||
<description>Rackspace US (multiregion)</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.username</name>
|
||||
<value>user4</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.region</name>
|
||||
<value>DFW</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.apikey</name>
|
||||
<value>fe806aa86dfffe2f6ed8</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
Here the API key visible in the account settings API keys page is used to log
|
||||
in. No property for public/private access -the default is to use the private
|
||||
endpoint for Swift operations.
|
||||
|
||||
This configuration also selects one of the regions, DFW, for its data.
|
||||
|
||||
A reference to this service would use the <<<rackspace>>> service name:
|
||||
|
||||
---
|
||||
swift://hadoop-container.rackspace/
|
||||
---
|
||||
|
||||
*** Example: Rackspace UK: remote access with password authentication
|
||||
|
||||
This connects to Rackspace's UK ("LON") datacenter.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.auth.url</name>
|
||||
<value>https://lon.identity.api.rackspacecloud.com/v2.0/tokens</value>
|
||||
<description>Rackspace UK</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.username</name>
|
||||
<value>user4</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.password</name>
|
||||
<value>insert-password-here/value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.public</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
This is a public access point connection, using a password over an API key.
|
||||
|
||||
A reference to this service would use the <<<rackspaceuk>>> service name:
|
||||
|
||||
+--
|
||||
swift://hadoop-container.rackspaceuk/
|
||||
+--
|
||||
|
||||
Because the public endpoint is used, if this service definition is used within
|
||||
the London datacenter, all accesses will be billed at the public
|
||||
upload/download rates, <irrespective of where the Hadoop cluster is>.
|
||||
|
||||
*** Example: HP cloud service definition
|
||||
|
||||
Here is an example that connects to the HP Cloud object store.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.auth.url</name>
|
||||
<value>https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
|
||||
</value>
|
||||
<description>HP Cloud</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.tenant</name>
|
||||
<value>FE806AA86</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.username</name>
|
||||
<value>FE806AA86DFFFE2F6ED8</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.password</name>
|
||||
<value>secret-password-goes-here</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.public</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
A reference to this service would use the <<<hpcloud>>> service name:
|
||||
|
||||
+--
|
||||
swift://hadoop-container.hpcloud/
|
||||
+--
|
||||
|
||||
** General Swift Filesystem configuration options
|
||||
|
||||
Some configuration options apply to the Swift client, independent of
|
||||
the specific Swift filesystem chosen.
|
||||
|
||||
*** Blocksize fs.swift.blocksize
|
||||
|
||||
Swift does not break up files into blocks, except in the special case of files
|
||||
over 5GB in length. Accordingly, there isn't a notion of a "block size"
|
||||
to define where the data is kept.
|
||||
|
||||
Hadoop's MapReduce layer depends on files declaring their block size,
|
||||
so that it knows how to partition work. Too small a blocksize means that
|
||||
many mappers work on small pieces of data; too large a block size means
|
||||
that only a few mappers get started.
|
||||
|
||||
The block size value reported by Swift, therefore, controls the basic workload
|
||||
partioning of the MapReduce engine -and can be an important parameter to
|
||||
tune for performance of the cluster.
|
||||
|
||||
The property has a unit of kilobytes; the default value is <<<32*1024>>>: 32 MB
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.blocksize</name>
|
||||
<value>32768</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
This blocksize has no influence on how files are stored in Swift; it only controls
|
||||
what the reported size of blocks are - a value used in Hadoop MapReduce to
|
||||
divide work.
|
||||
|
||||
Note that the MapReduce engine's split logic can be tuned independently by setting
|
||||
the <<<mapred.min.split.size>>> and <<<mapred.max.split.size>>> properties,
|
||||
which can be done in specific job configurations.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>mapred.min.split.size</name>
|
||||
<value>524288</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>mapred.max.split.size</name>
|
||||
<value>1048576</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
In an Apache Pig script, these properties would be set as:
|
||||
|
||||
---
|
||||
mapred.min.split.size 524288
|
||||
mapred.max.split.size 1048576
|
||||
---
|
||||
|
||||
*** Partition size fs.swift.partsize
|
||||
|
||||
The Swift filesystem client breaks very large files into partitioned files,
|
||||
uploading each as it progresses, and writing any remaning data and an XML
|
||||
manifest when a partitioned file is closed.
|
||||
|
||||
The partition size defaults to 4608 MB; 4.5GB, the maximum filesize that
|
||||
Swift can support.
|
||||
|
||||
It is possible to set a smaller partition size, in the <<<fs.swift.partsize>>>
|
||||
option. This takes a value in KB.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.partsize</name>
|
||||
<value>1024</value>
|
||||
<description>upload every MB</description>
|
||||
</property>
|
||||
+--
|
||||
|
||||
When should this value be changed from its default?
|
||||
|
||||
While there is no need to ever change it for basic operation of
|
||||
the Swift filesystem client, it can be tuned
|
||||
|
||||
* If a Swift filesystem is location aware, then breaking a file up into
|
||||
smaller partitions scatters the data round the cluster. For best performance,
|
||||
the property <<<fs.swift.blocksize>>> should be set to a smaller value than the
|
||||
partition size of files.
|
||||
|
||||
* When writing to an unpartitioned file, the entire write is done in the
|
||||
<<<close()>>> operation. When a file is partitioned, the outstanding data to
|
||||
be written whenever the outstanding amount of data is greater than the
|
||||
partition size. This means that data will be written more incrementally
|
||||
|
||||
*** Request size fs.swift.requestsize
|
||||
|
||||
The Swift filesystem client reads files in HTTP GET operations, asking for
|
||||
a block of data at a time.
|
||||
|
||||
The default value is 64KB. A larger value may be more efficient over faster
|
||||
networks, as it reduces the overhead of setting up the HTTP operation.
|
||||
|
||||
However, if the file is read with many random accesses, requests for
|
||||
data will be made from different parts of the file -discarding some of the
|
||||
previously requested data. The benefits of larger request sizes may be wasted.
|
||||
|
||||
The property <<<fs.swift.requestsize>>> sets the request size in KB.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.requestsize</name>
|
||||
<value>128</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
*** Connection timeout fs.swift.connect.timeout
|
||||
|
||||
This sets the timeout in milliseconds to connect to a Swift service.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.connect.timeout</name>
|
||||
<value>15000</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
A shorter timeout means that connection failures are raised faster -but
|
||||
may trigger more false alarms. A longer timeout is more resilient to network
|
||||
problems -and may be needed when talking to remote filesystems.
|
||||
|
||||
*** Connection timeout fs.swift.socket.timeout
|
||||
|
||||
This sets the timeout in milliseconds to wait for data from a connected socket.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.socket.timeout</name>
|
||||
<value>60000</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
A shorter timeout means that connection failures are raised faster -but
|
||||
may trigger more false alarms. A longer timeout is more resilient to network
|
||||
problems -and may be needed when talking to remote filesystems.
|
||||
|
||||
*** Connection Retry Count fs.swift.connect.retry.count
|
||||
|
||||
This sets the number of times to try to connect to a service whenever
|
||||
an HTTP request is made.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.connect.retry.count</name>
|
||||
<value>3</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
The more retries, the more resilient it is to transient outages -and the
|
||||
less rapid it is at detecting and reporting server connectivity problems.
|
||||
|
||||
*** Connection Throttle Delay fs.swift.connect.throttle.delay
|
||||
|
||||
This property adds a delay between bulk file copy and delete operations,
|
||||
to prevent requests being throttled or blocked by the remote service
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.connect.throttle.delay</name>
|
||||
<value>0</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
It is measured in milliseconds; "0" means do not add any delay.
|
||||
|
||||
Throttling is enabled on the public endpoints of some Swift services.
|
||||
If <<<rename()>>> or <<<delete()>>> operations fail with
|
||||
<<<SwiftThrottledRequestException>>>
|
||||
exceptions, try setting this property.
|
||||
|
||||
*** HTTP Proxy
|
||||
|
||||
If the client can only access the Swift filesystem via a web proxy
|
||||
server, the client configuration must specify the proxy via
|
||||
the <<<fs.swift.connect.proxy.host>>> and <<<fs.swift.connect.proxy.port>>>
|
||||
properties.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>fs.swift.proxy.host</name>
|
||||
<value>web-proxy</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.proxy.port</name>
|
||||
<value>8088</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
If the host is declared, the proxy port must be set to a valid integer value.
|
||||
|
||||
|
||||
** Troubleshooting
|
||||
|
||||
*** ClassNotFoundException
|
||||
|
||||
The <<<hadoop-openstack>>> JAR -or any dependencies- may not be on your classpath.
|
||||
|
||||
If it is a remote MapReduce job that is failing, make sure that the JAR is
|
||||
installed on the servers in the cluster -or that the job submission process
|
||||
uploads the JAR file to the distributed cache.
|
||||
|
||||
*** Failure to Authenticate
|
||||
|
||||
A <<<SwiftAuthenticationFailedException>>> is thrown when the client
|
||||
cannot authenticate with the OpenStack keystone server. This could be
|
||||
because the URL in the service definition is wrong, or because
|
||||
the supplied credentials are invalid.
|
||||
|
||||
[[1]] Check the authentication URL through <<<curl>>> or your browser
|
||||
|
||||
[[1]] Use a Swift client such as CyberDuck to validate your credentials
|
||||
|
||||
[[1]] If you have included a tenant ID, try leaving it out. Similarly,
|
||||
try adding it if you had not included it.
|
||||
|
||||
[[1]] Try switching from API key authentication to password-based authentication,
|
||||
by setting the password.
|
||||
|
||||
[[1]] Change your credentials. As with Amazon AWS clients, some credentials
|
||||
don't seem to like going over the network.
|
||||
|
||||
*** Timeout connecting to the Swift Service
|
||||
|
||||
This happens if the client application is running outside an OpenStack cluster,
|
||||
where it does not have access to the private hostname/IP address for filesystem
|
||||
operations. Set the <<<public>>> flag to true -but remember to set it to false
|
||||
for use in-cluster.
|
||||
|
||||
** Warnings
|
||||
|
||||
[[1]] Do not share your login details with anyone, which means do not log the
|
||||
details, or check the XML configuration files into any revision control system
|
||||
to which you do not have exclusive access.
|
||||
|
||||
[[1]] Similarly, do not use your real account details in any documentation *or any
|
||||
bug reports submitted online*
|
||||
|
||||
[[1]] Prefer the apikey authentication over passwords as it is easier
|
||||
to revoke a key -and some service providers allow you to set
|
||||
an automatic expiry date on a key when issued.
|
||||
|
||||
[[1]] Do not use the public service endpoint from within a public OpenStack
|
||||
cluster, as it will run up large bills.
|
||||
|
||||
[[1]] Remember: it's not a real filesystem or hierarchical directory structure.
|
||||
Some operations (directory rename and delete) take time and are not atomic or
|
||||
isolated from other operations taking place.
|
||||
|
||||
[[1]] Append is not supported.
|
||||
|
||||
[[1]] Unix-style permissions are not supported. All accounts with write access to
|
||||
a repository have unlimited access; the same goes for those with read access.
|
||||
|
||||
[[1]] In the public clouds, do not make the containers public unless you are happy
|
||||
with anyone reading your data, and are prepared to pay the costs of their
|
||||
downloads.
|
||||
|
||||
** Limits
|
||||
|
||||
* Maximum length of an object path: 1024 characters
|
||||
|
||||
* Maximum size of a binary object: no absolute limit. Files > 5GB are
|
||||
partitioned into separate files in the native filesystem, and merged during
|
||||
retrieval. <Warning:> the partitioned/large file support is the
|
||||
most complex part of the Hadoop/Swift FS integration, and, along with
|
||||
authentication, the most troublesome to support.
|
||||
|
||||
** Testing the hadoop-openstack module
|
||||
|
||||
The <<<hadoop-openstack>>> can be remotely tested against any public
|
||||
or private cloud infrastructure which supports the OpenStack Keystone
|
||||
authentication mechanism. It can also be tested against private
|
||||
OpenStack clusters. OpenStack Development teams are strongly encouraged to test
|
||||
the Hadoop swift filesystem client against any version of Swift that they
|
||||
are developing or deploying, to stress their cluster and to identify
|
||||
bugs early.
|
||||
|
||||
The module comes with a large suite of JUnit tests -tests that are
|
||||
only executed if the source tree includes credentials to test against a
|
||||
specific cluster.
|
||||
|
||||
After checking out the Hadoop source tree, create the file:
|
||||
|
||||
+--
|
||||
hadoop-tools/hadoop-openstack/src/test/resources/auth-keys.xml
|
||||
+--
|
||||
|
||||
Into this file, insert the credentials needed to bond to the test filesystem,
|
||||
as decribed above.
|
||||
|
||||
Next set the property <<<test.fs.swift.name>>> to the URL of a
|
||||
swift container to test against. The tests expect exclusive access
|
||||
to this container -do not keep any other data on it, or expect it
|
||||
to be preserved.
|
||||
|
||||
+--
|
||||
<property>
|
||||
<name>test.fs.swift.name</name>
|
||||
<value>swift://test.myswift/</value>
|
||||
</property>
|
||||
+--
|
||||
|
||||
In the base hadoop directory, run:
|
||||
|
||||
+--
|
||||
mvn clean install -DskipTests
|
||||
+--
|
||||
|
||||
This builds a set of Hadoop JARs consistent with the <<<hadoop-openstack>>>
|
||||
module that is about to be tested.
|
||||
|
||||
In the <<<hadoop-tools/hadoop-openstack>>> directory run
|
||||
|
||||
+--
|
||||
mvn test -Dtest=TestSwiftRestClient
|
||||
+--
|
||||
|
||||
This runs some simple tests which include authenticating
|
||||
against the remote swift service. If these tests fail, so will all
|
||||
the rest. If it does fail: check your authentication.
|
||||
|
||||
Once this test succeeds, you can run the full test suite
|
||||
|
||||
+--
|
||||
mvn test
|
||||
+--
|
||||
|
||||
Be advised that these tests can take an hour or more, especially against a
|
||||
remote Swift service -or one that throttles bulk operations.
|
||||
|
||||
Once the <<<auth-keys.xml>>> file is in place, the <<<mvn test>>> runs from
|
||||
the Hadoop source base directory will automatically run these OpenStack tests
|
||||
While this ensures that no regressions have occurred, it can also add significant
|
||||
time to test runs, and may run up bills, depending on who is providing\
|
||||
the Swift storage service. We recommend having a separate source tree
|
||||
set up purely for the Swift tests, and running it manually or by the CI tooling
|
||||
at a lower frequency than normal test runs.
|
||||
|
||||
Finally: Apache Hadoop is an open source project. Contributions of code
|
||||
-including more tests- are very welcome.
|
|
@ -0,0 +1,544 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
* [Hadoop OpenStack Support: Swift Object Store](#Hadoop_OpenStack_Support:_Swift_Object_Store)
|
||||
* [Introduction](#Introduction)
|
||||
* [Features](#Features)
|
||||
* [Using the Hadoop Swift Filesystem Client](#Using_the_Hadoop_Swift_Filesystem_Client)
|
||||
* [Concepts: services and containers](#Concepts:_services_and_containers)
|
||||
* [Containers and Objects](#Containers_and_Objects)
|
||||
* [Eventual Consistency](#Eventual_Consistency)
|
||||
* [Non-atomic "directory" operations.](#Non-atomic_directory_operations.)
|
||||
* [Working with Swift Object Stores in Hadoop](#Working_with_Swift_Object_Stores_in_Hadoop)
|
||||
* [Swift Filesystem URIs](#Swift_Filesystem_URIs)
|
||||
* [Installing](#Installing)
|
||||
* [Configuring](#Configuring)
|
||||
* [Example: Rackspace US, in-cluster access using API key](#Example:_Rackspace_US_in-cluster_access_using_API_key)
|
||||
* [Example: Rackspace UK: remote access with password authentication](#Example:_Rackspace_UK:_remote_access_with_password_authentication)
|
||||
* [Example: HP cloud service definition](#Example:_HP_cloud_service_definition)
|
||||
* [General Swift Filesystem configuration options](#General_Swift_Filesystem_configuration_options)
|
||||
* [Blocksize fs.swift.blocksize](#Blocksize_fs.swift.blocksize)
|
||||
* [Partition size fs.swift.partsize](#Partition_size_fs.swift.partsize)
|
||||
* [Request size fs.swift.requestsize](#Request_size_fs.swift.requestsize)
|
||||
* [Connection timeout fs.swift.connect.timeout](#Connection_timeout_fs.swift.connect.timeout)
|
||||
* [Connection timeout fs.swift.socket.timeout](#Connection_timeout_fs.swift.socket.timeout)
|
||||
* [Connection Retry Count fs.swift.connect.retry.count](#Connection_Retry_Count_fs.swift.connect.retry.count)
|
||||
* [Connection Throttle Delay fs.swift.connect.throttle.delay](#Connection_Throttle_Delay_fs.swift.connect.throttle.delay)
|
||||
* [HTTP Proxy](#HTTP_Proxy)
|
||||
* [Troubleshooting](#Troubleshooting)
|
||||
* [ClassNotFoundException](#ClassNotFoundException)
|
||||
* [Failure to Authenticate](#Failure_to_Authenticate)
|
||||
* [Timeout connecting to the Swift Service](#Timeout_connecting_to_the_Swift_Service)
|
||||
* [Warnings](#Warnings)
|
||||
* [Limits](#Limits)
|
||||
* [Testing the hadoop-openstack module](#Testing_the_hadoop-openstack_module)
|
||||
|
||||
Hadoop OpenStack Support: Swift Object Store
|
||||
============================================
|
||||
|
||||
Introduction
|
||||
------------
|
||||
|
||||
[OpenStack](http://www.openstack.org/) is an open source cloud infrastructure which can be accessed from multiple public IaaS providers, and deployed privately. It offers infrastructure services such as VM hosting (Nova), authentication (Keystone) and storage of binary objects (Swift).
|
||||
|
||||
This module enables Apache Hadoop applications -including MapReduce jobs, read and write data to and from instances of the [OpenStack Swift object store](http://www.openstack.org/software/openstack-storage/).
|
||||
|
||||
Features
|
||||
--------
|
||||
|
||||
* Read and write of data stored in a Swift object store
|
||||
|
||||
* Support of a pseudo-hierachical file system (directories, subdirectories and
|
||||
files)
|
||||
|
||||
* Standard filesystem operations: `create`, `delete`, `mkdir`,
|
||||
`ls`, `mv`, `stat`.
|
||||
|
||||
* Can act as a source of data in a MapReduce job, or a sink.
|
||||
|
||||
* Support for multiple OpenStack services, and multiple containers from a
|
||||
single service.
|
||||
|
||||
* Supports in-cluster and remote access to Swift data.
|
||||
|
||||
* Supports OpenStack Keystone authentication with password or token.
|
||||
|
||||
* Released under the Apache Software License
|
||||
|
||||
* Tested against the Hadoop 3.x and 1.x branches, against multiple public
|
||||
OpenStack clusters: Rackspace US, Rackspace UK, HP Cloud.
|
||||
|
||||
* Tested against private OpenStack clusters, including scalability tests of
|
||||
large file uploads.
|
||||
|
||||
Using the Hadoop Swift Filesystem Client
|
||||
----------------------------------------
|
||||
|
||||
### Concepts: services and containers
|
||||
|
||||
OpenStack swift is an *Object Store*; also known as a *blobstore*. It stores arbitrary binary objects by name in a *container*.
|
||||
|
||||
The Hadoop Swift filesystem library adds another concept, the *service*, which defines which Swift blobstore hosts a container -and how to connect to it.
|
||||
|
||||
### Containers and Objects
|
||||
|
||||
* Containers are created by users with accounts on the Swift filestore, and hold
|
||||
*objects*.
|
||||
|
||||
* Objects can be zero bytes long, or they can contain data.
|
||||
|
||||
* Objects in the container can be up to 5GB; there is a special support for
|
||||
larger files than this, which merges multiple objects in to one.
|
||||
|
||||
* Each object is referenced by it's *name*; there is no notion of directories.
|
||||
|
||||
* You can use any characters in an object name that can be 'URL-encoded'; the
|
||||
maximum length of a name is 1034 characters -after URL encoding.
|
||||
|
||||
* Names can have `/` characters in them, which are used to create the illusion of
|
||||
a directory structure. For example `dir/dir2/name`. Even though this looks
|
||||
like a directory, *it is still just a name*. There is no requirement to have
|
||||
any entries in the container called `dir` or `dir/dir2`
|
||||
|
||||
* That said. if the container has zero-byte objects that look like directory
|
||||
names above other objects, they can pretend to be directories. Continuing the
|
||||
example, a 0-byte object called `dir` would tell clients that it is a
|
||||
directory while `dir/dir2` or `dir/dir2/name` were present. This creates an
|
||||
illusion of containers holding a filesystem.
|
||||
|
||||
Client applications talk to Swift over HTTP or HTTPS, reading, writing and deleting objects using standard HTTP operations (GET, PUT and DELETE, respectively). There is also a COPY operation, that creates a new object in the container, with a new name, containing the old data. There is no rename operation itself, objects need to be copied -then the original entry deleted.
|
||||
|
||||
### Eventual Consistency
|
||||
|
||||
The Swift Filesystem is \*eventually consistent\*: an operation on an object may not be immediately visible to that client, or other clients. This is a consequence of the goal of the filesystem: to span a set of machines, across multiple datacenters, in such a way that the data can still be available when many of them fail. (In contrast, the Hadoop HDFS filesystem is \*immediately consistent\*, but it does not span datacenters.)
|
||||
|
||||
Eventual consistency can cause surprises for client applications that expect immediate consistency: after an object is deleted or overwritten, the object may still be visible -or the old data still retrievable. The Swift Filesystem client for Apache Hadoop attempts to handle this, in conjunction with the MapReduce engine, but there may be still be occasions when eventual consistency causes surprises.
|
||||
|
||||
### Non-atomic "directory" operations.
|
||||
|
||||
Hadoop expects some operations to be atomic, especially `rename()`, which is something the MapReduce layer relies on to commit the output of a job, renaming data from a temp directory to the final path. Because a rename is implemented as a copy of every blob under the directory's path, followed by a delete of the originals, the intermediate state of the operation will be visible to other clients. If two Reducer tasks to rename their temp directory to the final path, both operations may succeed, with the result that output directory contains mixed data. This can happen if MapReduce jobs are being run with *speculation* enabled and Swift used as the direct output of the MR job (it can also happen against Amazon S3).
|
||||
|
||||
Other consequences of the non-atomic operations are:
|
||||
|
||||
1. If a program is looking for the presence of the directory before acting
|
||||
on the data -it may start prematurely. This can be avoided by using
|
||||
other mechanisms to co-ordinate the programs, such as the presence of a file
|
||||
that is written *after* any bulk directory operations.
|
||||
|
||||
2. A `rename()` or `delete()` operation may include files added under
|
||||
the source directory tree during the operation, may unintentionally delete
|
||||
it, or delete the 0-byte swift entries that mimic directories and act
|
||||
as parents for the files. Try to avoid doing this.
|
||||
|
||||
The best ways to avoid all these problems is not using Swift as the filesystem between MapReduce jobs or other Hadoop workflows. It can act as a source of data, and a final destination, but it doesn't meet all of Hadoop's expectations of what a filesystem is -it's a *blobstore*.
|
||||
|
||||
Working with Swift Object Stores in Hadoop
|
||||
------------------------------------------
|
||||
|
||||
Once installed, the Swift FileSystem client can be used by any Hadoop application to read from or write to data stored in a Swift container.
|
||||
|
||||
Data stored in Swift can be used as the direct input to a MapReduce job -simply use the `swift:` URL (see below) to declare the source of the data.
|
||||
|
||||
This Swift Filesystem client is designed to work with multiple Swift object stores, both public and private. This allows the client to work with different clusters, reading and writing data to and from either of them.
|
||||
|
||||
It can also work with the same object stores using multiple login details.
|
||||
|
||||
These features are achieved by one basic concept: using a service name in the URI referring to a swift filesystem, and looking up all the connection and login details for that specific service. Different service names can be defined in the Hadoop XML configuration file, so defining different clusters, or providing different login details for the same object store(s).
|
||||
|
||||
### Swift Filesystem URIs
|
||||
|
||||
Hadoop uses URIs to refer to files within a filesystem. Some common examples are:
|
||||
|
||||
local://etc/hosts
|
||||
hdfs://cluster1/users/example/data/set1
|
||||
hdfs://cluster2.example.org:8020/users/example/data/set1
|
||||
|
||||
The Swift Filesystem Client adds a new URL type `swift`. In a Swift Filesystem URL, the hostname part of a URL identifies the container and the service to work with; the path the name of the object. Here are some examples
|
||||
|
||||
swift://container.rackspace/my-object.csv
|
||||
swift://data.hpcloud/data/set1
|
||||
swift://dmitry.privatecloud/out/results
|
||||
|
||||
In the last two examples, the paths look like directories: it is not, they are simply the objects named `data/set1` and `out/results` respectively.
|
||||
|
||||
### Installing
|
||||
|
||||
The `hadoop-openstack` JAR must be on the classpath of the Hadoop program trying to talk to the Swift service. If installed in the classpath of the Hadoop MapReduce service, then all programs started by the MR engine will pick up the JAR automatically. This is the easiest way to give all Hadoop jobs access to Swift.
|
||||
|
||||
Alternatively, the JAR can be included as one of the JAR files that an application uses. This lets the Hadoop jobs work with a Swift object store even if the Hadoop cluster is not pre-configured for this.
|
||||
|
||||
The library also depends upon the Apache HttpComponents library, which must also be on the classpath.
|
||||
|
||||
### Configuring
|
||||
|
||||
To talk to a swift service, the user must must provide:
|
||||
|
||||
1. The URL defining the container and the service.
|
||||
|
||||
2. In the cluster/job configuration, the login details of that service.
|
||||
|
||||
Multiple service definitions can co-exist in the same configuration file: just use different names for them.
|
||||
|
||||
#### Example: Rackspace US, in-cluster access using API key
|
||||
|
||||
This service definition is for use in a Hadoop cluster deployed within Rackspace's US infrastructure.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.auth.url</name>
|
||||
<value>https://auth.api.rackspacecloud.com/v2.0/tokens</value>
|
||||
<description>Rackspace US (multiregion)</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.username</name>
|
||||
<value>user4</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.region</name>
|
||||
<value>DFW</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.apikey</name>
|
||||
<value>fe806aa86dfffe2f6ed8</value>
|
||||
</property>
|
||||
|
||||
Here the API key visible in the account settings API keys page is used to log in. No property for public/private access -the default is to use the private endpoint for Swift operations.
|
||||
|
||||
This configuration also selects one of the regions, DFW, for its data.
|
||||
|
||||
A reference to this service would use the `rackspace` service name:
|
||||
|
||||
swift://hadoop-container.rackspace/
|
||||
|
||||
#### Example: Rackspace UK: remote access with password authentication
|
||||
|
||||
This connects to Rackspace's UK ("LON") datacenter.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.auth.url</name>
|
||||
<value>https://lon.identity.api.rackspacecloud.com/v2.0/tokens</value>
|
||||
<description>Rackspace UK</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.username</name>
|
||||
<value>user4</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspaceuk.password</name>
|
||||
<value>insert-password-here/value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.rackspace.public</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
|
||||
This is a public access point connection, using a password over an API key.
|
||||
|
||||
A reference to this service would use the `rackspaceuk` service name:
|
||||
|
||||
swift://hadoop-container.rackspaceuk/
|
||||
|
||||
Because the public endpoint is used, if this service definition is used within the London datacenter, all accesses will be billed at the public upload/download rates, *irrespective of where the Hadoop cluster is*.
|
||||
|
||||
#### Example: HP cloud service definition
|
||||
|
||||
Here is an example that connects to the HP Cloud object store.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.auth.url</name>
|
||||
<value>https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
|
||||
</value>
|
||||
<description>HP Cloud</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.tenant</name>
|
||||
<value>FE806AA86</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.username</name>
|
||||
<value>FE806AA86DFFFE2F6ED8</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.password</name>
|
||||
<value>secret-password-goes-here</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.service.hpcloud.public</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
|
||||
A reference to this service would use the `hpcloud` service name:
|
||||
|
||||
swift://hadoop-container.hpcloud/
|
||||
|
||||
### General Swift Filesystem configuration options
|
||||
|
||||
Some configuration options apply to the Swift client, independent of the specific Swift filesystem chosen.
|
||||
|
||||
#### Blocksize fs.swift.blocksize
|
||||
|
||||
Swift does not break up files into blocks, except in the special case of files over 5GB in length. Accordingly, there isn't a notion of a "block size" to define where the data is kept.
|
||||
|
||||
Hadoop's MapReduce layer depends on files declaring their block size, so that it knows how to partition work. Too small a blocksize means that many mappers work on small pieces of data; too large a block size means that only a few mappers get started.
|
||||
|
||||
The block size value reported by Swift, therefore, controls the basic workload partioning of the MapReduce engine -and can be an important parameter to tune for performance of the cluster.
|
||||
|
||||
The property has a unit of kilobytes; the default value is `32*1024`: 32 MB
|
||||
|
||||
<property>
|
||||
<name>fs.swift.blocksize</name>
|
||||
<value>32768</value>
|
||||
</property>
|
||||
|
||||
This blocksize has no influence on how files are stored in Swift; it only controls what the reported size of blocks are - a value used in Hadoop MapReduce to divide work.
|
||||
|
||||
Note that the MapReduce engine's split logic can be tuned independently by setting the `mapred.min.split.size` and `mapred.max.split.size` properties, which can be done in specific job configurations.
|
||||
|
||||
<property>
|
||||
<name>mapred.min.split.size</name>
|
||||
<value>524288</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>mapred.max.split.size</name>
|
||||
<value>1048576</value>
|
||||
</property>
|
||||
|
||||
In an Apache Pig script, these properties would be set as:
|
||||
|
||||
mapred.min.split.size 524288
|
||||
mapred.max.split.size 1048576
|
||||
|
||||
#### Partition size fs.swift.partsize
|
||||
|
||||
The Swift filesystem client breaks very large files into partitioned files, uploading each as it progresses, and writing any remaning data and an XML manifest when a partitioned file is closed.
|
||||
|
||||
The partition size defaults to 4608 MB; 4.5GB, the maximum filesize that Swift can support.
|
||||
|
||||
It is possible to set a smaller partition size, in the `fs.swift.partsize` option. This takes a value in KB.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.partsize</name>
|
||||
<value>1024</value>
|
||||
<description>upload every MB</description>
|
||||
</property>
|
||||
|
||||
When should this value be changed from its default?
|
||||
|
||||
While there is no need to ever change it for basic operation of the Swift filesystem client, it can be tuned
|
||||
|
||||
* If a Swift filesystem is location aware, then breaking a file up into
|
||||
smaller partitions scatters the data round the cluster. For best performance,
|
||||
the property `fs.swift.blocksize` should be set to a smaller value than the
|
||||
partition size of files.
|
||||
|
||||
* When writing to an unpartitioned file, the entire write is done in the
|
||||
`close()` operation. When a file is partitioned, the outstanding data to
|
||||
be written whenever the outstanding amount of data is greater than the
|
||||
partition size. This means that data will be written more incrementally
|
||||
|
||||
#### Request size fs.swift.requestsize
|
||||
|
||||
The Swift filesystem client reads files in HTTP GET operations, asking for a block of data at a time.
|
||||
|
||||
The default value is 64KB. A larger value may be more efficient over faster networks, as it reduces the overhead of setting up the HTTP operation.
|
||||
|
||||
However, if the file is read with many random accesses, requests for data will be made from different parts of the file -discarding some of the previously requested data. The benefits of larger request sizes may be wasted.
|
||||
|
||||
The property `fs.swift.requestsize` sets the request size in KB.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.requestsize</name>
|
||||
<value>128</value>
|
||||
</property>
|
||||
|
||||
#### Connection timeout fs.swift.connect.timeout
|
||||
|
||||
This sets the timeout in milliseconds to connect to a Swift service.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.connect.timeout</name>
|
||||
<value>15000</value>
|
||||
</property>
|
||||
|
||||
A shorter timeout means that connection failures are raised faster -but may trigger more false alarms. A longer timeout is more resilient to network problems -and may be needed when talking to remote filesystems.
|
||||
|
||||
#### Connection timeout fs.swift.socket.timeout
|
||||
|
||||
This sets the timeout in milliseconds to wait for data from a connected socket.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.socket.timeout</name>
|
||||
<value>60000</value>
|
||||
</property>
|
||||
|
||||
A shorter timeout means that connection failures are raised faster -but may trigger more false alarms. A longer timeout is more resilient to network problems -and may be needed when talking to remote filesystems.
|
||||
|
||||
#### Connection Retry Count fs.swift.connect.retry.count
|
||||
|
||||
This sets the number of times to try to connect to a service whenever an HTTP request is made.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.connect.retry.count</name>
|
||||
<value>3</value>
|
||||
</property>
|
||||
|
||||
The more retries, the more resilient it is to transient outages -and the less rapid it is at detecting and reporting server connectivity problems.
|
||||
|
||||
#### Connection Throttle Delay fs.swift.connect.throttle.delay
|
||||
|
||||
This property adds a delay between bulk file copy and delete operations, to prevent requests being throttled or blocked by the remote service
|
||||
|
||||
<property>
|
||||
<name>fs.swift.connect.throttle.delay</name>
|
||||
<value>0</value>
|
||||
</property>
|
||||
|
||||
It is measured in milliseconds; "0" means do not add any delay.
|
||||
|
||||
Throttling is enabled on the public endpoints of some Swift services. If `rename()` or `delete()` operations fail with `SwiftThrottledRequestException` exceptions, try setting this property.
|
||||
|
||||
#### HTTP Proxy
|
||||
|
||||
If the client can only access the Swift filesystem via a web proxy server, the client configuration must specify the proxy via the `fs.swift.connect.proxy.host` and `fs.swift.connect.proxy.port` properties.
|
||||
|
||||
<property>
|
||||
<name>fs.swift.proxy.host</name>
|
||||
<value>web-proxy</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>fs.swift.proxy.port</name>
|
||||
<value>8088</value>
|
||||
</property>
|
||||
|
||||
If the host is declared, the proxy port must be set to a valid integer value.
|
||||
|
||||
### Troubleshooting
|
||||
|
||||
#### ClassNotFoundException
|
||||
|
||||
The `hadoop-openstack` JAR -or any dependencies- may not be on your classpath.
|
||||
|
||||
If it is a remote MapReduce job that is failing, make sure that the JAR is installed on the servers in the cluster -or that the job submission process uploads the JAR file to the distributed cache.
|
||||
|
||||
#### Failure to Authenticate
|
||||
|
||||
A `SwiftAuthenticationFailedException` is thrown when the client cannot authenticate with the OpenStack keystone server. This could be because the URL in the service definition is wrong, or because the supplied credentials are invalid.
|
||||
|
||||
1. Check the authentication URL through `curl` or your browser
|
||||
|
||||
2. Use a Swift client such as CyberDuck to validate your credentials
|
||||
|
||||
3. If you have included a tenant ID, try leaving it out. Similarly,
|
||||
try adding it if you had not included it.
|
||||
|
||||
4. Try switching from API key authentication to password-based authentication,
|
||||
by setting the password.
|
||||
|
||||
5. Change your credentials. As with Amazon AWS clients, some credentials
|
||||
don't seem to like going over the network.
|
||||
|
||||
#### Timeout connecting to the Swift Service
|
||||
|
||||
This happens if the client application is running outside an OpenStack cluster, where it does not have access to the private hostname/IP address for filesystem operations. Set the `public` flag to true -but remember to set it to false for use in-cluster.
|
||||
|
||||
### Warnings
|
||||
|
||||
1. Do not share your login details with anyone, which means do not log the
|
||||
details, or check the XML configuration files into any revision control system
|
||||
to which you do not have exclusive access.
|
||||
|
||||
2. Similarly, do not use your real account details in any
|
||||
documentation \*or any bug reports submitted online\*
|
||||
|
||||
3. Prefer the apikey authentication over passwords as it is easier
|
||||
to revoke a key -and some service providers allow you to set
|
||||
an automatic expiry date on a key when issued.
|
||||
|
||||
4. Do not use the public service endpoint from within a public OpenStack
|
||||
cluster, as it will run up large bills.
|
||||
|
||||
5. Remember: it's not a real filesystem or hierarchical directory structure.
|
||||
Some operations (directory rename and delete) take time and are not atomic or
|
||||
isolated from other operations taking place.
|
||||
|
||||
6. Append is not supported.
|
||||
|
||||
7. Unix-style permissions are not supported. All accounts with write access to
|
||||
a repository have unlimited access; the same goes for those with read access.
|
||||
|
||||
8. In the public clouds, do not make the containers public unless you are happy
|
||||
with anyone reading your data, and are prepared to pay the costs of their
|
||||
downloads.
|
||||
|
||||
### Limits
|
||||
|
||||
* Maximum length of an object path: 1024 characters
|
||||
|
||||
* Maximum size of a binary object: no absolute limit. Files \> 5GB are
|
||||
partitioned into separate files in the native filesystem, and merged during
|
||||
retrieval. *Warning:* the partitioned/large file support is the
|
||||
most complex part of the Hadoop/Swift FS integration, and, along with
|
||||
authentication, the most troublesome to support.
|
||||
|
||||
### Testing the hadoop-openstack module
|
||||
|
||||
The `hadoop-openstack` can be remotely tested against any public or private cloud infrastructure which supports the OpenStack Keystone authentication mechanism. It can also be tested against private OpenStack clusters. OpenStack Development teams are strongly encouraged to test the Hadoop swift filesystem client against any version of Swift that they are developing or deploying, to stress their cluster and to identify bugs early.
|
||||
|
||||
The module comes with a large suite of JUnit tests -tests that are only executed if the source tree includes credentials to test against a specific cluster.
|
||||
|
||||
After checking out the Hadoop source tree, create the file:
|
||||
|
||||
hadoop-tools/hadoop-openstack/src/test/resources/auth-keys.xml
|
||||
|
||||
Into this file, insert the credentials needed to bond to the test filesystem, as decribed above.
|
||||
|
||||
Next set the property `test.fs.swift.name` to the URL of a swift container to test against. The tests expect exclusive access to this container -do not keep any other data on it, or expect it to be preserved.
|
||||
|
||||
<property>
|
||||
<name>test.fs.swift.name</name>
|
||||
<value>swift://test.myswift/</value>
|
||||
</property>
|
||||
|
||||
In the base hadoop directory, run:
|
||||
|
||||
mvn clean install -DskipTests
|
||||
|
||||
This builds a set of Hadoop JARs consistent with the `hadoop-openstack` module that is about to be tested.
|
||||
|
||||
In the `hadoop-tools/hadoop-openstack` directory run
|
||||
|
||||
mvn test -Dtest=TestSwiftRestClient
|
||||
|
||||
This runs some simple tests which include authenticating against the remote swift service. If these tests fail, so will all the rest. If it does fail: check your authentication.
|
||||
|
||||
Once this test succeeds, you can run the full test suite
|
||||
|
||||
mvn test
|
||||
|
||||
Be advised that these tests can take an hour or more, especially against a remote Swift service -or one that throttles bulk operations.
|
||||
|
||||
Once the `auth-keys.xml` file is in place, the `mvn test` runs from the Hadoop source base directory will automatically run these OpenStack tests While this ensures that no regressions have occurred, it can also add significant time to test runs, and may run up bills, depending on who is providingthe Swift storage service. We recommend having a separate source tree set up purely for the Swift tests, and running it manually or by the CI tooling at a lower frequency than normal test runs.
|
||||
|
||||
Finally: Apache Hadoop is an open source project. Contributions of code -including more tests- are very welcome.
|
|
@ -0,0 +1,30 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#banner {
|
||||
height: 93px;
|
||||
background: none;
|
||||
}
|
||||
|
||||
#bannerLeft img {
|
||||
margin-left: 30px;
|
||||
margin-top: 10px;
|
||||
}
|
||||
|
||||
#bannerRight img {
|
||||
margin: 17px;
|
||||
}
|
||||
|
|
@ -1,439 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License.
|
||||
|
||||
---
|
||||
Yarn Scheduler Load Simulator (SLS)
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Yarn Scheduler Load Simulator (SLS)
|
||||
|
||||
%{toc|section=1|fromDepth=0}
|
||||
|
||||
* Overview
|
||||
|
||||
** Overview
|
||||
|
||||
The Yarn scheduler is a fertile area of interest with different
|
||||
implementations, e.g., Fifo, Capacity and Fair schedulers. Meanwhile, several
|
||||
optimizations are also made to improve scheduler performance for different
|
||||
scenarios and workload. Each scheduler algorithm has its own set of features,
|
||||
and drives scheduling decisions by many factors, such as fairness, capacity
|
||||
guarantee, resource availability, etc. It is very important to evaluate a
|
||||
scheduler algorithm very well before we deploy in a production cluster.
|
||||
Unfortunately, currently it is non-trivial to evaluate a scheduler algorithm.
|
||||
Evaluating in a real cluster is always time and cost consuming, and it is
|
||||
also very hard to find a large-enough cluster. Hence, a simulator which can
|
||||
predict how well a scheduler algorithm for some specific workload would be
|
||||
quite useful.
|
||||
|
||||
The Yarn Scheduler Load Simulator (SLS) is such a tool, which can simulate
|
||||
large-scale Yarn clusters and application loads in a single machine.This
|
||||
simulator would be invaluable in furthering Yarn by providing a tool for
|
||||
researchers and developers to prototype new scheduler features and predict
|
||||
their behavior and performance with reasonable amount of confidence,
|
||||
thereby aiding rapid innovation.
|
||||
|
||||
The simulator will exercise the real Yarn <<<ResourceManager>>> removing the
|
||||
network factor by simulating <<<NodeManagers>>> and <<<ApplicationMasters>>>
|
||||
via handling and dispatching <<<NM>>>/<<<AMs>>> heartbeat events from within
|
||||
the same JVM. To keep tracking of scheduler behavior and performance, a
|
||||
scheduler wrapper will wrap the real scheduler.
|
||||
|
||||
The size of the cluster and the application load can be loaded from
|
||||
configuration files, which are generated from job history files directly by
|
||||
adopting {{{https://hadoop.apache.org/docs/stable/rumen.html}Apache Rumen}}.
|
||||
|
||||
The simulator will produce real time metrics while executing, including:
|
||||
|
||||
* Resource usages for whole cluster and each queue, which can be utilized to
|
||||
configure cluster and queue's capacity.
|
||||
|
||||
* The detailed application execution trace (recorded in relation to simulated
|
||||
time), which can be analyzed to understand/validate the scheduler behavior
|
||||
(individual jobs turn around time, throughput, fairness, capacity guarantee,
|
||||
etc.).
|
||||
|
||||
* Several key metrics of scheduler algorithm, such as time cost of each
|
||||
scheduler operation (allocate, handle, etc.), which can be utilized by Hadoop
|
||||
developers to find the code spots and scalability limits.
|
||||
|
||||
** Goals
|
||||
|
||||
* Exercise the scheduler at scale without a real cluster using real job
|
||||
traces.
|
||||
|
||||
* Being able to simulate real workloads.
|
||||
|
||||
** Architecture
|
||||
|
||||
The following figure illustrates the implementation architecture of the
|
||||
simulator.
|
||||
|
||||
[images/sls_arch.png] The architecture of the simulator
|
||||
|
||||
The simulator takes input of workload traces, and fetches the cluster and
|
||||
applications information. For each NM and AM, the simulator builds a simulator
|
||||
to simulate their running. All NM/AM simulators run in a thread pool. The
|
||||
simulator reuses Yarn Resource Manager, and builds a wrapper out of the
|
||||
scheduler. The Scheduler Wrapper can track the scheduler behaviors and
|
||||
generates several logs, which are the outputs of the simulator and can be
|
||||
further analyzed.
|
||||
|
||||
** Usecases
|
||||
|
||||
* Engineering
|
||||
|
||||
* Verify correctness of scheduler algorithm under load
|
||||
|
||||
* Cheap/practical way for finding code hotspots/critical-path.
|
||||
|
||||
* Validate the impact of changes and new features.
|
||||
|
||||
* Determine what drives the scheduler scalability limits.
|
||||
|
||||
[]
|
||||
|
||||
* QA
|
||||
|
||||
* Validate scheduler behavior for "large" clusters and several workload
|
||||
profiles.
|
||||
|
||||
* Solutions/Sales.
|
||||
|
||||
* Sizing model for predefined/typical workloads.
|
||||
|
||||
* Cluster sizing tool using real customer data (job traces).
|
||||
|
||||
* Determine minimum SLAs under a particular workload.
|
||||
|
||||
* Usage
|
||||
|
||||
This section will show how to use the simulator. Here let <<<$HADOOP_ROOT>>>
|
||||
represent the Hadoop install directory. If you build Hadoop yourself,
|
||||
<<<$HADOOP_ROOT>>> is <<<hadoop-dist/target/hadoop-$VERSION>>>. The simulator
|
||||
is located at <<<$HADOOP_ROOT/share/hadoop/tools/sls>>>. The fold <<<sls>>>
|
||||
containers four directories: <<<bin>>>, <<<html>>>, <<<sample-conf>>>, and
|
||||
<<<sample-data>>>
|
||||
|
||||
* <<<bin>>>: contains running scripts for the simulator.
|
||||
|
||||
* <<<html>>>: contains several html/css/js files we needed for real-time
|
||||
tracking.
|
||||
|
||||
* <<<sample-conf>>>: specifies the simulator configurations.
|
||||
|
||||
* <<<sample-data>>>: provides an example rumen trace, which can be used to
|
||||
generate inputs of the simulator.
|
||||
|
||||
[]
|
||||
|
||||
The following sections will describe how to use the simulator step by step.
|
||||
Before start, make sure that command <<<hadoop>>> is included in your
|
||||
<<<$PATH>>> environment parameter.
|
||||
|
||||
** Step 1: Configure Hadoop and the simulator
|
||||
|
||||
Before we start, make sure Hadoop and the simulator are configured well.
|
||||
All configuration files for Hadoop and the simulator should be placed in
|
||||
directory <<<$HADOOP_ROOT/etc/hadoop>>>, where the <<<ResourceManager>>>
|
||||
and Yarn scheduler load their configurations. Directory
|
||||
<<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/>>> provides several
|
||||
example configurations, that can be used to start a demo.
|
||||
|
||||
For configuration of Hadoop and Yarn scheduler, users can refer to Yarn’s
|
||||
website ({{{http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/}
|
||||
http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/}}).
|
||||
|
||||
For the simulator, it loads configuration information from file
|
||||
<<<$HADOOP_ROOT/etc/hadoop/sls-runner.xml>>>.
|
||||
|
||||
Here we illustrate each configuration parameter in <<<sls-runner.xml>>>.
|
||||
Note that <<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/sls-runner.xml>>>
|
||||
contains all the default values for these configuration parameters.
|
||||
|
||||
* <<<yarn.sls.runner.pool.size>>>
|
||||
|
||||
The simulator uses a thread pool to simulate the <<<NM>>> and <<<AM>>> running
|
||||
, and this parameter specifies the number of threads in the pool.
|
||||
|
||||
* <<<yarn.sls.nm.memory.mb>>>
|
||||
|
||||
The total memory for each <<<NMSimulator>>>.
|
||||
|
||||
* <<<yarn.sls.nm.vcores>>>
|
||||
|
||||
The total vCores for each <<<NMSimulator>>>.
|
||||
|
||||
* <<<yarn.sls.nm.heartbeat.interval.ms>>>
|
||||
|
||||
The heartbeat interval for each <<<NMSimulator>>>.
|
||||
|
||||
* <<<yarn.sls.am.heartbeat.interval.ms>>>
|
||||
|
||||
The heartbeat interval for each <<<AMSimulator>>>.
|
||||
|
||||
* <<<yarn.sls.am.type.mapreduce>>>
|
||||
|
||||
The <<<AMSimulator>>> implementation for MapReduce-like applications.
|
||||
Users can specify implementations for other type of applications.
|
||||
|
||||
* <<<yarn.sls.container.memory.mb>>>
|
||||
|
||||
The memory required for each container simulator.
|
||||
|
||||
* <<<yarn.sls.container.vcores>>>
|
||||
|
||||
The vCores required for each container simulator.
|
||||
|
||||
* <<<yarn.sls.runner.metrics.switch>>>
|
||||
|
||||
The simulator introduces {{{http://metrics.codahale.com/}Metrics}} to measure
|
||||
the behaviors of critical components and operations. This field specifies
|
||||
whether we open (<<<ON>>>) or close (<<<OFF>>>) the Metrics running.
|
||||
|
||||
* <<<yarn.sls.metrics.web.address.port>>>
|
||||
|
||||
The port used by simulator to provide real-time tracking. The default value is
|
||||
10001.
|
||||
|
||||
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler>>>
|
||||
|
||||
The implementation of scheduler metrics of Fifo Scheduler.
|
||||
|
||||
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler>>>
|
||||
|
||||
The implementation of scheduler metrics of Fair Scheduler.
|
||||
|
||||
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler>>>
|
||||
|
||||
The implementation of scheduler metrics of Capacity Scheduler.
|
||||
|
||||
** Step 2: Run the simulator
|
||||
|
||||
The simulator supports two types of input files: the rumen traces and its own
|
||||
input traces. The script to start the simulator is <<<slsrun.sh>>>.
|
||||
|
||||
+----+
|
||||
$ cd $HADOOP_ROOT/share/hadoop/tools/sls
|
||||
$ bin/slsrun.sh
|
||||
--input-rumen|--input-sls=<TRACE_FILE1,TRACE_FILE2,...>
|
||||
--output-dir=<SLS_SIMULATION_OUTPUT_DIRECTORY> [--nodes=<SLS_NODES_FILE>]
|
||||
[--track-jobs=<JOBID1,JOBID2,...>] [--print-simulation]
|
||||
+----+
|
||||
|
||||
* <<<--input-rumen>>>: The input rumen trace files. Users can input multiple
|
||||
files, separated by comma. One example trace is provided in
|
||||
<<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-data/2jobs2min-rumen-jh.json>>>.
|
||||
|
||||
* <<<--input-sls>>>: Simulator its own file format. The simulator also
|
||||
provides a tool to convert rumen traces to sls traces (<<<rumen2sls.sh>>>).
|
||||
Refer to appendix for an example of sls input json file.
|
||||
|
||||
* <<<--output-dir>>>: The output directory for generated running logs and
|
||||
metrics.
|
||||
|
||||
* <<<--nodes>>>: The cluster topology. By default, the simulator will use the
|
||||
topology fetched from the input json files. Users can specifies a new topology
|
||||
by setting this parameter. Refer to the appendix for the topology file format.
|
||||
|
||||
* <<<--track-jobs>>>: The particular jobs that will be tracked during
|
||||
simulator running, spearated by comma.
|
||||
|
||||
* <<<--print-simulation>>>: Whether to print out simulation information
|
||||
before simulator running, including number of nodes, applications, tasks,
|
||||
and information for each application.
|
||||
|
||||
In comparison to rumen format, here the sls format is much simpler and users
|
||||
can easily generate various workload. The simulator also provides a tool to
|
||||
convert rumen traces to sls traces.
|
||||
|
||||
+----+
|
||||
$ bin/rumen2sls.sh
|
||||
--rumen-file=<RUMEN_FILE>
|
||||
--output-dir=<SLS_OUTPUT_DIRECTORY>
|
||||
[--output-prefix=<SLS_FILE_PREFIX>]
|
||||
+----+
|
||||
|
||||
* <<<--rumen-file>>>: The rumen format file. One example trace is provided
|
||||
in directory <<<sample-data>>>.
|
||||
|
||||
* <<<--output-dir>>>: The output directory of generated simulation traces.
|
||||
Two files will be generated in this output directory, including one trace
|
||||
file including all job and task information, and another file showing the
|
||||
topology information.
|
||||
|
||||
* <<<--output-prefix>>>: The prefix of the generated files. The default value
|
||||
is ”sls”, and the two generated files are <<<sls-jobs.json>>> and
|
||||
<<<sls-nodes.json>>>.
|
||||
|
||||
* Metrics
|
||||
|
||||
The Yarn Scheduler Load Simulator has integrated
|
||||
{{{http://metrics.codahale.com/}Metrics}} to measure the behaviors of critical
|
||||
components and operations, including running applications and containers,
|
||||
cluster available resources, scheduler operation timecost, et al. If the
|
||||
switch <<<yarn.sls.runner.metrics.switch>>> is set <<<ON>>>, <<<Metrics>>>
|
||||
will run and output it logs in <<<--output-dir>>> directory specified by users.
|
||||
Users can track these information during simulator running, and can also
|
||||
analyze these logs after running to evaluate the scheduler performance.
|
||||
|
||||
** Real-time Tracking
|
||||
|
||||
The simulator provides an interface for tracking its running in real-time.
|
||||
Users can go to <<<http://host:port/simulate>>> to track whole running,
|
||||
and <<<http://host:port/track>>> to track a particular job or queue. Here
|
||||
the <<<host>>> is the place when we run the simulator, and <<<port>>> is
|
||||
the value configured by <<<yarn.sls.metrics.web.address.port>>> (default value
|
||||
is 10001).
|
||||
|
||||
Here we'll illustrate each chart shown in the webpage.
|
||||
|
||||
The first figure describes the number of running applications and containers.
|
||||
|
||||
[images/sls_running_apps_containers.png] Number of running applications/containers
|
||||
|
||||
The second figure describes the allocated and available resources (memory)
|
||||
in the cluster.
|
||||
|
||||
[images/sls_cluster_memory.png] Cluster Resource (Memory)
|
||||
|
||||
The third figure describes the allocated resource for each queue. Here we have
|
||||
three queues: sls_queue_1, sls_queue_2, and sls_queue_3.The first two queues
|
||||
are configured with 25% share, while the last one has 50% share.
|
||||
|
||||
[images/sls_queue_allocated_memory.png] Queue Allocated Resource (Memory)
|
||||
|
||||
The fourth figure describes the timecost for each scheduler operation.
|
||||
|
||||
[images/sls_scheduler_operation_timecost.png] Scheduler Opertion Timecost
|
||||
|
||||
Finally, we measure the memory used by the simulator.
|
||||
|
||||
[images/sls_JVM.png] JVM Memory
|
||||
|
||||
The simulator also provides an interface for tracking some particular
|
||||
jobs and queues. Go to <<<http://<Host>:<Port>/track>>> to get these
|
||||
information.
|
||||
|
||||
Here the first figure illustrates the resource usage information for queue
|
||||
<<<SLS_Queue_1>>>.
|
||||
|
||||
[images/sls_track_queue.png] Tracking Queue <<<sls_queue_3>>>
|
||||
|
||||
The second figure illustrates the resource usage information for job
|
||||
<<<job_1369942127770_0653>>>.
|
||||
|
||||
[images/sls_track_job.png] Tracking Job <<<job_1369942127770_0653>>>
|
||||
|
||||
** Offline Analysis
|
||||
|
||||
After the simulator finishes, all logs are saved in the output directory
|
||||
specified by <<<--output-dir>>> in
|
||||
<<<$HADOOP_ROOT/share/hadoop/tools/sls/bin/slsrun.sh>>>.
|
||||
|
||||
* File <<<realtimetrack.json>>>: records all real-time tracking logs every 1
|
||||
second.
|
||||
|
||||
* File <<<jobruntime.csv>>>: records all jobs’ start and end time in the
|
||||
simulator.
|
||||
|
||||
* Folder <<<metrics>>>: logs generated by the Metrics.
|
||||
|
||||
[]
|
||||
|
||||
Users can also reproduce those real-time tracking charts in offline mode.
|
||||
Just upload the <<<realtimetrack.json>>> to
|
||||
<<<$HADOOP_ROOT/share/hadoop/tools/sls/html/showSimulationTrace.html>>>.
|
||||
For browser security problem, need to put files <<<realtimetrack.json>>> and
|
||||
<<<showSimulationTrace.html>>> in the same directory.
|
||||
|
||||
* Appendix
|
||||
|
||||
** Resources
|
||||
|
||||
{{{https://issues.apache.org/jira/browse/YARN-1021}YARN-1021}} is the main
|
||||
JIRA that introduces Yarn Scheduler Load Simulator to Hadoop Yarn project.
|
||||
|
||||
** SLS JSON input file format
|
||||
|
||||
Here we provide an example format of the sls json file, which contains 2 jobs.
|
||||
The first job has 3 map tasks and the second one has 2 map tasks.
|
||||
|
||||
+----+
|
||||
{
|
||||
"am.type" : "mapreduce",
|
||||
"job.start.ms" : 0,
|
||||
"job.end.ms" : 95375,
|
||||
"job.queue.name" : "sls_queue_1",
|
||||
"job.id" : "job_1",
|
||||
"job.user" : "default",
|
||||
"job.tasks" : [ {
|
||||
"container.host" : "/default-rack/node1",
|
||||
"container.start.ms" : 6664,
|
||||
"container.end.ms" : 23707,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node3",
|
||||
"container.start.ms" : 6665,
|
||||
"container.end.ms" : 21593,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node2",
|
||||
"container.start.ms" : 68770,
|
||||
"container.end.ms" : 86613,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
} ]
|
||||
}
|
||||
{
|
||||
"am.type" : "mapreduce",
|
||||
"job.start.ms" : 105204,
|
||||
"job.end.ms" : 197256,
|
||||
"job.queue.name" : "sls_queue_2",
|
||||
"job.id" : "job_2",
|
||||
"job.user" : "default",
|
||||
"job.tasks" : [ {
|
||||
"container.host" : "/default-rack/node1",
|
||||
"container.start.ms" : 111822,
|
||||
"container.end.ms" : 133985,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node2",
|
||||
"container.start.ms" : 111788,
|
||||
"container.end.ms" : 131377,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
} ]
|
||||
}
|
||||
+----+
|
||||
|
||||
** Simulator input topology file format
|
||||
|
||||
Here is an example input topology file which has 3 nodes organized in 1 rack.
|
||||
|
||||
+----+
|
||||
{
|
||||
"rack" : "default-rack",
|
||||
"nodes" : [ {
|
||||
"node" : "node1"
|
||||
}, {
|
||||
"node" : "node2"
|
||||
}, {
|
||||
"node" : "node3"
|
||||
}]
|
||||
}
|
||||
+----+
|
|
@ -0,0 +1,357 @@
|
|||
<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
Yarn Scheduler Load Simulator (SLS)
|
||||
===================================
|
||||
|
||||
* [Yarn Scheduler Load Simulator (SLS)](#Yarn_Scheduler_Load_Simulator_SLS)
|
||||
* [Overview](#Overview)
|
||||
* [Overview](#Overview)
|
||||
* [Goals](#Goals)
|
||||
* [Architecture](#Architecture)
|
||||
* [Usecases](#Usecases)
|
||||
* [Usage](#Usage)
|
||||
* [Step 1: Configure Hadoop and the simulator](#Step_1:_Configure_Hadoop_and_the_simulator)
|
||||
* [Step 2: Run the simulator](#Step_2:_Run_the_simulator)
|
||||
* [Metrics](#Metrics)
|
||||
* [Real-time Tracking](#Real-time_Tracking)
|
||||
* [Offline Analysis](#Offline_Analysis)
|
||||
* [Appendix](#Appendix)
|
||||
* [Resources](#Resources)
|
||||
* [SLS JSON input file format](#SLS_JSON_input_file_format)
|
||||
* [Simulator input topology file format](#Simulator_input_topology_file_format)
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
### Overview
|
||||
|
||||
The Yarn scheduler is a fertile area of interest with different implementations, e.g., Fifo, Capacity and Fair schedulers. Meanwhile, several optimizations are also made to improve scheduler performance for different scenarios and workload. Each scheduler algorithm has its own set of features, and drives scheduling decisions by many factors, such as fairness, capacity guarantee, resource availability, etc. It is very important to evaluate a scheduler algorithm very well before we deploy in a production cluster. Unfortunately, currently it is non-trivial to evaluate a scheduler algorithm. Evaluating in a real cluster is always time and cost consuming, and it is also very hard to find a large-enough cluster. Hence, a simulator which can predict how well a scheduler algorithm for some specific workload would be quite useful.
|
||||
|
||||
The Yarn Scheduler Load Simulator (SLS) is such a tool, which can simulate large-scale Yarn clusters and application loads in a single machine.This simulator would be invaluable in furthering Yarn by providing a tool for researchers and developers to prototype new scheduler features and predict their behavior and performance with reasonable amount of confidence, thereby aiding rapid innovation.
|
||||
o
|
||||
The simulator will exercise the real Yarn `ResourceManager` removing the network factor by simulating `NodeManagers` and `ApplicationMasters` via handling and dispatching `NM`/`AMs` heartbeat events from within the same JVM. To keep tracking of scheduler behavior and performance, a scheduler wrapper will wrap the real scheduler.
|
||||
|
||||
The size of the cluster and the application load can be loaded from configuration files, which are generated from job history files directly by adopting [Apache Rumen](https://hadoop.apache.org/docs/stable/rumen.html).
|
||||
|
||||
The simulator will produce real time metrics while executing, including:
|
||||
|
||||
* Resource usages for whole cluster and each queue, which can be utilized to
|
||||
configure cluster and queue's capacity.
|
||||
|
||||
* The detailed application execution trace (recorded in relation to simulated
|
||||
time), which can be analyzed to understand/validate the scheduler behavior
|
||||
(individual jobs turn around time, throughput, fairness, capacity guarantee,
|
||||
etc.).
|
||||
|
||||
* Several key metrics of scheduler algorithm, such as time cost of each
|
||||
scheduler operation (allocate, handle, etc.), which can be utilized by Hadoop
|
||||
developers to find the code spots and scalability limits.
|
||||
|
||||
### Goals
|
||||
|
||||
* Exercise the scheduler at scale without a real cluster using real job
|
||||
traces.
|
||||
|
||||
* Being able to simulate real workloads.
|
||||
|
||||
### Architecture
|
||||
|
||||
The following figure illustrates the implementation architecture of the simulator.
|
||||
|
||||
![The architecture of the simulator](images/sls_arch.png)
|
||||
|
||||
The simulator takes input of workload traces, and fetches the cluster and applications information. For each NM and AM, the simulator builds a simulator to simulate their running. All NM/AM simulators run in a thread pool. The simulator reuses Yarn Resource Manager, and builds a wrapper out of the scheduler. The Scheduler Wrapper can track the scheduler behaviors and generates several logs, which are the outputs of the simulator and can be further analyzed.
|
||||
|
||||
### Usecases
|
||||
|
||||
* Engineering
|
||||
* Verify correctness of scheduler algorithm under load
|
||||
* Cheap/practical way for finding code hotspots/critical-path.
|
||||
* Validate the impact of changes and new features.
|
||||
* Determine what drives the scheduler scalability limits.
|
||||
|
||||
* QA
|
||||
* Validate scheduler behavior for "large" clusters and several workload profiles.
|
||||
|
||||
* Solutions/Sales.
|
||||
* Sizing model for predefined/typical workloads.
|
||||
* Cluster sizing tool using real customer data (job traces).
|
||||
* Determine minimum SLAs under a particular workload.
|
||||
|
||||
Usage
|
||||
-----
|
||||
|
||||
This section will show how to use the simulator. Here let `$HADOOP_ROOT` represent the Hadoop install directory. If you build Hadoop yourself, `$HADOOP_ROOT` is `hadoop-dist/target/hadoop-$VERSION`. The simulator is located at `$HADOOP_ROOT/share/hadoop/tools/sls`. The fold `sls` containers four directories: `bin`, `html`, `sample-conf`, and `sample-data`
|
||||
|
||||
* `bin`: contains running scripts for the simulator.
|
||||
|
||||
* `html`: contains several html/css/js files we needed for real-time tracking.
|
||||
|
||||
* `sample-conf`: specifies the simulator configurations.
|
||||
|
||||
* `sample-data`: provides an example rumen trace, which can be used to
|
||||
generate inputs of the simulator.
|
||||
|
||||
The following sections will describe how to use the simulator step by step. Before start, make sure that command `hadoop` is included in your `$PATH` environment parameter.
|
||||
|
||||
### Step 1: Configure Hadoop and the simulator
|
||||
|
||||
Before we start, make sure Hadoop and the simulator are configured well. All configuration files for Hadoop and the simulator should be placed in directory `$HADOOP_ROOT/etc/hadoop`, where the `ResourceManager` and Yarn scheduler load their configurations. Directory `$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/` provides several example configurations, that can be used to start a demo.
|
||||
|
||||
For configuration of Hadoop and Yarn scheduler, users can refer to Yarn’s website (<http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/>).
|
||||
|
||||
For the simulator, it loads configuration information from file `$HADOOP_ROOT/etc/hadoop/sls-runner.xml`.
|
||||
|
||||
Here we illustrate each configuration parameter in `sls-runner.xml`. Note that `$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/sls-runner.xml` contains all the default values for these configuration parameters.
|
||||
|
||||
* `yarn.sls.runner.pool.size`
|
||||
|
||||
The simulator uses a thread pool to simulate the `NM` and `AM` running,
|
||||
and this parameter specifies the number of threads in the pool.
|
||||
|
||||
* `yarn.sls.nm.memory.mb`
|
||||
|
||||
The total memory for each `NMSimulator`.
|
||||
|
||||
* `yarn.sls.nm.vcores`
|
||||
|
||||
The total vCores for each `NMSimulator`.
|
||||
|
||||
* `yarn.sls.nm.heartbeat.interval.ms`
|
||||
|
||||
The heartbeat interval for each `NMSimulator`.
|
||||
|
||||
* `yarn.sls.am.heartbeat.interval.ms`
|
||||
|
||||
The heartbeat interval for each `AMSimulator`.
|
||||
|
||||
* `yarn.sls.am.type.mapreduce`
|
||||
|
||||
The `AMSimulator` implementation for MapReduce-like applications.
|
||||
Users can specify implementations for other type of applications.
|
||||
|
||||
* `yarn.sls.container.memory.mb`
|
||||
|
||||
The memory required for each container simulator.
|
||||
|
||||
* `yarn.sls.container.vcores`
|
||||
|
||||
The vCores required for each container simulator.
|
||||
|
||||
* `yarn.sls.runner.metrics.switch`
|
||||
|
||||
The simulator introduces [Metrics](http://metrics.codahale.com/) to measure
|
||||
the behaviors of critical components and operations. This field specifies
|
||||
whether we open (`ON`) or close (`OFF`) the Metrics running.
|
||||
|
||||
* `yarn.sls.metrics.web.address.port`
|
||||
|
||||
The port used by simulator to provide real-time tracking. The default value is
|
||||
10001.
|
||||
|
||||
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler`
|
||||
|
||||
The implementation of scheduler metrics of Fifo Scheduler.
|
||||
|
||||
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler`
|
||||
|
||||
The implementation of scheduler metrics of Fair Scheduler.
|
||||
|
||||
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler`
|
||||
|
||||
The implementation of scheduler metrics of Capacity Scheduler.
|
||||
|
||||
### Step 2: Run the simulator
|
||||
|
||||
The simulator supports two types of input files: the rumen traces and its own input traces. The script to start the simulator is `slsrun.sh`.
|
||||
|
||||
$ cd $HADOOP_ROOT/share/hadoop/tools/sls
|
||||
$ bin/slsrun.sh
|
||||
--input-rumen |--input-sls=<TRACE_FILE1,TRACE_FILE2,...>
|
||||
--output-dir=<SLS_SIMULATION_OUTPUT_DIRECTORY> [--nodes=<SLS_NODES_FILE>]
|
||||
[--track-jobs=<JOBID1,JOBID2,...>] [--print-simulation]
|
||||
|
||||
* `--input-rumen`: The input rumen trace files. Users can input multiple
|
||||
files, separated by comma. One example trace is provided in
|
||||
`$HADOOP_ROOT/share/hadoop/tools/sls/sample-data/2jobs2min-rumen-jh.json`.
|
||||
|
||||
* `--input-sls`: Simulator its own file format. The simulator also
|
||||
provides a tool to convert rumen traces to sls traces (`rumen2sls.sh`).
|
||||
Refer to appendix for an example of sls input json file.
|
||||
|
||||
* `--output-dir`: The output directory for generated running logs and
|
||||
metrics.
|
||||
|
||||
* `--nodes`: The cluster topology. By default, the simulator will use the
|
||||
topology fetched from the input json files. Users can specifies a new topology
|
||||
by setting this parameter. Refer to the appendix for the topology file format.
|
||||
|
||||
* `--track-jobs`: The particular jobs that will be tracked during
|
||||
simulator running, spearated by comma.
|
||||
|
||||
* `--print-simulation`: Whether to print out simulation information
|
||||
before simulator running, including number of nodes, applications, tasks,
|
||||
and information for each application.
|
||||
|
||||
In comparison to rumen format, here the sls format is much simpler and users
|
||||
can easily generate various workload. The simulator also provides a tool to
|
||||
convert rumen traces to sls traces.
|
||||
|
||||
$ bin/rumen2sls.sh
|
||||
--rumen-file=<RUMEN_FILE>
|
||||
--output-dir=<SLS_OUTPUT_DIRECTORY>
|
||||
[--output-prefix=<SLS_FILE_PREFIX>]
|
||||
|
||||
* `--rumen-file`: The rumen format file. One example trace is provided
|
||||
in directory `sample-data`.
|
||||
|
||||
* `--output-dir`: The output directory of generated simulation traces.
|
||||
Two files will be generated in this output directory, including one trace
|
||||
file including all job and task information, and another file showing the
|
||||
topology information.
|
||||
|
||||
* `--output-prefix`: The prefix of the generated files. The default value
|
||||
is "sls", and the two generated files are `sls-jobs.json` and
|
||||
`sls-nodes.json`.
|
||||
|
||||
Metrics
|
||||
-------
|
||||
|
||||
The Yarn Scheduler Load Simulator has integrated [Metrics](http://metrics.codahale.com/) to measure the behaviors of critical components and operations, including running applications and containers, cluster available resources, scheduler operation timecost, et al. If the switch `yarn.sls.runner.metrics.switch` is set `ON`, `Metrics` will run and output it logs in `--output-dir` directory specified by users. Users can track these information during simulator running, and can also analyze these logs after running to evaluate the scheduler performance.
|
||||
|
||||
### Real-time Tracking
|
||||
|
||||
The simulator provides an interface for tracking its running in real-time. Users can go to `http://host:port/simulate` to track whole running, and `http://host:port/track` to track a particular job or queue. Here the `host` is the place when we run the simulator, and `port` is the value configured by `yarn.sls.metrics.web.address.port` (default value is 10001).
|
||||
|
||||
Here we'll illustrate each chart shown in the webpage.
|
||||
|
||||
The first figure describes the number of running applications and containers.
|
||||
|
||||
![Number of running applications/containers](images/sls_running_apps_containers.png)
|
||||
|
||||
The second figure describes the allocated and available resources (memory) in the cluster.
|
||||
|
||||
![Cluster Resource (Memory)](images/sls_cluster_memory.png)
|
||||
|
||||
The third figure describes the allocated resource for each queue. Here we have three queues: sls\_queue\_1, sls\_queue\_2, and sls\_queue\_3.The first two queues are configured with 25% share, while the last one has 50% share.
|
||||
|
||||
![Queue Allocated Resource (Memory)](images/sls_queue_allocated_memory.png)
|
||||
|
||||
The fourth figure describes the timecost for each scheduler operation.
|
||||
|
||||
![Scheduler Opertion Timecost](images/sls_scheduler_operation_timecost.png)
|
||||
|
||||
Finally, we measure the memory used by the simulator.
|
||||
|
||||
![JVM Memory](images/sls_JVM.png)
|
||||
|
||||
The simulator also provides an interface for tracking some particular jobs and queues. Go to `http://<Host>:<Port>/track` to get these information.
|
||||
|
||||
Here the first figure illustrates the resource usage information for queue `SLS_Queue_1`.
|
||||
|
||||
![Tracking Queue `sls_queue_3`](images/sls_track_queue.png)
|
||||
|
||||
The second figure illustrates the resource usage information for job `job_1369942127770_0653`.
|
||||
|
||||
![Tracking Job `job_1369942127770_0653`](images/sls_track_job.png)
|
||||
|
||||
### Offline Analysis
|
||||
|
||||
After the simulator finishes, all logs are saved in the output directory specified by `--output-dir` in `$HADOOP_ROOT/share/hadoop/tools/sls/bin/slsrun.sh`.
|
||||
|
||||
* File `realtimetrack.json`: records all real-time tracking logs every 1
|
||||
second.
|
||||
|
||||
* File `jobruntime.csv`: records all jobs’ start and end time in the
|
||||
simulator.
|
||||
|
||||
* Folder `metrics`: logs generated by the Metrics.
|
||||
|
||||
Users can also reproduce those real-time tracking charts in offline mode. Just upload the `realtimetrack.json` to `$HADOOP_ROOT/share/hadoop/tools/sls/html/showSimulationTrace.html`. For browser security problem, need to put files `realtimetrack.json` and `showSimulationTrace.html` in the same directory.
|
||||
|
||||
Appendix
|
||||
--------
|
||||
|
||||
### Resources
|
||||
|
||||
[YARN-1021](https://issues.apache.org/jira/browse/YARN-1021) is the main JIRA that introduces Yarn Scheduler Load Simulator to Hadoop Yarn project.
|
||||
|
||||
### SLS JSON input file format
|
||||
|
||||
Here we provide an example format of the sls json file, which contains 2 jobs. The first job has 3 map tasks and the second one has 2 map tasks.
|
||||
|
||||
{
|
||||
"am.type" : "mapreduce",
|
||||
"job.start.ms" : 0,
|
||||
"job.end.ms" : 95375,
|
||||
"job.queue.name" : "sls_queue_1",
|
||||
"job.id" : "job_1",
|
||||
"job.user" : "default",
|
||||
"job.tasks" : [ {
|
||||
"container.host" : "/default-rack/node1",
|
||||
"container.start.ms" : 6664,
|
||||
"container.end.ms" : 23707,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node3",
|
||||
"container.start.ms" : 6665,
|
||||
"container.end.ms" : 21593,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node2",
|
||||
"container.start.ms" : 68770,
|
||||
"container.end.ms" : 86613,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
} ]
|
||||
}
|
||||
{
|
||||
"am.type" : "mapreduce",
|
||||
"job.start.ms" : 105204,
|
||||
"job.end.ms" : 197256,
|
||||
"job.queue.name" : "sls_queue_2",
|
||||
"job.id" : "job_2",
|
||||
"job.user" : "default",
|
||||
"job.tasks" : [ {
|
||||
"container.host" : "/default-rack/node1",
|
||||
"container.start.ms" : 111822,
|
||||
"container.end.ms" : 133985,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
}, {
|
||||
"container.host" : "/default-rack/node2",
|
||||
"container.start.ms" : 111788,
|
||||
"container.end.ms" : 131377,
|
||||
"container.priority" : 20,
|
||||
"container.type" : "map"
|
||||
} ]
|
||||
}
|
||||
|
||||
### Simulator input topology file format
|
||||
|
||||
Here is an example input topology file which has 3 nodes organized in 1 rack.
|
||||
|
||||
{
|
||||
"rack" : "default-rack",
|
||||
"nodes" : [ {
|
||||
"node" : "node1"
|
||||
}, {
|
||||
"node" : "node2"
|
||||
}, {
|
||||
"node" : "node3"
|
||||
}]
|
||||
}
|
|
@ -1,792 +0,0 @@
|
|||
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~~ you may not use this file except in compliance with the License.
|
||||
~~ You may obtain a copy of the License at
|
||||
~~
|
||||
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~~
|
||||
~~ Unless required by applicable law or agreed to in writing, software
|
||||
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~~ See the License for the specific language governing permissions and
|
||||
~~ limitations under the License. See accompanying LICENSE file.
|
||||
|
||||
---
|
||||
Hadoop Streaming
|
||||
---
|
||||
---
|
||||
${maven.build.timestamp}
|
||||
|
||||
Hadoop Streaming
|
||||
|
||||
%{toc|section=1|fromDepth=0|toDepth=4}
|
||||
|
||||
* Hadoop Streaming
|
||||
|
||||
Hadoop streaming is a utility that comes with the Hadoop distribution. The
|
||||
utility allows you to create and run Map/Reduce jobs with any executable or
|
||||
script as the mapper and/or the reducer. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /usr/bin/wc
|
||||
+---+
|
||||
|
||||
* How Streaming Works
|
||||
|
||||
In the above example, both the mapper and the reducer are executables that
|
||||
read the input from stdin (line by line) and emit the output to stdout. The
|
||||
utility will create a Map/Reduce job, submit the job to an appropriate
|
||||
cluster, and monitor the progress of the job until it completes.
|
||||
|
||||
When an executable is specified for mappers, each mapper task will launch the
|
||||
executable as a separate process when the mapper is initialized. As the
|
||||
mapper task runs, it converts its inputs into lines and feed the lines to the
|
||||
stdin of the process. In the meantime, the mapper collects the line oriented
|
||||
outputs from the stdout of the process and converts each line into a
|
||||
key/value pair, which is collected as the output of the mapper. By default,
|
||||
the <prefix of a line up to the first tab character> is the <<<key>>> and the
|
||||
rest of the line (excluding the tab character) will be the <<<value>>>. If
|
||||
there is no tab character in the line, then entire line is considered as key
|
||||
and the value is null. However, this can be customized by setting
|
||||
<<<-inputformat>>> command option, as discussed later.
|
||||
|
||||
When an executable is specified for reducers, each reducer task will launch
|
||||
the executable as a separate process then the reducer is initialized. As the
|
||||
reducer task runs, it converts its input key/values pairs into lines and
|
||||
feeds the lines to the stdin of the process. In the meantime, the reducer
|
||||
collects the line oriented outputs from the stdout of the process, converts
|
||||
each line into a key/value pair, which is collected as the output of the
|
||||
reducer. By default, the prefix of a line up to the first tab character is
|
||||
the key and the rest of the line (excluding the tab character) is the value.
|
||||
However, this can be customized by setting <<<-outputformat>>> command
|
||||
option, as discussed later.
|
||||
|
||||
This is the basis for the communication protocol between the Map/Reduce
|
||||
framework and the streaming mapper/reducer.
|
||||
|
||||
User can specify <<<stream.non.zero.exit.is.failure>>> as <<<true>>> or
|
||||
<<<false>>> to make a streaming task that exits with a non-zero status to be
|
||||
<<<Failure>>> or <<<Success>>> respectively. By default, streaming tasks
|
||||
exiting with non-zero status are considered to be failed tasks.
|
||||
|
||||
* Streaming Command Options
|
||||
|
||||
Streaming supports streaming command options as well as
|
||||
{{{Generic_Command_Options}generic command options}}. The general command
|
||||
line syntax is shown below.
|
||||
|
||||
<<Note:>> Be sure to place the generic options before the streaming options,
|
||||
otherwise the command will fail. For an example, see
|
||||
{{{Making_Archives_Available_to_Tasks}Making Archives Available to Tasks}}.
|
||||
|
||||
+---+
|
||||
hadoop command [genericOptions] [streamingOptions]
|
||||
+---+
|
||||
|
||||
The Hadoop streaming command options are listed here:
|
||||
|
||||
*-------------*--------------------*------------------------------------------*
|
||||
|| Parameter || Optional/Required || Description |
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -input directoryname or filename | Required | Input location for mapper
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -output directoryname | Required | Output location for reducer
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -mapper executable or JavaClassName | Required | Mapper executable
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -reducer executable or JavaClassName | Required | Reducer executable
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -file filename | Optional | Make the mapper, reducer, or combiner executable
|
||||
| | | available locally on the compute nodes
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -inputformat JavaClassName | Optional | Class you supply should return
|
||||
| | | key/value pairs of Text class. If not
|
||||
| | | specified, TextInputFormat is used as
|
||||
| | | the default
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -outputformat JavaClassName | Optional | Class you supply should take
|
||||
| | | key/value pairs of Text class. If
|
||||
| | | not specified, TextOutputformat is
|
||||
| | | used as the default
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -partitioner JavaClassName | Optional | Class that determines which reduce a
|
||||
| | | key is sent to
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -combiner streamingCommand | Optional | Combiner executable for map output
|
||||
| or JavaClassName | |
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -cmdenv name=value | Optional | Pass environment variable to streaming
|
||||
| | | commands
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -inputreader | Optional | For backwards-compatibility: specifies a record
|
||||
| | | reader class (instead of an input format class)
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -verbose | Optional | Verbose output
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -lazyOutput | Optional | Create output lazily. For example, if the output
|
||||
| | | format is based on FileOutputFormat, the output file
|
||||
| | | is created only on the first call to Context.write
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -numReduceTasks | Optional | Specify the number of reducers
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -mapdebug | Optional | Script to call when map task fails
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -reducedebug | Optional | Script to call when reduce task fails
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
|
||||
** Specifying a Java Class as the Mapper/Reducer
|
||||
|
||||
You can supply a Java class as the mapper and/or the reducer.
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-inputformat org.apache.hadoop.mapred.KeyValueTextInputFormat \
|
||||
-mapper org.apache.hadoop.mapred.lib.IdentityMapper \
|
||||
-reducer /usr/bin/wc
|
||||
+---+
|
||||
|
||||
You can specify <<<stream.non.zero.exit.is.failure>>> as <<<true>>> or
|
||||
<<<false>>> to make a streaming task that exits with a non-zero status to be
|
||||
<<<Failure>>> or <<<Success>>> respectively. By default, streaming tasks
|
||||
exiting with non-zero status are considered to be failed tasks.
|
||||
|
||||
** Packaging Files With Job Submissions
|
||||
|
||||
You can specify any executable as the mapper and/or the reducer. The
|
||||
executables do not need to pre-exist on the machines in the cluster; however,
|
||||
if they don't, you will need to use "-file" option to tell the framework to
|
||||
pack your executable files as a part of job submission. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myPythonScript.py \
|
||||
-reducer /usr/bin/wc \
|
||||
-file myPythonScript.py
|
||||
+---+
|
||||
|
||||
The above example specifies a user defined Python executable as the mapper.
|
||||
The option "-file myPythonScript.py" causes the python executable shipped
|
||||
to the cluster machines as a part of job submission.
|
||||
|
||||
In addition to executable files, you can also package other auxiliary files
|
||||
(such as dictionaries, configuration files, etc) that may be used by the
|
||||
mapper and/or the reducer. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myPythonScript.py \
|
||||
-reducer /usr/bin/wc \
|
||||
-file myPythonScript.py \
|
||||
-file myDictionary.txt
|
||||
+---+
|
||||
|
||||
** Specifying Other Plugins for Jobs
|
||||
|
||||
Just as with a normal Map/Reduce job, you can specify other plugins for a
|
||||
streaming job:
|
||||
|
||||
+---+
|
||||
-inputformat JavaClassName
|
||||
-outputformat JavaClassName
|
||||
-partitioner JavaClassName
|
||||
-combiner streamingCommand or JavaClassName
|
||||
+---+
|
||||
|
||||
The class you supply for the input format should return key/value pairs of
|
||||
Text class. If you do not specify an input format class, the TextInputFormat
|
||||
is used as the default. Since the TextInputFormat returns keys of
|
||||
LongWritable class, which are actually not part of the input data, the keys
|
||||
will be discarded; only the values will be piped to the streaming mapper.
|
||||
|
||||
The class you supply for the output format is expected to take key/value
|
||||
pairs of Text class. If you do not specify an output format class, the
|
||||
TextOutputFormat is used as the default.
|
||||
|
||||
** Setting Environment Variables
|
||||
|
||||
To set an environment variable in a streaming command use:
|
||||
|
||||
+---+
|
||||
-cmdenv EXAMPLE_DIR=/home/example/dictionaries/
|
||||
+---+
|
||||
|
||||
* Generic Command Options
|
||||
|
||||
Streaming supports {{{Streaming_Command_Options}streaming command options}}
|
||||
as well as generic command options. The general command line syntax is shown
|
||||
below.
|
||||
|
||||
<<Note:>> Be sure to place the generic options before the streaming options,
|
||||
otherwise the command will fail. For an example, see
|
||||
{{{Making_Archives_Available_to_Tasks}Making Archives Available to Tasks}}.
|
||||
|
||||
+---+
|
||||
hadoop command [genericOptions] [streamingOptions]
|
||||
+---+
|
||||
|
||||
The Hadoop generic command options you can use with streaming are listed
|
||||
here:
|
||||
|
||||
*-------------*--------------------*------------------------------------------*
|
||||
|| Parameter || Optional/Required || Description |
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -conf configuration_file | Optional | Specify an application configuration
|
||||
| | | file
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -D property=value | Optional | Use value for given property
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -fs host:port or local | Optional | Specify a namenode
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -files | Optional | Specify comma-separated files to be copied to the
|
||||
| | | Map/Reduce cluster
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -libjars | Optional | Specify comma-separated jar files to include in the
|
||||
| | | classpath
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
| -archives | Optional | Specify comma-separated archives to be unarchived on
|
||||
| | | the compute machines
|
||||
*-------------+--------------------+------------------------------------------+
|
||||
|
||||
** Specifying Configuration Variables with the -D Option
|
||||
|
||||
You can specify additional configuration variables by using
|
||||
"-D \<property\>=\<value\>".
|
||||
|
||||
*** Specifying Directories
|
||||
|
||||
To change the local temp directory use:
|
||||
|
||||
+---+
|
||||
-D dfs.data.dir=/tmp
|
||||
+---+
|
||||
|
||||
To specify additional local temp directories use:
|
||||
|
||||
+---+
|
||||
-D mapred.local.dir=/tmp/local
|
||||
-D mapred.system.dir=/tmp/system
|
||||
-D mapred.temp.dir=/tmp/temp
|
||||
+---+
|
||||
|
||||
<<Note:>> For more details on job configuration parameters see:
|
||||
{{{./mapred-default.xml}mapred-default.xml}}
|
||||
|
||||
*** Specifying Map-Only Jobs
|
||||
|
||||
Often, you may want to process input data using a map function only. To do
|
||||
this, simply set <<<mapreduce.job.reduces>>> to zero. The Map/Reduce
|
||||
framework will not create any reducer tasks. Rather, the outputs of the
|
||||
mapper tasks will be the final output of the job.
|
||||
|
||||
+---+
|
||||
-D mapreduce.job.reduces=0
|
||||
+---+
|
||||
|
||||
To be backward compatible, Hadoop Streaming also supports the "-reducer NONE"
|
||||
option, which is equivalent to "-D mapreduce.job.reduces=0".
|
||||
|
||||
*** Specifying the Number of Reducers
|
||||
|
||||
To specify the number of reducers, for example two, use:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.reduces=2 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /usr/bin/wc
|
||||
+---+
|
||||
|
||||
*** Customizing How Lines are Split into Key/Value Pairs
|
||||
|
||||
As noted earlier, when the Map/Reduce framework reads a line from the stdout
|
||||
of the mapper, it splits the line into a key/value pair. By default, the
|
||||
prefix of the line up to the first tab character is the key and the rest of
|
||||
the line (excluding the tab character) is the value.
|
||||
|
||||
However, you can customize this default. You can specify a field separator
|
||||
other than the tab character (the default), and you can specify the nth
|
||||
(n >= 1) character rather than the first character in a line (the default) as
|
||||
the separator between the key and value. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat
|
||||
+---+
|
||||
|
||||
In the above example, "-D stream.map.output.field.separator=." specifies "."
|
||||
as the field separator for the map outputs, and the prefix up to the fourth
|
||||
"." in a line will be the key and the rest of the line (excluding the fourth
|
||||
".") will be the value. If a line has less than four "."s, then the whole
|
||||
line will be the key and the value will be an empty Text object (like the one
|
||||
created by new Text("")).
|
||||
|
||||
Similarly, you can use "-D stream.reduce.output.field.separator=SEP" and
|
||||
"-D stream.num.reduce.output.fields=NUM" to specify the nth field separator
|
||||
in a line of the reduce outputs as the separator between the key and the
|
||||
value.
|
||||
|
||||
Similarly, you can specify "stream.map.input.field.separator" and
|
||||
"stream.reduce.input.field.separator" as the input separator for Map/Reduce
|
||||
inputs. By default the separator is the tab character.
|
||||
|
||||
** Working with Large Files and Archives
|
||||
|
||||
The -files and -archives options allow you to make files and archives
|
||||
available to the tasks. The argument is a URI to the file or archive that you
|
||||
have already uploaded to HDFS. These files and archives are cached across
|
||||
jobs. You can retrieve the host and fs_port values from the fs.default.name
|
||||
config variable.
|
||||
|
||||
<<Note:>> The -files and -archives options are generic options. Be sure to
|
||||
place the generic options before the command options, otherwise the command
|
||||
will fail.
|
||||
|
||||
*** Making Files Available to Tasks
|
||||
|
||||
The -files option creates a symlink in the current working directory of the
|
||||
tasks that points to the local copy of the file.
|
||||
|
||||
In this example, Hadoop automatically creates a symlink named testfile.txt in
|
||||
the current working directory of the tasks. This symlink points to the local
|
||||
copy of testfile.txt.
|
||||
|
||||
+---+
|
||||
-files hdfs://host:fs_port/user/testfile.txt
|
||||
+---+
|
||||
|
||||
User can specify a different symlink name for -files using #.
|
||||
|
||||
+---+
|
||||
-files hdfs://host:fs_port/user/testfile.txt#testfile
|
||||
+---+
|
||||
|
||||
Multiple entries can be specified like this:
|
||||
|
||||
+---+
|
||||
-files hdfs://host:fs_port/user/testfile1.txt,hdfs://host:fs_port/user/testfile2.txt
|
||||
+---+
|
||||
|
||||
*** Making Archives Available to Tasks
|
||||
|
||||
The -archives option allows you to copy jars locally to the current working
|
||||
directory of tasks and automatically unjar the files.
|
||||
|
||||
In this example, Hadoop automatically creates a symlink named testfile.jar in
|
||||
the current working directory of tasks. This symlink points to the directory
|
||||
that stores the unjarred contents of the uploaded jar file.
|
||||
|
||||
+---+
|
||||
-archives hdfs://host:fs_port/user/testfile.jar
|
||||
+---+
|
||||
|
||||
User can specify a different symlink name for -archives using #.
|
||||
|
||||
+---+
|
||||
-archives hdfs://host:fs_port/user/testfile.tgz#tgzdir
|
||||
+---+
|
||||
|
||||
In this example, the input.txt file has two lines specifying the names of the
|
||||
two files: cachedir.jar/cache.txt and cachedir.jar/cache2.txt. "cachedir.jar"
|
||||
is a symlink to the archived directory, which has the files "cache.txt" and
|
||||
"cache2.txt".
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-archives 'hdfs://hadoop-nn1.example.com/user/me/samples/cachefile/cachedir.jar' \
|
||||
-D mapreduce.job.maps=1 \
|
||||
-D mapreduce.job.reduces=1 \
|
||||
-D mapreduce.job.name="Experiment" \
|
||||
-input "/user/me/samples/cachefile/input.txt" \
|
||||
-output "/user/me/samples/cachefile/out" \
|
||||
-mapper "xargs cat" \
|
||||
-reducer "cat"
|
||||
|
||||
$ ls test_jar/
|
||||
cache.txt cache2.txt
|
||||
|
||||
$ jar cvf cachedir.jar -C test_jar/ .
|
||||
added manifest
|
||||
adding: cache.txt(in = 30) (out= 29)(deflated 3%)
|
||||
adding: cache2.txt(in = 37) (out= 35)(deflated 5%)
|
||||
|
||||
$ hdfs dfs -put cachedir.jar samples/cachefile
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/cachefile/input.txt
|
||||
cachedir.jar/cache.txt
|
||||
cachedir.jar/cache2.txt
|
||||
|
||||
$ cat test_jar/cache.txt
|
||||
This is just the cache string
|
||||
|
||||
$ cat test_jar/cache2.txt
|
||||
This is just the second cache string
|
||||
|
||||
$ hdfs dfs -ls /user/me/samples/cachefile/out
|
||||
Found 2 items
|
||||
-rw-r--r-- 1 me supergroup 0 2013-11-14 17:00 /user/me/samples/cachefile/out/_SUCCESS
|
||||
-rw-r--r-- 1 me supergroup 69 2013-11-14 17:00 /user/me/samples/cachefile/out/part-00000
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/cachefile/out/part-00000
|
||||
This is just the cache string
|
||||
This is just the second cache string
|
||||
+---+
|
||||
|
||||
* More Usage Examples
|
||||
|
||||
** Hadoop Partitioner Class
|
||||
|
||||
Hadoop has a library class,
|
||||
{{{../../api/org/apache/hadoop/mapred/lib/KeyFieldBasedPartitioner.html}
|
||||
KeyFieldBasedPartitioner}}, that is useful for many applications. This class
|
||||
allows the Map/Reduce framework to partition the map outputs based on certain
|
||||
key fields, not the whole keys. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-D map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keypartitioner.options=-k1,2 \
|
||||
-D mapreduce.job.reduces=12 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat \
|
||||
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
|
||||
+---+
|
||||
|
||||
Here, <-D stream.map.output.field.separator=.> and
|
||||
<-D stream.num.map.output.key.fields=4> are as explained in previous example.
|
||||
The two variables are used by streaming to identify the key/value pair of
|
||||
mapper.
|
||||
|
||||
The map output keys of the above Map/Reduce job normally have four fields
|
||||
separated by ".". However, the Map/Reduce framework will partition the map
|
||||
outputs by the first two fields of the keys using the
|
||||
<-D mapred.text.key.partitioner.options=-k1,2> option. Here,
|
||||
<-D map.output.key.field.separator=.> specifies the separator for the
|
||||
partition. This guarantees that all the key/value pairs with the same first
|
||||
two fields in the keys will be partitioned into the same reducer.
|
||||
|
||||
<This is effectively equivalent to specifying the first two fields as the
|
||||
primary key and the next two fields as the secondary. The primary key is used
|
||||
for partitioning, and the combination of the primary and secondary keys is
|
||||
used for sorting.> A simple illustration is shown here:
|
||||
|
||||
Output of map (the keys)
|
||||
|
||||
+---+
|
||||
11.12.1.2
|
||||
11.14.2.3
|
||||
11.11.4.1
|
||||
11.12.1.1
|
||||
11.14.2.2
|
||||
+---+
|
||||
|
||||
Partition into 3 reducers (the first 2 fields are used as keys for partition)
|
||||
|
||||
+---+
|
||||
11.11.4.1
|
||||
-----------
|
||||
11.12.1.2
|
||||
11.12.1.1
|
||||
-----------
|
||||
11.14.2.3
|
||||
11.14.2.2
|
||||
+---+
|
||||
|
||||
Sorting within each partition for the reducer(all 4 fields used for sorting)
|
||||
|
||||
+---+
|
||||
11.11.4.1
|
||||
-----------
|
||||
11.12.1.1
|
||||
11.12.1.2
|
||||
-----------
|
||||
11.14.2.2
|
||||
11.14.2.3
|
||||
+---+
|
||||
|
||||
** Hadoop Comparator Class
|
||||
|
||||
Hadoop has a library class,
|
||||
{{{../../api/org/apache/hadoop/mapreduce/lib/partition/KeyFieldBasedComparator.html}
|
||||
KeyFieldBasedComparator}}, that is useful for many applications. This class
|
||||
provides a subset of features provided by the Unix/GNU Sort. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.output.key.comparator.class=org.apache.hadoop.mapreduce.lib.partition.KeyFieldBasedComparator \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-D mapreduce.map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keycomparator.options=-k2,2nr \
|
||||
-D mapreduce.job.reduces=1 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat
|
||||
+---+
|
||||
|
||||
The map output keys of the above Map/Reduce job normally have four fields
|
||||
separated by ".". However, the Map/Reduce framework will sort the outputs by
|
||||
the second field of the keys using the
|
||||
<-D mapreduce.partition.keycomparator.options=-k2,2nr> option. Here, <-n>
|
||||
specifies that the sorting is numerical sorting and <-r> specifies that the
|
||||
result should be reversed. A simple illustration is shown below:
|
||||
|
||||
Output of map (the keys)
|
||||
|
||||
+---+
|
||||
11.12.1.2
|
||||
11.14.2.3
|
||||
11.11.4.1
|
||||
11.12.1.1
|
||||
11.14.2.2
|
||||
+---+
|
||||
|
||||
Sorting output for the reducer (where second field used for sorting)
|
||||
|
||||
+---+
|
||||
11.14.2.3
|
||||
11.14.2.2
|
||||
11.12.1.2
|
||||
11.12.1.1
|
||||
11.11.4.1
|
||||
+---+
|
||||
|
||||
** Hadoop Aggregate Package
|
||||
|
||||
Hadoop has a library package called
|
||||
{{{../../org/apache/hadoop/mapred/lib/aggregate/package-summary.html}
|
||||
Aggregate}}. Aggregate provides a special reducer class and a special
|
||||
combiner class, and a list of simple aggregators that perform aggregations
|
||||
such as "sum", "max", "min" and so on over a sequence of values. Aggregate
|
||||
allows you to define a mapper plugin class that is expected to generate
|
||||
"aggregatable items" for each input key/value pair of the mappers. The
|
||||
combiner/reducer will aggregate those aggregatable items by invoking the
|
||||
appropriate aggregators.
|
||||
|
||||
To use Aggregate, simply specify "-reducer aggregate":
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myAggregatorForKeyCount.py \
|
||||
-reducer aggregate \
|
||||
-file myAggregatorForKeyCount.py \
|
||||
+---+
|
||||
|
||||
The python program myAggregatorForKeyCount.py looks like:
|
||||
|
||||
+---+
|
||||
#!/usr/bin/python
|
||||
|
||||
import sys;
|
||||
|
||||
def generateLongCountToken(id):
|
||||
return "LongValueSum:" + id + "\t" + "1"
|
||||
|
||||
def main(argv):
|
||||
line = sys.stdin.readline();
|
||||
try:
|
||||
while line:
|
||||
line = line[:-1];
|
||||
fields = line.split("\t");
|
||||
print generateLongCountToken(fields[0]);
|
||||
line = sys.stdin.readline();
|
||||
except "end of file":
|
||||
return None
|
||||
if __name__ == "__main__":
|
||||
main(sys.argv)
|
||||
+---+
|
||||
|
||||
** Hadoop Field Selection Class
|
||||
|
||||
Hadoop has a library class,
|
||||
{{{../../api/org/apache/hadoop/mapred/lib/FieldSelectionMapReduce.html}
|
||||
FieldSelectionMapReduce}}, that effectively allows you to process text data
|
||||
like the unix "cut" utility. The map function defined in the class treats
|
||||
each input key/value pair as a list of fields. You can specify the field
|
||||
separator (the default is the tab character). You can select an arbitrary
|
||||
list of fields as the map output key, and an arbitrary list of fields as the
|
||||
map output value. Similarly, the reduce function defined in the class treats
|
||||
each input key/value pair as a list of fields. You can select an arbitrary
|
||||
list of fields as the reduce output key, and an arbitrary list of fields as
|
||||
the reduce output value. For example:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keypartitioner.options=-k1,2 \
|
||||
-D mapreduce.fieldsel.data.field.separator=. \
|
||||
-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0- \
|
||||
-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5- \
|
||||
-D mapreduce.map.output.key.class=org.apache.hadoop.io.Text \
|
||||
-D mapreduce.job.reduces=12 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
|
||||
-reducer org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
|
||||
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
|
||||
+---+
|
||||
|
||||
The option "-D
|
||||
mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0-" specifies
|
||||
key/value selection for the map outputs. Key selection spec and value
|
||||
selection spec are separated by ":". In this case, the map output key will
|
||||
consist of fields 6, 5, 1, 2, and 3. The map output value will consist of all
|
||||
fields (0- means field 0 and all the subsequent fields).
|
||||
|
||||
The option "-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5-"
|
||||
specifies key/value selection for the reduce outputs. In this case, the
|
||||
reduce output key will consist of fields 0, 1, 2 (corresponding to the
|
||||
original fields 6, 5, 1). The reduce output value will consist of all fields
|
||||
starting from field 5 (corresponding to all the original fields).
|
||||
|
||||
* Frequently Asked Questions
|
||||
|
||||
** How do I use Hadoop Streaming to run an arbitrary set of (semi) independent
|
||||
tasks?
|
||||
|
||||
Often you do not need the full power of Map Reduce, but only need to run
|
||||
multiple instances of the same program - either on different parts of the
|
||||
data, or on the same data, but with different parameters. You can use Hadoop
|
||||
Streaming to do this.
|
||||
|
||||
** How do I process files, one per map?
|
||||
|
||||
As an example, consider the problem of zipping (compressing) a set of files
|
||||
across the hadoop cluster. You can achieve this by using Hadoop Streaming
|
||||
and custom mapper script:
|
||||
|
||||
* Generate a file containing the full HDFS path of the input files. Each map
|
||||
task would get one file name as input.
|
||||
|
||||
* Create a mapper script which, given a filename, will get the file to local
|
||||
disk, gzip the file and put it back in the desired output directory.
|
||||
|
||||
** How many reducers should I use?
|
||||
|
||||
See MapReduce Tutorial for details: {{{./MapReduceTutorial.html#Reducer}
|
||||
Reducer}}
|
||||
|
||||
** If I set up an alias in my shell script, will that work after -mapper?
|
||||
|
||||
For example, say I do: alias c1='cut -f1'. Will -mapper "c1" work?
|
||||
|
||||
Using an alias will not work, but variable substitution is allowed as shown
|
||||
in this example:
|
||||
|
||||
+---+
|
||||
$ hdfs dfs -cat /user/me/samples/student_marks
|
||||
alice 50
|
||||
bruce 70
|
||||
charlie 80
|
||||
dan 75
|
||||
|
||||
$ c2='cut -f2'; hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.name='Experiment' \
|
||||
-input /user/me/samples/student_marks \
|
||||
-output /user/me/samples/student_out \
|
||||
-mapper "$c2" -reducer 'cat'
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/student_out/part-00000
|
||||
50
|
||||
70
|
||||
75
|
||||
80
|
||||
+---+
|
||||
|
||||
** Can I use UNIX pipes?
|
||||
|
||||
For example, will -mapper "cut -f1 | sed s/foo/bar/g" work?
|
||||
|
||||
Currently this does not work and gives an "java.io.IOException: Broken pipe"
|
||||
error. This is probably a bug that needs to be investigated.
|
||||
|
||||
** What do I do if I get the "No space left on device" error?
|
||||
|
||||
For example, when I run a streaming job by distributing large executables
|
||||
(for example, 3.6G) through the -file option, I get a "No space left on
|
||||
device" error.
|
||||
|
||||
The jar packaging happens in a directory pointed to by the configuration
|
||||
variable stream.tmpdir. The default value of stream.tmpdir is /tmp. Set the
|
||||
value to a directory with more space:
|
||||
|
||||
+---+
|
||||
-D stream.tmpdir=/export/bigspace/...
|
||||
+---+
|
||||
|
||||
** How do I specify multiple input directories?
|
||||
|
||||
You can specify multiple input directories with multiple '-input' options:
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input '/user/foo/dir1' -input '/user/foo/dir2' \
|
||||
(rest of the command)
|
||||
+---+
|
||||
|
||||
** How do I generate output files with gzip format?
|
||||
|
||||
Instead of plain text files, you can generate gzip files as your generated
|
||||
output. Pass '-D mapreduce.output.fileoutputformat.compress=true -D
|
||||
mapreduce.output.fileoutputformat.compress.codec=org.apache.hadoop.io.compress.GzipCodec'
|
||||
as option to your streaming job.
|
||||
|
||||
** How do I provide my own input/output format with streaming?
|
||||
|
||||
You can specify your own custom class by packing them and putting the custom
|
||||
jar to \$\{HADOOP_CLASSPATH\}.
|
||||
|
||||
** How do I parse XML documents using streaming?
|
||||
|
||||
You can use the record reader StreamXmlRecordReader to process XML documents.
|
||||
|
||||
+---+
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-inputreader "StreamXmlRecord,begin=BEGIN_STRING,end=END_STRING" \
|
||||
(rest of the command)
|
||||
+---+
|
||||
|
||||
Anything found between BEGIN_STRING and END_STRING would be treated as one
|
||||
record for map tasks.
|
||||
|
||||
** How do I update counters in streaming applications?
|
||||
|
||||
A streaming process can use the stderr to emit counter information.
|
||||
<<<reporter:counter:\<group\>,\<counter\>,\<amount\>>>> should be sent to
|
||||
stderr to update the counter.
|
||||
|
||||
** How do I update status in streaming applications?
|
||||
|
||||
A streaming process can use the stderr to emit status information. To set a
|
||||
status, <<<reporter:status:\<message\>>>> should be sent to stderr.
|
||||
|
||||
** How do I get the Job variables in a streaming job's mapper/reducer?
|
||||
|
||||
See {{{./MapReduceTutorial.html#Configured_Parameters}
|
||||
Configured Parameters}}. During the execution of a streaming job, the names
|
||||
of the "mapred" parameters are transformed. The dots ( . ) become underscores
|
||||
( _ ). For example, mapreduce.job.id becomes mapreduce_job_id and
|
||||
mapreduce.job.jar becomes mapreduce_job_jar. In your code, use the parameter
|
||||
names with the underscores.
|
|
@ -0,0 +1,559 @@
|
|||
%<!---
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. See accompanying LICENSE file.
|
||||
-->
|
||||
|
||||
#set ( $H3 = '###' )
|
||||
#set ( $H4 = '####' )
|
||||
#set ( $H5 = '#####' )
|
||||
|
||||
Hadoop Streaming
|
||||
================
|
||||
|
||||
* [Hadoop Streaming](#Hadoop_Streaming)
|
||||
* [Hadoop Streaming](#Hadoop_Streaming)
|
||||
* [How Streaming Works](#How_Streaming_Works)
|
||||
* [Streaming Command Options](#Streaming_Command_Options)
|
||||
* [Specifying a Java Class as the Mapper/Reducer](#Specifying_a_Java_Class_as_the_MapperReducer)
|
||||
* [Packaging Files With Job Submissions](#Packaging_Files_With_Job_Submissions)
|
||||
* [Specifying Other Plugins for Jobs](#Specifying_Other_Plugins_for_Jobs)
|
||||
* [Setting Environment Variables](#Setting_Environment_Variables)
|
||||
* [Generic Command Options](#Generic_Command_Options)
|
||||
* [Specifying Configuration Variables with the -D Option](#Specifying_Configuration_Variables_with_the_-D_Option)
|
||||
* [Specifying Directories](#Specifying_Directories)
|
||||
* [Specifying Map-Only Jobs](#Specifying_Map-Only_Jobs)
|
||||
* [Specifying the Number of Reducers](#Specifying_the_Number_of_Reducers)
|
||||
* [Customizing How Lines are Split into Key/Value Pairs](#Customizing_How_Lines_are_Split_into_KeyValue_Pairs)
|
||||
* [Working with Large Files and Archives](#Working_with_Large_Files_and_Archives)
|
||||
* [Making Files Available to Tasks](#Making_Files_Available_to_Tasks)
|
||||
* [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks)
|
||||
* [More Usage Examples](#More_Usage_Examples)
|
||||
* [Hadoop Partitioner Class](#Hadoop_Partitioner_Class)
|
||||
* [Hadoop Comparator Class](#Hadoop_Comparator_Class)
|
||||
* [Hadoop Aggregate Package](#Hadoop_Aggregate_Package)
|
||||
* [Hadoop Field Selection Class](#Hadoop_Field_Selection_Class)
|
||||
* [Frequently Asked Questions](#Frequently_Asked_Questions)
|
||||
* [How do I use Hadoop Streaming to run an arbitrary set of (semi) independent tasks?](#How_do_I_use_Hadoop_Streaming_to_run_an_arbitrary_set_of_semi_independent_tasks)
|
||||
* [How do I process files, one per map?](#How_do_I_process_files_one_per_map)
|
||||
* [How many reducers should I use?](#How_many_reducers_should_I_use)
|
||||
* [If I set up an alias in my shell script, will that work after -mapper?](#If_I_set_up_an_alias_in_my_shell_script_will_that_work_after_-mapper)
|
||||
* [Can I use UNIX pipes?](#Can_I_use_UNIX_pipes)
|
||||
* [What do I do if I get the "No space left on device" error?](#What_do_I_do_if_I_get_the_No_space_left_on_device_error)
|
||||
* [How do I specify multiple input directories?](#How_do_I_specify_multiple_input_directories)
|
||||
* [How do I generate output files with gzip format?](#How_do_I_generate_output_files_with_gzip_format)
|
||||
* [How do I provide my own input/output format with streaming?](#How_do_I_provide_my_own_inputoutput_format_with_streaming)
|
||||
* [How do I parse XML documents using streaming?](#How_do_I_parse_XML_documents_using_streaming)
|
||||
* [How do I update counters in streaming applications?](#How_do_I_update_counters_in_streaming_applications)
|
||||
* [How do I update status in streaming applications?](#How_do_I_update_status_in_streaming_applications)
|
||||
* [How do I get the Job variables in a streaming job's mapper/reducer?](#How_do_I_get_the_Job_variables_in_a_streaming_jobs_mapperreducer)
|
||||
|
||||
Hadoop Streaming
|
||||
----------------
|
||||
|
||||
Hadoop streaming is a utility that comes with the Hadoop distribution. The utility allows you to create and run Map/Reduce jobs with any executable or script as the mapper and/or the reducer. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /usr/bin/wc
|
||||
|
||||
How Streaming Works
|
||||
-------------------
|
||||
|
||||
In the above example, both the mapper and the reducer are executables that read the input from stdin (line by line) and emit the output to stdout. The utility will create a Map/Reduce job, submit the job to an appropriate cluster, and monitor the progress of the job until it completes.
|
||||
|
||||
When an executable is specified for mappers, each mapper task will launch the executable as a separate process when the mapper is initialized. As the mapper task runs, it converts its inputs into lines and feed the lines to the stdin of the process. In the meantime, the mapper collects the line oriented outputs from the stdout of the process and converts each line into a key/value pair, which is collected as the output of the mapper. By default, the *prefix of a line up to the first tab character* is the `key` and the rest of the line (excluding the tab character) will be the `value`. If there is no tab character in the line, then entire line is considered as key and the value is null. However, this can be customized by setting `-inputformat` command option, as discussed later.
|
||||
|
||||
When an executable is specified for reducers, each reducer task will launch the executable as a separate process then the reducer is initialized. As the reducer task runs, it converts its input key/values pairs into lines and feeds the lines to the stdin of the process. In the meantime, the reducer collects the line oriented outputs from the stdout of the process, converts each line into a key/value pair, which is collected as the output of the reducer. By default, the prefix of a line up to the first tab character is the key and the rest of the line (excluding the tab character) is the value. However, this can be customized by setting `-outputformat` command option, as discussed later.
|
||||
|
||||
This is the basis for the communication protocol between the Map/Reduce framework and the streaming mapper/reducer.
|
||||
|
||||
User can specify `stream.non.zero.exit.is.failure` as `true` or `false` to make a streaming task that exits with a non-zero status to be `Failure` or `Success` respectively. By default, streaming tasks exiting with non-zero status are considered to be failed tasks.
|
||||
|
||||
Streaming Command Options
|
||||
-------------------------
|
||||
|
||||
Streaming supports streaming command options as well as [generic command options](#Generic_Command_Options). The general command line syntax is shown below.
|
||||
|
||||
**Note:** Be sure to place the generic options before the streaming options, otherwise the command will fail. For an example, see [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks).
|
||||
|
||||
hadoop command [genericOptions] [streamingOptions]
|
||||
|
||||
The Hadoop streaming command options are listed here:
|
||||
|
||||
| Parameter | Optional/Required | Description |
|
||||
|:---- |:---- |:---- |
|
||||
| -input directoryname or filename | Required | Input location for mapper |
|
||||
| -output directoryname | Required | Output location for reducer |
|
||||
| -mapper executable or JavaClassName | Required | Mapper executable |
|
||||
| -reducer executable or JavaClassName | Required | Reducer executable |
|
||||
| -file filename | Optional | Make the mapper, reducer, or combiner executable available locally on the compute nodes |
|
||||
| -inputformat JavaClassName | Optional | Class you supply should return key/value pairs of Text class. If not specified, TextInputFormat is used as the default |
|
||||
| -outputformat JavaClassName | Optional | Class you supply should take key/value pairs of Text class. If not specified, TextOutputformat is used as the default |
|
||||
| -partitioner JavaClassName | Optional | Class that determines which reduce a key is sent to |
|
||||
| -combiner streamingCommand or JavaClassName | Optional | Combiner executable for map output |
|
||||
| -cmdenv name=value | Optional | Pass environment variable to streaming commands |
|
||||
| -inputreader | Optional | For backwards-compatibility: specifies a record reader class (instead of an input format class) |
|
||||
| -verbose | Optional | Verbose output |
|
||||
| -lazyOutput | Optional | Create output lazily. For example, if the output format is based on FileOutputFormat, the output file is created only on the first call to Context.write |
|
||||
| -numReduceTasks | Optional | Specify the number of reducers |
|
||||
| -mapdebug | Optional | Script to call when map task fails |
|
||||
| -reducedebug | Optional | Script to call when reduce task fails |
|
||||
|
||||
$H3 Specifying a Java Class as the Mapper/Reducer
|
||||
|
||||
You can supply a Java class as the mapper and/or the reducer.
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-inputformat org.apache.hadoop.mapred.KeyValueTextInputFormat \
|
||||
-mapper org.apache.hadoop.mapred.lib.IdentityMapper \
|
||||
-reducer /usr/bin/wc
|
||||
|
||||
You can specify `stream.non.zero.exit.is.failure` as `true` or `false` to make a streaming task that exits with a non-zero status to be `Failure` or `Success` respectively. By default, streaming tasks exiting with non-zero status are considered to be failed tasks.
|
||||
|
||||
$H3 Packaging Files With Job Submissions
|
||||
|
||||
You can specify any executable as the mapper and/or the reducer. The executables do not need to pre-exist on the machines in the cluster; however, if they don't, you will need to use "-file" option to tell the framework to pack your executable files as a part of job submission. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myPythonScript.py \
|
||||
-reducer /usr/bin/wc \
|
||||
-file myPythonScript.py
|
||||
|
||||
The above example specifies a user defined Python executable as the mapper. The option "-file myPythonScript.py" causes the python executable shipped to the cluster machines as a part of job submission.
|
||||
|
||||
In addition to executable files, you can also package other auxiliary files (such as dictionaries, configuration files, etc) that may be used by the mapper and/or the reducer. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myPythonScript.py \
|
||||
-reducer /usr/bin/wc \
|
||||
-file myPythonScript.py \
|
||||
-file myDictionary.txt
|
||||
|
||||
$H3 Specifying Other Plugins for Jobs
|
||||
|
||||
Just as with a normal Map/Reduce job, you can specify other plugins for a streaming job:
|
||||
|
||||
-inputformat JavaClassName
|
||||
-outputformat JavaClassName
|
||||
-partitioner JavaClassName
|
||||
-combiner streamingCommand or JavaClassName
|
||||
|
||||
The class you supply for the input format should return key/value pairs of Text class. If you do not specify an input format class, the TextInputFormat is used as the default. Since the TextInputFormat returns keys of LongWritable class, which are actually not part of the input data, the keys will be discarded; only the values will be piped to the streaming mapper.
|
||||
|
||||
The class you supply for the output format is expected to take key/value pairs of Text class. If you do not specify an output format class, the TextOutputFormat is used as the default.
|
||||
|
||||
$H3 Setting Environment Variables
|
||||
|
||||
To set an environment variable in a streaming command use:
|
||||
|
||||
-cmdenv EXAMPLE_DIR=/home/example/dictionaries/
|
||||
|
||||
Generic Command Options
|
||||
-----------------------
|
||||
|
||||
Streaming supports [streaming command options](#Streaming_Command_Options) as well as generic command options. The general command line syntax is shown below.
|
||||
|
||||
**Note:** Be sure to place the generic options before the streaming options, otherwise the command will fail. For an example, see [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks).
|
||||
|
||||
hadoop command [genericOptions] [streamingOptions]
|
||||
|
||||
The Hadoop generic command options you can use with streaming are listed here:
|
||||
|
||||
| Parameter | Optional/Required | Description |
|
||||
|:---- |:---- |:---- |
|
||||
| -conf configuration\_file | Optional | Specify an application configuration file |
|
||||
| -D property=value | Optional | Use value for given property |
|
||||
| -fs host:port or local | Optional | Specify a namenode |
|
||||
| -files | Optional | Specify comma-separated files to be copied to the Map/Reduce cluster |
|
||||
| -libjars | Optional | Specify comma-separated jar files to include in the classpath |
|
||||
| -archives | Optional | Specify comma-separated archives to be unarchived on the compute machines |
|
||||
|
||||
$H3 Specifying Configuration Variables with the -D Option
|
||||
|
||||
You can specify additional configuration variables by using "-D \<property\>=\<value\>".
|
||||
|
||||
$H4 Specifying Directories
|
||||
|
||||
To change the local temp directory use:
|
||||
|
||||
-D dfs.data.dir=/tmp
|
||||
|
||||
To specify additional local temp directories use:
|
||||
|
||||
-D mapred.local.dir=/tmp/local
|
||||
-D mapred.system.dir=/tmp/system
|
||||
-D mapred.temp.dir=/tmp/temp
|
||||
|
||||
**Note:** For more details on job configuration parameters see: [mapred-default.xml](./mapred-default.xml)
|
||||
|
||||
$H4 Specifying Map-Only Jobs
|
||||
|
||||
Often, you may want to process input data using a map function only. To do this, simply set `mapreduce.job.reduces` to zero. The Map/Reduce framework will not create any reducer tasks. Rather, the outputs of the mapper tasks will be the final output of the job.
|
||||
|
||||
-D mapreduce.job.reduces=0
|
||||
|
||||
To be backward compatible, Hadoop Streaming also supports the "-reducer NONE" option, which is equivalent to "-D mapreduce.job.reduces=0".
|
||||
|
||||
$H4 Specifying the Number of Reducers
|
||||
|
||||
To specify the number of reducers, for example two, use:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.reduces=2 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /usr/bin/wc
|
||||
|
||||
$H4 Customizing How Lines are Split into Key/Value Pairs
|
||||
|
||||
As noted earlier, when the Map/Reduce framework reads a line from the stdout of the mapper, it splits the line into a key/value pair. By default, the prefix of the line up to the first tab character is the key and the rest of the line (excluding the tab character) is the value.
|
||||
|
||||
However, you can customize this default. You can specify a field separator other than the tab character (the default), and you can specify the nth (n \>= 1) character rather than the first character in a line (the default) as the separator between the key and value. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat
|
||||
|
||||
In the above example, "-D stream.map.output.field.separator=." specifies "." as the field separator for the map outputs, and the prefix up to the fourth "." in a line will be the key and the rest of the line (excluding the fourth ".") will be the value. If a line has less than four "."s, then the whole line will be the key and the value will be an empty Text object (like the one created by new Text("")).
|
||||
|
||||
Similarly, you can use "-D stream.reduce.output.field.separator=SEP" and "-D stream.num.reduce.output.fields=NUM" to specify the nth field separator in a line of the reduce outputs as the separator between the key and the value.
|
||||
|
||||
Similarly, you can specify "stream.map.input.field.separator" and "stream.reduce.input.field.separator" as the input separator for Map/Reduce inputs. By default the separator is the tab character.
|
||||
|
||||
$H3 Working with Large Files and Archives
|
||||
|
||||
The -files and -archives options allow you to make files and archives available to the tasks. The argument is a URI to the file or archive that you have already uploaded to HDFS. These files and archives are cached across jobs. You can retrieve the host and fs\_port values from the fs.default.name config variable.
|
||||
|
||||
**Note:** The -files and -archives options are generic options. Be sure to place the generic options before the command options, otherwise the command will fail.
|
||||
|
||||
$H4 Making Files Available to Tasks
|
||||
|
||||
The -files option creates a symlink in the current working directory of the tasks that points to the local copy of the file.
|
||||
|
||||
In this example, Hadoop automatically creates a symlink named testfile.txt in the current working directory of the tasks. This symlink points to the local copy of testfile.txt.
|
||||
|
||||
-files hdfs://host:fs_port/user/testfile.txt
|
||||
|
||||
User can specify a different symlink name for -files using \#.
|
||||
|
||||
-files hdfs://host:fs_port/user/testfile.txt#testfile
|
||||
|
||||
Multiple entries can be specified like this:
|
||||
|
||||
-files hdfs://host:fs_port/user/testfile1.txt,hdfs://host:fs_port/user/testfile2.txt
|
||||
|
||||
$H4 Making Archives Available to Tasks
|
||||
|
||||
The -archives option allows you to copy jars locally to the current working directory of tasks and automatically unjar the files.
|
||||
|
||||
In this example, Hadoop automatically creates a symlink named testfile.jar in the current working directory of tasks. This symlink points to the directory that stores the unjarred contents of the uploaded jar file.
|
||||
|
||||
-archives hdfs://host:fs_port/user/testfile.jar
|
||||
|
||||
User can specify a different symlink name for -archives using \#.
|
||||
|
||||
-archives hdfs://host:fs_port/user/testfile.tgz#tgzdir
|
||||
|
||||
In this example, the input.txt file has two lines specifying the names of the two files: cachedir.jar/cache.txt and cachedir.jar/cache2.txt. "cachedir.jar" is a symlink to the archived directory, which has the files "cache.txt" and "cache2.txt".
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-archives 'hdfs://hadoop-nn1.example.com/user/me/samples/cachefile/cachedir.jar' \
|
||||
-D mapreduce.job.maps=1 \
|
||||
-D mapreduce.job.reduces=1 \
|
||||
-D mapreduce.job.name="Experiment" \
|
||||
-input "/user/me/samples/cachefile/input.txt" \
|
||||
-output "/user/me/samples/cachefile/out" \
|
||||
-mapper "xargs cat" \
|
||||
-reducer "cat"
|
||||
|
||||
$ ls test_jar/
|
||||
cache.txt cache2.txt
|
||||
|
||||
$ jar cvf cachedir.jar -C test_jar/ .
|
||||
added manifest
|
||||
adding: cache.txt(in = 30) (out= 29)(deflated 3%)
|
||||
adding: cache2.txt(in = 37) (out= 35)(deflated 5%)
|
||||
|
||||
$ hdfs dfs -put cachedir.jar samples/cachefile
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/cachefile/input.txt
|
||||
cachedir.jar/cache.txt
|
||||
cachedir.jar/cache2.txt
|
||||
|
||||
$ cat test_jar/cache.txt
|
||||
This is just the cache string
|
||||
|
||||
$ cat test_jar/cache2.txt
|
||||
This is just the second cache string
|
||||
|
||||
$ hdfs dfs -ls /user/me/samples/cachefile/out
|
||||
Found 2 items
|
||||
-rw-r--r-* 1 me supergroup 0 2013-11-14 17:00 /user/me/samples/cachefile/out/_SUCCESS
|
||||
-rw-r--r-* 1 me supergroup 69 2013-11-14 17:00 /user/me/samples/cachefile/out/part-00000
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/cachefile/out/part-00000
|
||||
This is just the cache string
|
||||
This is just the second cache string
|
||||
|
||||
More Usage Examples
|
||||
-------------------
|
||||
|
||||
$H3 Hadoop Partitioner Class
|
||||
|
||||
Hadoop has a library class, [KeyFieldBasedPartitioner](../../api/org/apache/hadoop/mapred/lib/KeyFieldBasedPartitioner.html), that is useful for many applications. This class allows the Map/Reduce framework to partition the map outputs based on certain key fields, not the whole keys. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-D map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keypartitioner.options=-k1,2 \
|
||||
-D mapreduce.job.reduces=12 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat \
|
||||
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
|
||||
|
||||
Here, *-D stream.map.output.field.separator=.* and *-D stream.num.map.output.key.fields=4* are as explained in previous example. The two variables are used by streaming to identify the key/value pair of mapper.
|
||||
|
||||
The map output keys of the above Map/Reduce job normally have four fields separated by ".". However, the Map/Reduce framework will partition the map outputs by the first two fields of the keys using the *-D mapred.text.key.partitioner.options=-k1,2* option. Here, *-D map.output.key.field.separator=.* specifies the separator for the partition. This guarantees that all the key/value pairs with the same first two fields in the keys will be partitioned into the same reducer.
|
||||
|
||||
*This is effectively equivalent to specifying the first two fields as the primary key and the next two fields as the secondary. The primary key is used for partitioning, and the combination of the primary and secondary keys is used for sorting.* A simple illustration is shown here:
|
||||
|
||||
Output of map (the keys)
|
||||
|
||||
11.12.1.2
|
||||
11.14.2.3
|
||||
11.11.4.1
|
||||
11.12.1.1
|
||||
11.14.2.2
|
||||
|
||||
Partition into 3 reducers (the first 2 fields are used as keys for partition)
|
||||
|
||||
11.11.4.1
|
||||
-----------
|
||||
11.12.1.2
|
||||
11.12.1.1
|
||||
-----------
|
||||
11.14.2.3
|
||||
11.14.2.2
|
||||
|
||||
Sorting within each partition for the reducer(all 4 fields used for sorting)
|
||||
|
||||
11.11.4.1
|
||||
-----------
|
||||
11.12.1.1
|
||||
11.12.1.2
|
||||
-----------
|
||||
11.14.2.2
|
||||
11.14.2.3
|
||||
|
||||
$H3 Hadoop Comparator Class
|
||||
|
||||
Hadoop has a library class, [KeyFieldBasedComparator](../../api/org/apache/hadoop/mapreduce/lib/partition/KeyFieldBasedComparator.html), that is useful for many applications. This class provides a subset of features provided by the Unix/GNU Sort. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.output.key.comparator.class=org.apache.hadoop.mapreduce.lib.partition.KeyFieldBasedComparator \
|
||||
-D stream.map.output.field.separator=. \
|
||||
-D stream.num.map.output.key.fields=4 \
|
||||
-D mapreduce.map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keycomparator.options=-k2,2nr \
|
||||
-D mapreduce.job.reduces=1 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper /bin/cat \
|
||||
-reducer /bin/cat
|
||||
|
||||
The map output keys of the above Map/Reduce job normally have four fields separated by ".". However, the Map/Reduce framework will sort the outputs by the second field of the keys using the *-D mapreduce.partition.keycomparator.options=-k2,2nr* option. Here, *-n* specifies that the sorting is numerical sorting and *-r* specifies that the result should be reversed. A simple illustration is shown below:
|
||||
|
||||
Output of map (the keys)
|
||||
|
||||
11.12.1.2
|
||||
11.14.2.3
|
||||
11.11.4.1
|
||||
11.12.1.1
|
||||
11.14.2.2
|
||||
|
||||
Sorting output for the reducer (where second field used for sorting)
|
||||
|
||||
11.14.2.3
|
||||
11.14.2.2
|
||||
11.12.1.2
|
||||
11.12.1.1
|
||||
11.11.4.1
|
||||
|
||||
$H3 Hadoop Aggregate Package
|
||||
|
||||
Hadoop has a library package called [Aggregate](../../org/apache/hadoop/mapred/lib/aggregate/package-summary.html). Aggregate provides a special reducer class and a special combiner class, and a list of simple aggregators that perform aggregations such as "sum", "max", "min" and so on over a sequence of values. Aggregate allows you to define a mapper plugin class that is expected to generate "aggregatable items" for each input key/value pair of the mappers. The combiner/reducer will aggregate those aggregatable items by invoking the appropriate aggregators.
|
||||
|
||||
To use Aggregate, simply specify "-reducer aggregate":
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper myAggregatorForKeyCount.py \
|
||||
-reducer aggregate \
|
||||
-file myAggregatorForKeyCount.py \
|
||||
|
||||
The python program myAggregatorForKeyCount.py looks like:
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
import sys;
|
||||
|
||||
def generateLongCountToken(id):
|
||||
return "LongValueSum:" + id + "\t" + "1"
|
||||
|
||||
def main(argv):
|
||||
line = sys.stdin.readline();
|
||||
try:
|
||||
while line:
|
||||
line = line[:-1];
|
||||
fields = line.split("\t");
|
||||
print generateLongCountToken(fields[0]);
|
||||
line = sys.stdin.readline();
|
||||
except "end of file":
|
||||
return None
|
||||
if __name__ == "__main__":
|
||||
main(sys.argv)
|
||||
|
||||
$H3 Hadoop Field Selection Class
|
||||
|
||||
Hadoop has a library class, [FieldSelectionMapReduce](../../api/org/apache/hadoop/mapred/lib/FieldSelectionMapReduce.html), that effectively allows you to process text data like the unix "cut" utility. The map function defined in the class treats each input key/value pair as a list of fields. You can specify the field separator (the default is the tab character). You can select an arbitrary list of fields as the map output key, and an arbitrary list of fields as the map output value. Similarly, the reduce function defined in the class treats each input key/value pair as a list of fields. You can select an arbitrary list of fields as the reduce output key, and an arbitrary list of fields as the reduce output value. For example:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.map.output.key.field.separator=. \
|
||||
-D mapreduce.partition.keypartitioner.options=-k1,2 \
|
||||
-D mapreduce.fieldsel.data.field.separator=. \
|
||||
-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0- \
|
||||
-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5- \
|
||||
-D mapreduce.map.output.key.class=org.apache.hadoop.io.Text \
|
||||
-D mapreduce.job.reduces=12 \
|
||||
-input myInputDirs \
|
||||
-output myOutputDir \
|
||||
-mapper org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
|
||||
-reducer org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
|
||||
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
|
||||
|
||||
The option "-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0-" specifies key/value selection for the map outputs. Key selection spec and value selection spec are separated by ":". In this case, the map output key will consist of fields 6, 5, 1, 2, and 3. The map output value will consist of all fields (0- means field 0 and all the subsequent fields).
|
||||
|
||||
The option "-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5-" specifies key/value selection for the reduce outputs. In this case, the reduce output key will consist of fields 0, 1, 2 (corresponding to the original fields 6, 5, 1). The reduce output value will consist of all fields starting from field 5 (corresponding to all the original fields).
|
||||
|
||||
Frequently Asked Questions
|
||||
--------------------------
|
||||
|
||||
$H3 How do I use Hadoop Streaming to run an arbitrary set of (semi) independent tasks?
|
||||
|
||||
Often you do not need the full power of Map Reduce, but only need to run multiple instances of the same program - either on different parts of the data, or on the same data, but with different parameters. You can use Hadoop Streaming to do this.
|
||||
|
||||
$H3 How do I process files, one per map?
|
||||
|
||||
As an example, consider the problem of zipping (compressing) a set of files across the hadoop cluster. You can achieve this by using Hadoop Streaming and custom mapper script:
|
||||
|
||||
* Generate a file containing the full HDFS path of the input files. Each map
|
||||
task would get one file name as input.
|
||||
|
||||
* Create a mapper script which, given a filename, will get the file to local
|
||||
disk, gzip the file and put it back in the desired output directory.
|
||||
|
||||
$H3 How many reducers should I use?
|
||||
|
||||
See MapReduce Tutorial for details: [Reducer](./MapReduceTutorial.html#Reducer)
|
||||
|
||||
$H3 If I set up an alias in my shell script, will that work after -mapper?
|
||||
|
||||
For example, say I do: alias c1='cut -f1'. Will -mapper "c1" work?
|
||||
|
||||
Using an alias will not work, but variable substitution is allowed as shown in this example:
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/student_marks
|
||||
alice 50
|
||||
bruce 70
|
||||
charlie 80
|
||||
dan 75
|
||||
|
||||
$ c2='cut -f2'; hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-D mapreduce.job.name='Experiment' \
|
||||
-input /user/me/samples/student_marks \
|
||||
-output /user/me/samples/student_out \
|
||||
-mapper "$c2" -reducer 'cat'
|
||||
|
||||
$ hdfs dfs -cat /user/me/samples/student_out/part-00000
|
||||
50
|
||||
70
|
||||
75
|
||||
80
|
||||
|
||||
$H3 Can I use UNIX pipes?
|
||||
|
||||
For example, will -mapper "cut -f1 | sed s/foo/bar/g" work?
|
||||
|
||||
Currently this does not work and gives an "java.io.IOException: Broken pipe" error. This is probably a bug that needs to be investigated.
|
||||
|
||||
$H3 What do I do if I get the "No space left on device" error?
|
||||
|
||||
For example, when I run a streaming job by distributing large executables (for example, 3.6G) through the -file option, I get a "No space left on device" error.
|
||||
|
||||
The jar packaging happens in a directory pointed to by the configuration variable stream.tmpdir. The default value of stream.tmpdir is /tmp. Set the value to a directory with more space:
|
||||
|
||||
-D stream.tmpdir=/export/bigspace/...
|
||||
|
||||
$H3 How do I specify multiple input directories?
|
||||
|
||||
You can specify multiple input directories with multiple '-input' options:
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-input '/user/foo/dir1' -input '/user/foo/dir2' \
|
||||
(rest of the command)
|
||||
|
||||
$H3 How do I generate output files with gzip format?
|
||||
|
||||
Instead of plain text files, you can generate gzip files as your generated output. Pass '-D mapreduce.output.fileoutputformat.compress=true -D mapreduce.output.fileoutputformat.compress.codec=org.apache.hadoop.io.compress.GzipCodec' as option to your streaming job.
|
||||
|
||||
$H3 How do I provide my own input/output format with streaming?
|
||||
|
||||
You can specify your own custom class by packing them and putting the custom jar to `$HADOOP_CLASSPATH`.
|
||||
|
||||
$H3 How do I parse XML documents using streaming?
|
||||
|
||||
You can use the record reader StreamXmlRecordReader to process XML documents.
|
||||
|
||||
hadoop jar hadoop-streaming-${project.version}.jar \
|
||||
-inputreader "StreamXmlRecord,begin=BEGIN_STRING,end=END_STRING" \
|
||||
(rest of the command)
|
||||
|
||||
Anything found between BEGIN\_STRING and END\_STRING would be treated as one record for map tasks.
|
||||
|
||||
$H3 How do I update counters in streaming applications?
|
||||
|
||||
A streaming process can use the stderr to emit counter information. `reporter:counter:<group>,<counter>,<amount>` should be sent to stderr to update the counter.
|
||||
|
||||
$H3 How do I update status in streaming applications?
|
||||
|
||||
A streaming process can use the stderr to emit status information. To set a status, `reporter:status:<message>` should be sent to stderr.
|
||||
|
||||
$H3 How do I get the Job variables in a streaming job's mapper/reducer?
|
||||
|
||||
See [Configured Parameters](./MapReduceTutorial.html#Configured_Parameters). During the execution of a streaming job, the names of the "mapred" parameters are transformed. The dots ( . ) become underscores ( \_ ). For example, mapreduce.job.id becomes mapreduce\_job\_id and mapreduce.job.jar becomes mapreduce\_job\_jar. In your code, use the parameter names with the underscores.
|
Loading…
Reference in New Issue