HADOOP-11593. Convert site documentation from apt to markdown (stragglers) (Masatake Iwasaki via aw)

Allen Wittenauer 2015-02-17 21:30:24 -10:00
parent 7c782047c6
commit b6fc1f3e43
20 changed files with 2978 additions and 3649 deletions


@ -1,70 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Building It
---
---
${maven.build.timestamp}
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Building It
* Requirements
* Java 6+
* Maven 3+
* Kerberos KDC (for running Kerberos test cases)
* Building
Use Maven goals: clean, test, compile, package, install
Available profiles: docs, testKerberos
* Testing
By default Kerberos testcases are not run.
The requirements to run Kerberos testcases are a running KDC, a keytab
file with a client principal and a kerberos principal.
To run Kerberos tescases use the <<<testKerberos>>> Maven profile:
+---+
$ mvn test -PtestKerberos
+---+
The following Maven <<<-D>>> options can be used to change the default
values:
* <<<hadoop-auth.test.kerberos.realm>>>: default value <<LOCALHOST>>
* <<<hadoop-auth.test.kerberos.client.principal>>>: default value <<client>>
* <<<hadoop-auth.test.kerberos.server.principal>>>: default value
<<HTTP/localhost>> (it must start 'HTTP/')
* <<<hadoop-auth.test.kerberos.keytab.file>>>: default value
<<${HOME}/${USER}.keytab>>
** Generating Documentation
To create the documentation use the <<<docs>>> Maven profile:
+---+
$ mvn package -Pdocs
+---+
The generated documentation is available at
<<<hadoop-auth/target/site/>>>.


@ -1,377 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
Configuration
---
---
${maven.build.timestamp}
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Server Side
Configuration
* Server Side Configuration Setup
The AuthenticationFilter filter is Hadoop Auth's server side component.
This filter must be configured in front of all the web application resources
that required authenticated requests. For example:
The Hadoop Auth and dependent JAR files must be in the web application
classpath (commonly the <<<WEB-INF/lib>>> directory).
Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define
the SLF4J API dependency but it does not define the dependency on a concrete
logging implementation, this must be addded explicitly to the web
application. For example, if the web applicationan uses Log4j, the
SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application
classpath as well as the Log4j configuration file.
** Common Configuration parameters
* <<<config.prefix>>>: If specified, all other configuration parameter names
must start with the prefix. The default value is no prefix.
* <<<[PREFIX.]type>>>: the authentication type keyword (<<<simple>>> or
<<<kerberos>>>) or a Authentication handler implementation.
* <<<[PREFIX.]signature.secret>>>: When <<<signer.secret.provider>>> is set to
<<<string>>> or not specified, this is the value for the secret used to sign
the HTTP cookie.
* <<<[PREFIX.]token.validity>>>: The validity -in seconds- of the generated
authentication token. The default value is <<<3600>>> seconds. This is also
used for the rollover interval when <<<signer.secret.provider>>> is set to
<<<random>>> or <<<zookeeper>>>.
* <<<[PREFIX.]cookie.domain>>>: domain to use for the HTTP cookie that stores
the authentication token.
* <<<[PREFIX.]cookie.path>>>: path to use for the HTTP cookie that stores the
authentication token.
* <<<signer.secret.provider>>>: indicates the name of the SignerSecretProvider
class to use. Possible values are: <<<string>>>, <<<random>>>,
<<<zookeeper>>>, or a classname. If not specified, the <<<string>>>
implementation will be used; and failing that, the <<<random>>>
implementation will be used.
** Kerberos Configuration
<<IMPORTANT>>: A KDC must be configured and running.
To use Kerberos SPNEGO as the authentication mechanism, the authentication
filter must be configured with the following init parameters:
* <<<[PREFIX.]type>>>: the keyword <<<kerberos>>>.
* <<<[PREFIX.]kerberos.principal>>>: The web-application Kerberos principal
name. The Kerberos principal name must start with <<<HTTP/...>>>. For
example: <<<HTTP/localhost@LOCALHOST>>>. There is no default value.
* <<<[PREFIX.]kerberos.keytab>>>: The path to the keytab file containing
the credentials for the kerberos principal. For example:
<<</Users/tucu/tucu.keytab>>>. There is no default value.
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>kerberosFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>kerberos</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
<init-param>
<param-name>kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>kerberosFilter</filter-name>
<url-pattern>/kerberos/*</url-pattern>
</filter-mapping>
...
</web-app>
+---+
** Pseudo/Simple Configuration
To use Pseudo/Simple as the authentication mechanism (trusting the value of
the query string parameter 'user.name'), the authentication filter must be
configured with the following init parameters:
* <<<[PREFIX.]type>>>: the keyword <<<simple>>>.
* <<<[PREFIX.]simple.anonymous.allowed>>>: is a boolean parameter that
indicates if anonymous requests are allowed or not. The default value is
<<<false>>>.
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>simpleFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>simple.anonymous.allowed</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>simpleFilter</filter-name>
<url-pattern>/simple/*</url-pattern>
</filter-mapping>
...
</web-app>
+---+
** AltKerberos Configuration
<<IMPORTANT>>: A KDC must be configured and running.
The AltKerberos authentication mechanism is a partially implemented derivative
of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of
authentication where Kerberos SPNEGO is used by non-browsers while an
alternate form of authentication (to be implemented by the user) is used for
browsers. To use AltKerberos as the authentication mechanism (besides
providing an implementation), the authentication filter must be configured
with the following init parameters, in addition to the previously mentioned
Kerberos SPNEGO ones:
* <<<[PREFIX.]type>>>: the full class name of the implementation of
AltKerberosAuthenticationHandler to use.
* <<<[PREFIX.]alt-kerberos.non-browser.user-agents>>>: a comma-separated
list of which user-agents should be considered non-browsers.
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>kerberosFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
</init-param>
<init-param>
<param-name>alt-kerberos.non-browser.user-agents</param-name>
<param-value>java,curl,wget,perl</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
<init-param>
<param-name>kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>kerberosFilter</filter-name>
<url-pattern>/kerberos/*</url-pattern>
</filter-mapping>
...
</web-app>
+---+
** SignerSecretProvider Configuration
The SignerSecretProvider is used to provide more advanced behaviors for the
secret used for signing the HTTP Cookies.
These are the relevant configuration properties:
* <<<signer.secret.provider>>>: indicates the name of the
SignerSecretProvider class to use. Possible values are: "string",
"random", "zookeeper", or a classname. If not specified, the "string"
implementation will be used; and failing that, the "random" implementation
will be used.
* <<<[PREFIX.]signature.secret>>>: When <<<signer.secret.provider>>> is set
to <<<string>>> or not specified, this is the value for the secret used to
sign the HTTP cookie.
* <<<[PREFIX.]token.validity>>>: The validity -in seconds- of the generated
authentication token. The default value is <<<3600>>> seconds. This is
also used for the rollover interval when <<<signer.secret.provider>>> is
set to <<<random>>> or <<<zookeeper>>>.
The following configuration properties are specific to the <<<zookeeper>>>
implementation:
* <<<signer.secret.provider.zookeeper.connection.string>>>: Indicates the
ZooKeeper connection string to connect with.
* <<<signer.secret.provider.zookeeper.path>>>: Indicates the ZooKeeper path
to use for storing and retrieving the secrets. All servers
that need to coordinate their secret should point to the same path
* <<<signer.secret.provider.zookeeper.auth.type>>>: Indicates the auth type
to use. Supported values are <<<none>>> and <<<sasl>>>. The default
value is <<<none>>>.
* <<<signer.secret.provider.zookeeper.kerberos.keytab>>>: Set this to the
path with the Kerberos keytab file. This is only required if using
Kerberos.
* <<<signer.secret.provider.zookeeper.kerberos.principal>>>: Set this to the
Kerberos principal to use. This only required if using Kerberos.
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>string</param-value>
</init-param>
<init-param>
<param-name>signature.secret</param-name>
<param-value>my_secret</param-value>
</init-param>
</filter>
...
</web-app>
+---+
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>random</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
</filter>
...
</web-app>
+---+
<<Example>>:
+---+
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>zookeeper</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.connection.string</param-name>
<param-value>zoo1:2181,zoo2:2181,zoo3:2181</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.path</param-name>
<param-value>/myapp/secrets</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.use.kerberos.acls</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
</filter>
...
</web-app>
+---+


@ -1,133 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Examples
---
---
${maven.build.timestamp}
Hadoop Auth, Java HTTP SPNEGO ${project.version} - Examples
* Accessing a Hadoop Auth protected URL Using a browser
<<IMPORTANT:>> The browser must support HTTP Kerberos SPNEGO. For example,
Firefox or Internet Explorer.
For Firefox access the low level configuration page by loading the
<<<about:config>>> page. Then go to the
<<<network.negotiate-auth.trusted-uris>>> preference and add the hostname or
the domain of the web server that is HTTP Kerberos SPNEGO protected (if using
multiple domains and hostname use comma to separate them).
* Accessing a Hadoop Auth protected URL Using <<<curl>>>
<<IMPORTANT:>> The <<<curl>>> version must support GSS, run <<<curl -V>>>.
+---+
$ curl -V
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
+---+
Login to the KDC using <<kinit>> and then use <<<curl>>> to fetch protected
URL:
+---+
$ kinit
Please enter the password for tucu@LOCALHOST:
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
Enter host password for user 'tucu':
Hello Hadoop Auth Examples!
+---+
* The <<<--negotiate>>> option enables SPNEGO in <<<curl>>>.
* The <<<-u foo>>> option is required but the user ignored (the principal
that has been kinit-ed is used).
* The <<<-b>>> and <<<-c>>> are use to store and send HTTP Cookies.
* Using the Java Client
Use the <<<AuthenticatedURL>>> class to obtain an authenticated HTTP
connection:
+---+
...
URL url = new URL("http://localhost:8080/hadoop-auth/kerberos/who");
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
...
HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
...
conn = new AuthenticatedURL(url, token).openConnection();
...
+---+
* Building and Running the Examples
Download Hadoop-Auth's source code, the examples are in the
<<<src/main/examples>>> directory.
** Server Example:
Edit the <<<hadoop-auth-examples/src/main/webapp/WEB-INF/web.xml>>> and set the
right configuration init parameters for the <<<AuthenticationFilter>>>
definition configured for Kerberos (the right Kerberos principal and keytab
file must be specified). Refer to the {{{./Configuration.html}Configuration
document}} for details.
Create the web application WAR file by running the <<<mvn package>>> command.
Deploy the WAR file in a servlet container. For example, if using Tomcat,
copy the WAR file to Tomcat's <<<webapps/>>> directory.
Start the servlet container.
** Accessing the server using <<<curl>>>
Try accessing protected resources using <<<curl>>>. The protected resources
are:
+---+
$ kinit
Please enter the password for tucu@LOCALHOST:
$ curl http://localhost:8080/hadoop-auth-examples/anonymous/who
$ curl http://localhost:8080/hadoop-auth-examples/simple/who?user.name=foo
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
+---+
** Accessing the server using the Java client example
+---+
$ kinit
Please enter the password for tucu@LOCALHOST:
$ cd examples
$ mvn exec:java -Durl=http://localhost:8080/hadoop-auth-examples/kerberos/who
....
Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
Status code: 200 OK
You are: user[tucu] principal[tucu@LOCALHOST]
....
+---+
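Review bot: The removed curl walkthrough is internally inconsistent, so check that the markdown replacement does not copy it as is: the command passes `-u foo` while the transcript prompt reads "Enter host password for user 'tucu':", and the bullet under it says "The `-u foo` option is required but the user ignored". Make the prompt match the command and reword the bullet (for example "the user name is ignored"). The same port is the place to fix "are use to store and send HTTP Cookies".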


@ -1,59 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop Auth, Java HTTP SPNEGO ${project.version}
---
---
${maven.build.timestamp}
Hadoop Auth, Java HTTP SPNEGO ${project.version}
Hadoop Auth is a Java library consisting of a client and a server
components to enable Kerberos SPNEGO authentication for HTTP.
Hadoop Auth also supports additional authentication mechanisms on the client
and the server side via 2 simple interfaces.
Additionally, it provides a partially implemented derivative of the Kerberos
SPNEGO authentication to allow a "mixed" form of authentication where Kerberos
SPNEGO is used by non-browsers while an alternate form of authentication
(to be implemented by the user) is used for browsers.
* License
Hadoop Auth is distributed under {{{http://www.apache.org/licenses/}Apache
License 2.0}}.
* How Does Auth Works?
Hadoop Auth enforces authentication on protected resources, once authentiation
has been established it sets a signed HTTP Cookie that contains an
authentication token with the user name, user principal, authentication type
and expiration time.
Subsequent HTTP client requests presenting the signed HTTP Cookie have access
to the protected resources until the HTTP Cookie expires.
The secret used to sign the HTTP Cookie has multiple implementations that
provide different behaviors, including a hardcoded secret string, a rolling
randomly generated secret, and a rolling randomly generated secret
synchronized between multiple servers using ZooKeeper.
* User Documentation
* {{{./Examples.html}Examples}}
* {{{./Configuration.html}Configuration}}
* {{{./BuildingIt.html}Building It}}


@ -0,0 +1,56 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Hadoop Auth, Java HTTP SPNEGO - Building It
===========================================
Requirements
------------
* Java 6+
* Maven 3+
* Kerberos KDC (for running Kerberos test cases)
Building
--------
Use Maven goals: clean, test, compile, package, install
Available profiles: docs, testKerberos
Testing
-------
By default Kerberos testcases are not run.
The requirements to run Kerberos testcases are a running KDC, a keytab file with a client principal and a kerberos principal.
To run Kerberos tescases use the `testKerberos` Maven profile:
$ mvn test -PtestKerberos
The following Maven `-D` options can be used to change the default values:
* `hadoop-auth.test.kerberos.realm`: default value **LOCALHOST**
* `hadoop-auth.test.kerberos.client.principal`: default value **client**
* `hadoop-auth.test.kerberos.server.principal`: default value **HTTP/localhost** (it must start 'HTTP/')
* `hadoop-auth.test.kerberos.keytab.file`: default value **$HOME/$USER.keytab**
### Generating Documentation
To create the documentation use the `docs` Maven profile:
$ mvn package -Pdocs
The generated documentation is available at `hadoop-auth/target/site/`.
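Review bot: The Testing section copies a typo and an ambiguity from the apt source unchanged: "tescases" in "To run Kerberos tescases use the `testKerberos` Maven profile:" should read "test cases", and "a keytab file with a client principal and a kerberos principal" reads as if it means a client principal and a server principal, which is what the `hadoop-auth.test.kerberos.client.principal` and `hadoop-auth.test.kerberos.server.principal` options listed under it suggest. Since the file is rewritten here anyway, fix both in this change. The title also drops the `${project.version}` placeholder that the apt version carried; confirm that is intended.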


@ -0,0 +1,341 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Hadoop Auth, Java HTTP SPNEGO - Server Side Configuration
=========================================================
Server Side Configuration Setup
-------------------------------
The AuthenticationFilter filter is Hadoop Auth's server side component.
This filter must be configured in front of all the web application resources that required authenticated requests. For example:
The Hadoop Auth and dependent JAR files must be in the web application classpath (commonly the `WEB-INF/lib` directory).
Hadoop Auth uses SLF4J-API for logging. Auth Maven POM dependencies define the SLF4J API dependency but it does not define the dependency on a concrete logging implementation, this must be addded explicitly to the web application. For example, if the web applicationan uses Log4j, the SLF4J-LOG4J12 and LOG4J jar files must be part part of the web application classpath as well as the Log4j configuration file.
### Common Configuration parameters
* `config.prefix`: If specified, all other configuration parameter names
must start with the prefix. The default value is no prefix.
* `[PREFIX.]type`: the authentication type keyword (`simple` or \
`kerberos`) or a Authentication handler implementation.
* `[PREFIX.]signature.secret`: When `signer.secret.provider` is set to
`string` or not specified, this is the value for the secret used to sign
the HTTP cookie.
* `[PREFIX.]token.validity`: The validity -in seconds- of the generated
authentication token. The default value is `3600` seconds. This is also
used for the rollover interval when `signer.secret.provider` is set to
`random` or `zookeeper`.
* `[PREFIX.]cookie.domain`: domain to use for the HTTP cookie that stores
the authentication token.
* `[PREFIX.]cookie.path`: path to use for the HTTP cookie that stores the
authentication token.
* `signer.secret.provider`: indicates the name of the SignerSecretProvider
class to use. Possible values are: `string`, `random`,
`zookeeper`, or a classname. If not specified, the `string`
implementation will be used; and failing that, the `random`
implementation will be used.
### Kerberos Configuration
**IMPORTANT**: A KDC must be configured and running.
To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:
* `[PREFIX.]type`: the keyword `kerberos`.
* `[PREFIX.]kerberos.principal`: The web-application Kerberos principal
name. The Kerberos principal name must start with `HTTP/...`. For
example: `HTTP/localhost@LOCALHOST`. There is no default value.
* `[PREFIX.]kerberos.keytab`: The path to the keytab file containing
the credentials for the kerberos principal. For example:
`/Users/tucu/tucu.keytab`. There is no default value.
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>kerberosFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>kerberos</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
<init-param>
<param-name>kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>kerberosFilter</filter-name>
<url-pattern>/kerberos/*</url-pattern>
</filter-mapping>
...
</web-app>
### Pseudo/Simple Configuration
To use Pseudo/Simple as the authentication mechanism (trusting the value of the query string parameter 'user.name'), the authentication filter must be configured with the following init parameters:
* `[PREFIX.]type`: the keyword `simple`.
* `[PREFIX.]simple.anonymous.allowed`: is a boolean parameter that
indicates if anonymous requests are allowed or not. The default value is
`false`.
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>simpleFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>simple.anonymous.allowed</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>simpleFilter</filter-name>
<url-pattern>/simple/*</url-pattern>
</filter-mapping>
...
</web-app>
### AltKerberos Configuration
**IMPORTANT**: A KDC must be configured and running.
The AltKerberos authentication mechanism is a partially implemented derivative of the Kerberos SPNEGO authentication mechanism which allows a "mixed" form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers. To use AltKerberos as the authentication mechanism (besides providing an implementation), the authentication filter must be configured with the following init parameters, in addition to the previously mentioned Kerberos SPNEGO ones:
* `[PREFIX.]type`: the full class name of the implementation of
AltKerberosAuthenticationHandler to use.
* `[PREFIX.]alt-kerberos.non-browser.user-agents`: a comma-separated
list of which user-agents should be considered non-browsers.
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<filter-name>kerberosFilter</filter-name>
<filter-class>org.apache.hadoop.security.auth.server.AuthenticationFilter</filter-class>
<init-param>
<param-name>type</param-name>
<param-value>org.my.subclass.of.AltKerberosAuthenticationHandler</param-value>
</init-param>
<init-param>
<param-name>alt-kerberos.non-browser.user-agents</param-name>
<param-value>java,curl,wget,perl</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>cookie.domain</param-name>
<param-value>.foo.com</param-value>
</init-param>
<init-param>
<param-name>cookie.path</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
<init-param>
<param-name>kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>kerberosFilter</filter-name>
<url-pattern>/kerberos/*</url-pattern>
</filter-mapping>
...
</web-app>
### SignerSecretProvider Configuration
The SignerSecretProvider is used to provide more advanced behaviors for the secret used for signing the HTTP Cookies.
These are the relevant configuration properties:
* `signer.secret.provider`: indicates the name of the
SignerSecretProvider class to use. Possible values are: "string",
"random", "zookeeper", or a classname. If not specified, the "string"
implementation will be used; and failing that, the "random" implementation
will be used.
* `[PREFIX.]signature.secret`: When `signer.secret.provider` is set
to `string` or not specified, this is the value for the secret used to
sign the HTTP cookie.
* `[PREFIX.]token.validity`: The validity -in seconds- of the generated
authentication token. The default value is `3600` seconds. This is
also used for the rollover interval when `signer.secret.provider` is
set to `random` or `zookeeper`.
The following configuration properties are specific to the `zookeeper` implementation:
* `signer.secret.provider.zookeeper.connection.string`: Indicates the
ZooKeeper connection string to connect with.
* `signer.secret.provider.zookeeper.path`: Indicates the ZooKeeper path
to use for storing and retrieving the secrets. All servers
that need to coordinate their secret should point to the same path
* `signer.secret.provider.zookeeper.auth.type`: Indicates the auth type
to use. Supported values are `none` and `sasl`. The default
value is `none`.
* `signer.secret.provider.zookeeper.kerberos.keytab`: Set this to the
path with the Kerberos keytab file. This is only required if using
Kerberos.
* `signer.secret.provider.zookeeper.kerberos.principal`: Set this to the
Kerberos principal to use. This only required if using Kerberos.
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>string</param-value>
</init-param>
<init-param>
<param-name>signature.secret</param-name>
<param-value>my_secret</param-value>
</init-param>
</filter>
...
</web-app>
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>random</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
</filter>
...
</web-app>
**Example**:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
...
<filter>
<!-- AuthenticationHandler configs not shown -->
<init-param>
<param-name>signer.secret.provider</param-name>
<param-value>zookeeper</param-value>
</init-param>
<init-param>
<param-name>token.validity</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.connection.string</param-name>
<param-value>zoo1:2181,zoo2:2181,zoo3:2181</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.path</param-name>
<param-value>/myapp/secrets</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.use.kerberos.acls</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.kerberos.keytab</param-name>
<param-value>/tmp/auth.keytab</param-value>
</init-param>
<init-param>
<param-name>signer.secret.provider.zookeeper.kerberos.principal</param-name>
<param-value>HTTP/localhost@LOCALHOST</param-value>
</init-param>
</filter>
...
</web-app>
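Review bot: The `zookeeper` example sets `signer.secret.provider.zookeeper.use.kerberos.acls`, which is not one of the `zookeeper` properties documented just above it, and it never sets the documented `signer.secret.provider.zookeeper.auth.type`, whose default is `none`. The text says the keytab and principal are only required if using Kerberos, so the example should either set `auth.type` to `sasl` or the property list should describe `use.kerberos.acls`; as written a reader cannot tell which key enables Kerberos. The three blocks are all headed "**Example**:" with nothing to tell them apart, so label each by provider (`string`, `random`, `zookeeper`). The example keytab path `/tmp/auth.keytab` points at a world-writable directory and is better replaced with a path under the application's configuration directory. The `path` bullet is also missing its closing period.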

View File

@ -0,0 +1,109 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Hadoop Auth, Java HTTP SPNEGO - Examples
========================================
Accessing a Hadoop Auth protected URL Using a browser
-----------------------------------------------------
**IMPORTANT:** The browser must support HTTP Kerberos SPNEGO. For example, Firefox or Internet Explorer.
For Firefox access the low level configuration page by loading the `about:config` page. Then go to the `network.negotiate-auth.trusted-uris` preference and add the hostname or the domain of the web server that is HTTP Kerberos SPNEGO protected (if using multiple domains and hostname use comma to separate them).
Accessing a Hadoop Auth protected URL Using `curl`
--------------------------------------------------
**IMPORTANT:** The `curl` version must support GSS, run `curl -V`.
$ curl -V
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
Login to the KDC using **kinit** and then use `curl` to fetch protected URL:
$ kinit
Please enter the password for tucu@LOCALHOST:
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
Enter host password for user 'tucu':
Hello Hadoop Auth Examples!
* The `--negotiate` option enables SPNEGO in `curl`.
* The `-u foo` option is required but the user ignored (the principal
that has been kinit-ed is used).
* The `-b` and `-c` are use to store and send HTTP Cookies.
Using the Java Client
---------------------
Use the `AuthenticatedURL` class to obtain an authenticated HTTP connection:
...
URL url = new URL("http://localhost:8080/hadoop-auth/kerberos/who");
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
...
HttpURLConnection conn = new AuthenticatedURL(url, token).openConnection();
...
conn = new AuthenticatedURL(url, token).openConnection();
...
Building and Running the Examples
---------------------------------
Download Hadoop-Auth's source code, the examples are in the `src/main/examples` directory.
### Server Example:
Edit the `hadoop-auth-examples/src/main/webapp/WEB-INF/web.xml` and set the right configuration init parameters for the `AuthenticationFilter` definition configured for Kerberos (the right Kerberos principal and keytab file must be specified). Refer to the [Configuration document](./Configuration.html) for details.
Create the web application WAR file by running the `mvn package` command.
Deploy the WAR file in a servlet container. For example, if using Tomcat, copy the WAR file to Tomcat's `webapps/` directory.
Start the servlet container.
### Accessing the server using `curl`
Try accessing protected resources using `curl`. The protected resources are:
$ kinit
Please enter the password for tucu@LOCALHOST:
$ curl http://localhost:8080/hadoop-auth-examples/anonymous/who
$ curl http://localhost:8080/hadoop-auth-examples/simple/who?user.name=foo
$ curl --negotiate -u foo -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/hadoop-auth-examples/kerberos/who
### Accessing the server using the Java client example
$ kinit
Please enter the password for tucu@LOCALHOST:
$ cd examples
$ mvn exec:java -Durl=http://localhost:8080/hadoop-auth-examples/kerberos/who
....
Token value: "u=tucu,p=tucu@LOCALHOST,t=kerberos,e=1295305313146,s=sVZ1mpSnC5TKhZQE3QLN5p2DWBo="
Status code: 200 OK
You are: user[tucu] principal[tucu@LOCALHOST]
....
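Review bot: The `curl` transcript passes `-u foo` but the prompt printed on the next line reads "Enter host password for user 'tucu'", which does not match the command shown. Make the prompt agree with the command, or drop the prompt line, since the bullet below already says the `-u` value is ignored in favour of the kinit-ed principal. Under "Accessing the server using `curl`" the sentence "The protected resources are:" introduces a list that also contains the `anonymous/who` and `simple/who?user.name=foo` URLs, so say which of the three actually require Kerberos. The Java snippet uses `http://localhost:8080/hadoop-auth/kerberos/who` while every other URL on the page is under `hadoop-auth-examples/`. The `-b`/`-c` bullet should mention that `~/cookiejar.txt` then holds the signed authentication cookie until it expires, so readers treat the file as a credential. Wording: "the user ignored" should be "the user is ignored" and "are use to" should be "are used to".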

View File

@ -0,0 +1,43 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Hadoop Auth, Java HTTP SPNEGO
=============================
Hadoop Auth is a Java library consisting of a client and a server components to enable Kerberos SPNEGO authentication for HTTP.
Hadoop Auth also supports additional authentication mechanisms on the client and the server side via 2 simple interfaces.
Additionally, it provides a partially implemented derivative of the Kerberos SPNEGO authentication to allow a "mixed" form of authentication where Kerberos SPNEGO is used by non-browsers while an alternate form of authentication (to be implemented by the user) is used for browsers.
License
-------
Hadoop Auth is distributed under [Apache License 2.0](http://www.apache.org/licenses/).
How Does Auth Works?
--------------------
Hadoop Auth enforces authentication on protected resources, once authentiation has been established it sets a signed HTTP Cookie that contains an authentication token with the user name, user principal, authentication type and expiration time.
Subsequent HTTP client requests presenting the signed HTTP Cookie have access to the protected resources until the HTTP Cookie expires.
The secret used to sign the HTTP Cookie has multiple implementations that provide different behaviors, including a hardcoded secret string, a rolling randomly generated secret, and a rolling randomly generated secret synchronized between multiple servers using ZooKeeper.
User Documentation
------------------
* [Examples](./Examples.html)
* [Configuration](./Configuration.html)
* [Building It](./BuildingIt.html)
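Review bot: The heading "How Does Auth Works?" should read "How Does Auth Work?", and "authentiation" in the first sentence under it is a typo for "authentication"; both are carried over from the apt source and this conversion is a good point to fix them. The same sentence is a comma splice ("...protected resources, once authentication has been established it sets..."); split it in two. "a client and a server components" in the opening line should be "client and server components". The paragraph on signing secrets lists the hardcoded string, rolling random and ZooKeeper-synchronized providers; a link to the Configuration page from that sentence would tell readers where each is set.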

View File

@ -181,6 +181,9 @@ Trunk (Unreleased)
HADOOP-11596. Allow smart-apply-patch.sh to add new files in binary git HADOOP-11596. Allow smart-apply-patch.sh to add new files in binary git
patches (raviprak) patches (raviprak)
HADOOP-11593. Convert site documentation from apt to markdown (stragglers)
(Masatake Iwasaki via aw)
BUG FIXES BUG FIXES
HADOOP-11473. test-patch says "-1 overall" even when all checks are +1 HADOOP-11473. test-patch says "-1 overall" even when all checks are +1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,864 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
#set ( $H3 = '###' )
#set ( $H4 = '####' )
#set ( $H5 = '#####' )
Hadoop Key Management Server (KMS) - Documentation Sets
=======================================================
Hadoop KMS is a cryptographic key management server based on Hadoop's **KeyProvider** API.
It provides a client and a server components which communicate over HTTP using a REST API.
The client is a KeyProvider implementation interacts with the KMS using the KMS HTTP REST API.
KMS and its client have built-in security and they support HTTP SPNEGO Kerberos authentication and HTTPS secure transport.
KMS is a Java web-application and it runs using a pre-configured Tomcat bundled with the Hadoop distribution.
KMS Client Configuration
------------------------
The KMS client `KeyProvider` uses the **kms** scheme, and the embedded URL must be the URL of the KMS. For example, for a KMS running on `http://localhost:16000/kms`, the KeyProvider URI is `kms://http@localhost:16000/kms`. And, for a KMS running on `https://localhost:16000/kms`, the KeyProvider URI is `kms://https@localhost:16000/kms`
KMS
---
$H3 KMS Configuration
Configure the KMS backing KeyProvider properties in the `etc/hadoop/kms-site.xml` configuration file:
```xml
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>jceks://file@/${user.home}/kms.keystore</value>
</property>
<property>
<name>hadoop.security.keystore.java-keystore-provider.password-file</name>
<value>kms.keystore.password</value>
</property>
```
The password file is looked up in the Hadoop's configuration directory via the classpath.
NOTE: You need to restart the KMS for the configuration changes to take effect.
$H3 KMS Cache
KMS caches keys for short period of time to avoid excessive hits to the underlying key provider.
The Cache is enabled by default (can be dissabled by setting the `hadoop.kms.cache.enable` boolean property to false)
The cache is used with the following 3 methods only, `getCurrentKey()` and `getKeyVersion()` and `getMetadata()`.
For the `getCurrentKey()` method, cached entries are kept for a maximum of 30000 millisecond regardless the number of times the key is being access (to avoid stale keys to be considered current).
For the `getKeyVersion()` method, cached entries are kept with a default inactivity timeout of 600000 milliseconds (10 mins). This time out is configurable via the following property in the `etc/hadoop/kms-site.xml` configuration file:
```xml
<property>
<name>hadoop.kms.cache.enable</name>
<value>true</value>
</property>
<property>
<name>hadoop.kms.cache.timeout.ms</name>
<value>600000</value>
</property>
<property>
<name>hadoop.kms.current.key.cache.timeout.ms</name>
<value>30000</value>
</property>
```
$H3 KMS Aggregated Audit logs
Audit logs are aggregated for API accesses to the GET\_KEY\_VERSION, GET\_CURRENT\_KEY, DECRYPT\_EEK, GENERATE\_EEK operations.
Entries are grouped by the (user,key,operation) combined key for a configurable aggregation interval after which the number of accesses to the specified end-point by the user for a given key is flushed to the audit log.
The Aggregation interval is configured via the property :
<property>
<name>hadoop.kms.aggregation.delay.ms</name>
<value>10000</value>
</property>
$H3 Start/Stop the KMS
To start/stop KMS use KMS's bin/kms.sh script. For example:
hadoop-${project.version} $ sbin/kms.sh start
NOTE: Invoking the script without any parameters list all possible parameters (start, stop, run, etc.). The `kms.sh` script is a wrapper for Tomcat's `catalina.sh` script that sets the environment variables and Java System properties required to run KMS.
$H3 Embedded Tomcat Configuration
To configure the embedded Tomcat go to the `share/hadoop/kms/tomcat/conf`.
KMS pre-configures the HTTP and Admin ports in Tomcat's `server.xml` to 16000 and 16001.
Tomcat logs are also preconfigured to go to Hadoop's `logs/` directory.
The following environment variables (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to alter those values:
* KMS_HTTP_PORT
* KMS_ADMIN_PORT
* KMS_MAX_THREADS
* KMS_LOGNOTE: You need to restart the KMS for the configuration changes to take effect.
$H3 Loading native libraries
The following environment variable (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to specify the location of any required native libraries. For eg. Tomact native Apache Portable Runtime (APR) libraries:
* JAVA_LIBRARY_PATH
$H3 KMS Security Configuration
$H4 Enabling Kerberos HTTP SPNEGO Authentication
Configure the Kerberos `etc/krb5.conf` file with the information of your KDC server.
Create a service principal and its keytab for the KMS, it must be an `HTTP` service principal.
Configure KMS `etc/hadoop/kms-site.xml` with the correct security values, for example:
```xml
<property>
<name>hadoop.kms.authentication.type</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.keytab</name>
<value>${user.home}/kms.keytab</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/localhost</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.name.rules</name>
<value>DEFAULT</value>
</property>
```
NOTE: You need to restart the KMS for the configuration changes to take effect.
$H4 KMS Proxyuser Configuration
Each proxyuser must be configured in `etc/hadoop/kms-site.xml` using the following properties:
```xml
<property>
<name>hadoop.kms.proxyuser.#USER#.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.#USER#.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.#USER#.hosts</name>
<value>*</value>
</property>
```
`#USER#` is the username of the proxyuser to configure.
The `users` property indicates the users that can be impersonated.
The `groups` property indicates the groups users being impersonated must belong to.
At least one of the `users` or `groups` properties must be defined. If both are specified, then the configured proxyuser will be able to impersonate and user in the `users` list and any user belonging to one of the groups in the `groups` list.
The `hosts` property indicates from which host the proxyuser can make impersonation requests.
If `users`, `groups` or `hosts` has a `*`, it means there are no restrictions for the proxyuser regarding users, groups or hosts.
$H4 KMS over HTTPS (SSL)
To configure KMS to work over HTTPS the following 2 properties must be set in the `etc/hadoop/kms_env.sh` script (shown with default values):
* KMS_SSL_KEYSTORE_FILE=$HOME/.keystore
* KMS_SSL_KEYSTORE_PASS=password
In the KMS `tomcat/conf` directory, replace the `server.xml` file with the provided `ssl-server.xml` file.
You need to create an SSL certificate for the KMS. As the `kms` Unix user, using the Java `keytool` command to create the SSL certificate:
$ keytool -genkey -alias tomcat -keyalg RSA
You will be asked a series of questions in an interactive prompt. It will create the keystore file, which will be named **.keystore** and located in the `kms` user home directory.
The password you enter for "keystore password" must match the value of the `KMS_SSL_KEYSTORE_PASS` environment variable set in the `kms-env.sh` script in the configuration directory.
The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the KMS will be running.
NOTE: You need to restart the KMS for the configuration changes to take effect.
$H4 KMS Access Control
KMS ACLs configuration are defined in the KMS `etc/hadoop/kms-acls.xml` configuration file. This file is hot-reloaded when it changes.
KMS supports both fine grained access control as well as blacklist for kms operations via a set ACL configuration properties.
A user accessing KMS is first checked for inclusion in the Access Control List for the requested operation and then checked for exclusion in the Black list for the operation before access is granted.
```xml
<configuration>
<property>
<name>hadoop.kms.acl.CREATE</name>
<value>*</value>
<description>
ACL for create-key operations.
If the user is not in the GET ACL, the key material is not returned
as part of the response.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.CREATE</name>
<value>hdfs,foo</value>
<description>
Blacklist for create-key operations.
If the user is in the Blacklist, the key material is not returned
as part of the response.
</description>
</property>
<property>
<name>hadoop.kms.acl.DELETE</name>
<value>*</value>
<description>
ACL for delete-key operations.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.DELETE</name>
<value>hdfs,foo</value>
<description>
Blacklist for delete-key operations.
</description>
</property>
<property>
<name>hadoop.kms.acl.ROLLOVER</name>
<value>*</value>
<description>
ACL for rollover-key operations.
If the user is not in the GET ACL, the key material is not returned
as part of the response.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.ROLLOVER</name>
<value>hdfs,foo</value>
<description>
Blacklist for rollover-key operations.
</description>
</property>
<property>
<name>hadoop.kms.acl.GET</name>
<value>*</value>
<description>
ACL for get-key-version and get-current-key operations.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.GET</name>
<value>hdfs,foo</value>
<description>
ACL for get-key-version and get-current-key operations.
</description>
</property>
<property>
<name>hadoop.kms.acl.GET_KEYS</name>
<value>*</value>
<description>
ACL for get-keys operation.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.GET_KEYS</name>
<value>hdfs,foo</value>
<description>
Blacklist for get-keys operation.
</description>
</property>
<property>
<name>hadoop.kms.acl.GET_METADATA</name>
<value>*</value>
<description>
ACL for get-key-metadata and get-keys-metadata operations.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.GET_METADATA</name>
<value>hdfs,foo</value>
<description>
Blacklist for get-key-metadata and get-keys-metadata operations.
</description>
</property>
<property>
<name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
<value>*</value>
<description>
Complimentary ACL for CREATE and ROLLOVER operation to allow the client
to provide the key material when creating or rolling a key.
</description>
</property>
<property>
<name>hadoop.kms.blacklist.SET_KEY_MATERIAL</name>
<value>hdfs,foo</value>
<description>
Complimentary Blacklist for CREATE and ROLLOVER operation to allow the client
to provide the key material when creating or rolling a key.
</description>
</property>
<property>
<name>hadoop.kms.acl.GENERATE_EEK</name>
<value>*</value>
<description>
ACL for generateEncryptedKey
CryptoExtension operations
</description>
</property>
<property>
<name>hadoop.kms.blacklist.GENERATE_EEK</name>
<value>hdfs,foo</value>
<description>
Blacklist for generateEncryptedKey
CryptoExtension operations
</description>
</property>
<property>
<name>hadoop.kms.acl.DECRYPT_EEK</name>
<value>*</value>
<description>
ACL for decrypt EncryptedKey
CryptoExtension operations
</description>
</property>
<property>
<name>hadoop.kms.blacklist.DECRYPT_EEK</name>
<value>hdfs,foo</value>
<description>
Blacklist for decrypt EncryptedKey
CryptoExtension operations
</description>
</property>
</configuration>
```
$H4 Key Access Control
KMS supports access control for all non-read operations at the Key level. All Key Access operations are classified as :
* MANAGEMENT - createKey, deleteKey, rolloverNewVersion
* GENERATE_EEK - generateEncryptedKey, warmUpEncryptedKeys
* DECRYPT_EEK - decryptEncryptedKey
* READ - getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata, getCurrentKey
* ALL - all of the above
These can be defined in the KMS `etc/hadoop/kms-acls.xml` as follows
For all keys for which a key access has not been explicitly configured, It is possible to configure a default key access control for a subset of the operation types.
It is also possible to configure a "whitelist" key ACL for a subset of the operation types. The whitelist key ACL is a whitelist in addition to the explicit or default per-key ACL. That is, if no per-key ACL is explicitly set, a user will be granted access if they are present in the default per-key ACL or the whitelist key ACL. If a per-key ACL is explicitly set, a user will be granted access if they are present in the per-key ACL or the whitelist key ACL.
If no ACL is configured for a specific key AND no default ACL is configured AND no root key ACL is configured for the requested operation, then access will be DENIED.
**NOTE:** The default and whitelist key ACL does not support `ALL` operation qualifier.
```xml
<property>
<name>key.acl.testKey1.MANAGEMENT</name>
<value>*</value>
<description>
ACL for create-key, deleteKey and rolloverNewVersion operations.
</description>
</property>
<property>
<name>key.acl.testKey2.GENERATE_EEK</name>
<value>*</value>
<description>
ACL for generateEncryptedKey operations.
</description>
</property>
<property>
<name>key.acl.testKey3.DECRYPT_EEK</name>
<value>admink3</value>
<description>
ACL for decryptEncryptedKey operations.
</description>
</property>
<property>
<name>key.acl.testKey4.READ</name>
<value>*</value>
<description>
ACL for getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata,
getCurrentKey operations
</description>
</property>
<property>
<name>key.acl.testKey5.ALL</name>
<value>*</value>
<description>
ACL for ALL operations.
</description>
</property>
<property>
<name>whitelist.key.acl.MANAGEMENT</name>
<value>admin1</value>
<description>
whitelist ACL for MANAGEMENT operations for all keys.
</description>
</property>
<!--
'testKey3' key ACL is defined. Since a 'whitelist'
key is also defined for DECRYPT_EEK, in addition to
admink3, admin1 can also perform DECRYPT_EEK operations
on 'testKey3'
-->
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>admin1</value>
<description>
whitelist ACL for DECRYPT_EEK operations for all keys.
</description>
</property>
<property>
<name>default.key.acl.MANAGEMENT</name>
<value>user1,user2</value>
<description>
default ACL for MANAGEMENT operations for all keys that are not
explicitly defined.
</description>
</property>
<property>
<name>default.key.acl.GENERATE_EEK</name>
<value>user1,user2</value>
<description>
default ACL for GENERATE_EEK operations for all keys that are not
explicitly defined.
</description>
</property>
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>user1,user2</value>
<description>
default ACL for DECRYPT_EEK operations for all keys that are not
explicitly defined.
</description>
</property>
<property>
<name>default.key.acl.READ</name>
<value>user1,user2</value>
<description>
default ACL for READ operations for all keys that are not
explicitly defined.
</description>
</property>
```
$H3 KMS Delegation Token Configuration
KMS delegation token secret manager can be configured with the following properties:
```xml
<property>
<name>hadoop.kms.authentication.delegation-token.update-interval.sec</name>
<value>86400</value>
<description>
How often the master key is rotated, in seconds. Default value 1 day.
</description>
</property>
<property>
<name>hadoop.kms.authentication.delegation-token.max-lifetime.sec</name>
<value>604800</value>
<description>
Maximum lifetime of a delagation token, in seconds. Default value 7 days.
</description>
</property>
<property>
<name>hadoop.kms.authentication.delegation-token.renew-interval.sec</name>
<value>86400</value>
<description>
Renewal interval of a delagation token, in seconds. Default value 1 day.
</description>
</property>
<property>
<name>hadoop.kms.authentication.delegation-token.removal-scan-interval.sec</name>
<value>3600</value>
<description>
Scan interval to remove expired delegation tokens.
</description>
</property>
```
$H3 Using Multiple Instances of KMS Behind a Load-Balancer or VIP
KMS supports multiple KMS instances behind a load-balancer or VIP for scalability and for HA purposes.
When using multiple KMS instances behind a load-balancer or VIP, requests from the same user may be handled by different KMS instances.
KMS instances behind a load-balancer or VIP must be specially configured to work properly as a single logical service.
$H4 HTTP Kerberos Principals Configuration
When KMS instances are behind a load-balancer or VIP, clients will use the hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the URL is used to construct the Kerberos service name of the server, `HTTP/#HOSTNAME#`. This means that all KMS instances must have a Kerberos service name with the load-balancer or VIP hostname.
In order to be able to access directly a specific KMS instance, the KMS instance must also have Keberos service name with its own hostname. This is required for monitoring and admin purposes.
Both Kerberos service principal credentials (for the load-balancer/VIP hostname and for the actual KMS instance hostname) must be in the keytab file configured for authentication. And the principal name specified in the configuration must be '\*'. For example:
```xml
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>*</value>
</property>
```
**NOTE:** If using HTTPS, the SSL certificate used by the KMS instance must be configured to support multiple hostnames (see Java 7 `keytool` SAN extension support for details on how to do this).
$H4 HTTP Authentication Signature
KMS uses Hadoop Authentication for HTTP authentication. Hadoop Authentication issues a signed HTTP Cookie once the client has authenticated successfully. This HTTP Cookie has an expiration time, after which it will trigger a new authentication sequence. This is done to avoid triggering the authentication on every HTTP request of a client.
A KMS instance must verify the HTTP Cookie signatures signed by other KMS instances. To do this all KMS instances must share the signing secret.
This secret sharing can be done using a Zookeeper service which is configured in KMS with the following properties in the `kms-site.xml`:
```xml
<property>
<name>hadoop.kms.authentication.signer.secret.provider</name>
<value>zookeeper</value>
<description>
Indicates how the secret to sign the authentication cookies will be
stored. Options are 'random' (default), 'string' and 'zookeeper'.
If using a setup with multiple KMS instances, 'zookeeper' should be used.
</description>
</property>
<property>
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
<value>/hadoop-kms/hadoop-auth-signature-secret</value>
<description>
The Zookeeper ZNode path where the KMS instances will store and retrieve
the secret from.
</description>
</property>
<property>
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
<value>#HOSTNAME#:#PORT#,...</value>
<description>
The Zookeeper connection string, a list of hostnames and port comma
separated.
</description>
</property>
<property>
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
<value>kerberos</value>
<description>
The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
</description>
</property>
<property>
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
<value>/etc/hadoop/conf/kms.keytab</value>
<description>
The absolute path for the Kerberos keytab with the credentials to
connect to Zookeeper.
</description>
</property>
<property>
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
<value>kms/#HOSTNAME#</value>
<description>
The Kerberos service principal used to connect to Zookeeper.
</description>
</property>
```
$H4 Delegation Tokens
TBD
$H3 KMS HTTP REST API
$H4 Create a Key
*REQUEST:*
POST http://HOST:PORT/kms/v1/keys
Content-Type: application/json
{
"name" : "<key-name>",
"cipher" : "<cipher>",
"length" : <length>, //int
"material" : "<material>", //base64
"description" : "<description>"
}
*RESPONSE:*
201 CREATED
LOCATION: http://HOST:PORT/kms/v1/key/<key-name>
Content-Type: application/json
{
"name" : "versionName",
"material" : "<material>", //base64, not present without GET ACL
}
$H4 Rollover Key
*REQUEST:*
POST http://HOST:PORT/kms/v1/key/<key-name>
Content-Type: application/json
{
"material" : "<material>",
}
*RESPONSE:*
200 OK
Content-Type: application/json
{
"name" : "versionName",
"material" : "<material>", //base64, not present without GET ACL
}
$H4 Delete Key
*REQUEST:*
DELETE http://HOST:PORT/kms/v1/key/<key-name>
*RESPONSE:*
200 OK
$H4 Get Key Metadata
*REQUEST:*
GET http://HOST:PORT/kms/v1/key/<key-name>/_metadata
*RESPONSE:*
200 OK
Content-Type: application/json
{
"name" : "<key-name>",
"cipher" : "<cipher>",
"length" : <length>, //int
"description" : "<description>",
"created" : <millis-epoc>, //long
"versions" : <versions> //int
}
$H4 Get Current Key
*REQUEST:*
GET http://HOST:PORT/kms/v1/key/<key-name>/_currentversion
*RESPONSE:*
200 OK
Content-Type: application/json
{
"name" : "versionName",
"material" : "<material>", //base64
}
$H4 Generate Encrypted Key for Current KeyVersion
*REQUEST:*
GET http://HOST:PORT/kms/v1/key/<key-name>/_eek?eek_op=generate&num_keys=<number-of-keys-to-generate>
*RESPONSE:*
200 OK
Content-Type: application/json
[
{
"versionName" : "encryptionVersionName",
"iv" : "<iv>", //base64
"encryptedKeyVersion" : {
"versionName" : "EEK",
"material" : "<material>", //base64
}
},
{
"versionName" : "encryptionVersionName",
"iv" : "<iv>", //base64
"encryptedKeyVersion" : {
"versionName" : "EEK",
"material" : "<material>", //base64
}
},
...
]
$H4 Decrypt Encrypted Key
*REQUEST:*
POST http://HOST:PORT/kms/v1/keyversion/<version-name>/_eek?ee_op=decrypt
Content-Type: application/json
{
"name" : "<key-name>",
"iv" : "<iv>", //base64
"material" : "<material>", //base64
}
*RESPONSE:*
200 OK
Content-Type: application/json
{
"name" : "EK",
"material" : "<material>", //base64
}
$H4 Get Key Version
*REQUEST:*
GET http://HOST:PORT/kms/v1/keyversion/<version-name>
*RESPONSE:*
200 OK
Content-Type: application/json
{
"name" : "versionName",
"material" : "<material>", //base64
}
$H4 Get Key Versions
*REQUEST:*
GET http://HOST:PORT/kms/v1/key/<key-name>/_versions
*RESPONSE:*
200 OK
Content-Type: application/json
[
{
"name" : "versionName",
"material" : "<material>", //base64
},
{
"name" : "versionName",
"material" : "<material>", //base64
},
...
]
$H4 Get Key Names
*REQUEST:*
GET http://HOST:PORT/kms/v1/keys/names
*RESPONSE:*
200 OK
Content-Type: application/json
[
"<key-name>",
"<key-name>",
...
]
$H4 Get Keys Metadata
GET http://HOST:PORT/kms/v1/keys/metadata?key=<key-name>&key=<key-name>,...
*RESPONSE:*
200 OK
Content-Type: application/json
[
{
"name" : "<key-name>",
"cipher" : "<cipher>",
"length" : <length>, //int
"description" : "<description>",
"created" : <millis-epoc>, //long
"versions" : <versions> //int
},
{
"name" : "<key-name>",
"cipher" : "<cipher>",
"length" : <length>, //int
"description" : "<description>",
"created" : <millis-epoc>, //long
"versions" : <versions> //int
},
...
]
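Review bot: In the "HTTP Authentication Signature" block, `hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type` is given the value `kerberos` while its own description says the accepted values are 'none' or 'sasl'; the example value should be `sasl`. Several other inconsistencies in this file will send readers to the wrong place: the Decrypt Encrypted Key request uses `ee_op=decrypt` while the generate request uses `eek_op=generate`; "KMS over HTTPS" names the script `etc/hadoop/kms_env.sh` but every other reference is `kms-env.sh`; "Start/Stop the KMS" says `bin/kms.sh` and then runs `sbin/kms.sh`. The description of `hadoop.kms.blacklist.GET` begins "ACL for" and should begin "Blacklist for", and the descriptions of `hadoop.kms.blacklist.CREATE` and `hadoop.kms.blacklist.SET_KEY_MATERIAL` look copied from their ACL counterparts without being reworded. In "Key Access Control", the sentence ending "as follows" is separated from its XML by four paragraphs, and the "root key ACL" mentioned in the DENIED rule is not defined anywhere (the surrounding text only describes per-key, default and whitelist ACLs). The `KMS_SSL_KEYSTORE_PASS=password` default deserves a sentence telling operators to change it. "Get Keys Metadata" is missing its `*REQUEST:*` label, and the `KMS_LOG` bullet has the restart NOTE run onto the same line.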

View File

@ -1,73 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Apache Hadoop ${project.version}
---
---
${maven.build.timestamp}
Apache Hadoop ${project.version}
Apache Hadoop ${project.version} consists of significant
improvements over the previous stable release (hadoop-1.x).
Here is a short overview of the improvments to both HDFS and MapReduce.
* {HDFS Federation}
In order to scale the name service horizontally, federation uses multiple
independent Namenodes/Namespaces. The Namenodes are federated, that is, the
Namenodes are independent and don't require coordination with each other.
The datanodes are used as common storage for blocks by all the Namenodes.
Each datanode registers with all the Namenodes in the cluster. Datanodes
send periodic heartbeats and block reports and handles commands from the
Namenodes.
More details are available in the
{{{./hadoop-project-dist/hadoop-hdfs/Federation.html}HDFS Federation}}
document.
* {MapReduce NextGen aka YARN aka MRv2}
The new architecture introduced in hadoop-0.23, divides the two major
functions of the JobTracker: resource management and job life-cycle management
into separate components.
The new ResourceManager manages the global assignment of compute resources to
applications and the per-application ApplicationMaster manages the
application scheduling and coordination.
An application is either a single job in the sense of classic MapReduce jobs
or a DAG of such jobs.
The ResourceManager and per-machine NodeManager daemon, which manages the
user processes on that machine, form the computation fabric.
The per-application ApplicationMaster is, in effect, a framework specific
library and is tasked with negotiating resources from the ResourceManager and
working with the NodeManager(s) to execute and monitor the tasks.
More details are available in the
{{{./hadoop-yarn/hadoop-yarn-site/YARN.html}YARN}}
document.
Getting Started
The Hadoop documentation includes the information you need to get started using
Hadoop. Begin with the
{{{./hadoop-project-dist/hadoop-common/SingleCluster.html}Single Node Setup}} which
shows you how to set up a single-node Hadoop installation. Then move on to the
{{{./hadoop-project-dist/hadoop-common/ClusterSetup.html}Cluster Setup}} to learn how
to set up a multi-node Hadoop installation.

View File

@ -0,0 +1,72 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Apache Hadoop ${project.version}
================================
Apache Hadoop ${project.version} consists of significant
improvements over the previous stable release (hadoop-1.x).
Here is a short overview of the improvments to both HDFS and MapReduce.
* HDFS Federation
In order to scale the name service horizontally, federation uses
multiple independent Namenodes/Namespaces. The Namenodes are
federated, that is, the Namenodes are independent and don't require
coordination with each other. The datanodes are used as common storage
for blocks by all the Namenodes. Each datanode registers with all the
Namenodes in the cluster. Datanodes send periodic heartbeats and block
reports and handles commands from the Namenodes.
More details are available in the
[HDFS Federation](./hadoop-project-dist/hadoop-hdfs/Federation.html)
document.
* MapReduce NextGen aka YARN aka MRv2
The new architecture introduced in hadoop-0.23, divides the two major
functions of the JobTracker: resource management and job life-cycle
management into separate components.
The new ResourceManager manages the global assignment of compute
resources to applications and the per-application
ApplicationMaster manages the application scheduling and
coordination.
An application is either a single job in the sense of classic
MapReduce jobs or a DAG of such jobs.
The ResourceManager and per-machine NodeManager daemon, which
manages the user processes on that machine, form the computation
fabric.
The per-application ApplicationMaster is, in effect, a framework
specific library and is tasked with negotiating resources from the
ResourceManager and working with the NodeManager(s) to execute and
monitor the tasks.
More details are available in the
[YARN](./hadoop-yarn/hadoop-yarn-site/YARN.html) document.
Getting Started
===============
The Hadoop documentation includes the information you need to get started using
Hadoop. Begin with the
[Single Node Setup](./hadoop-project-dist/hadoop-common/SingleCluster.html)
which shows you how to set up a single-node Hadoop installation.
Then move on to the
[Cluster Setup](./hadoop-project-dist/hadoop-common/ClusterSetup.html)
to learn how to set up a multi-node Hadoop installation.
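Review bot: The new file carries over two errors from the apt source that are cheap to fix during the conversion: "improvments" in the overview sentence should be "improvements", and in the HDFS Federation paragraph "Datanodes send periodic heartbeats and block reports and handles commands" should read "handle commands". "Getting Started" is underlined with `===`, which puts it at the same level as the page title "Apache Hadoop ${project.version}"; if it is meant to be a section of this page rather than a second title, a `---` underline would express that.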

View File

@ -1,686 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop OpenStack Support: Swift Object Store
---
---
${maven.build.timestamp}
%{toc|section=1|fromDepth=0}
Hadoop OpenStack Support: Swift Object Store
* {Introduction}
{{{http://www.openstack.org/}OpenStack}} is an open source cloud infrastructure
which can be accessed
from multiple public IaaS providers, and deployed privately. It offers
infrastructure services such as VM hosting (Nova), authentication (Keystone)
and storage of binary objects (Swift).
This module enables Apache Hadoop applications -including MapReduce jobs,
read and write data to and from instances of the
{{{http://www.openstack.org/software/openstack-storage/}OpenStack Swift object store}}.
* Features
* Read and write of data stored in a Swift object store
* Support of a pseudo-hierachical file system (directories, subdirectories and
files)
* Standard filesystem operations: <<<create>>>, <<<delete>>>, <<<mkdir>>>,
<<<ls>>>, <<<mv>>>, <<<stat>>>.
* Can act as a source of data in a MapReduce job, or a sink.
* Support for multiple OpenStack services, and multiple containers from a
single service.
* Supports in-cluster and remote access to Swift data.
* Supports OpenStack Keystone authentication with password or token.
* Released under the Apache Software License
* Tested against the Hadoop 3.x and 1.x branches, against multiple public
OpenStack clusters: Rackspace US, Rackspace UK, HP Cloud.
* Tested against private OpenStack clusters, including scalability tests of
large file uploads.
* Using the Hadoop Swift Filesystem Client
** Concepts: services and containers
OpenStack swift is an <Object Store>; also known as a <blobstore>. It stores
arbitrary binary objects by name in a <container>.
The Hadoop Swift filesystem library adds another concept, the <service>, which
defines which Swift blobstore hosts a container -and how to connect to it.
** Containers and Objects
* Containers are created by users with accounts on the Swift filestore, and hold
<objects>.
* Objects can be zero bytes long, or they can contain data.
* Objects in the container can be up to 5GB; there is a special support for
larger files than this, which merges multiple objects in to one.
* Each object is referenced by it's <name>; there is no notion of directories.
* You can use any characters in an object name that can be 'URL-encoded'; the
maximum length of a name is 1034 characters -after URL encoding.
* Names can have <<</>>> characters in them, which are used to create the illusion of
a directory structure. For example <<<dir/dir2/name>>>. Even though this looks
like a directory, <it is still just a name>. There is no requirement to have
any entries in the container called <<<dir>>> or <<<dir/dir2>>>
* That said. if the container has zero-byte objects that look like directory
names above other objects, they can pretend to be directories. Continuing the
example, a 0-byte object called <<<dir>>> would tell clients that it is a
directory while <<<dir/dir2>>> or <<<dir/dir2/name>>> were present. This creates an
illusion of containers holding a filesystem.
Client applications talk to Swift over HTTP or HTTPS, reading, writing and
deleting objects using standard HTTP operations (GET, PUT and DELETE,
respectively). There is also a COPY operation, that creates a new object in the
container, with a new name, containing the old data. There is no rename
operation itself, objects need to be copied -then the original entry deleted.
** Eventual Consistency
The Swift Filesystem is *eventually consistent*: an operation on an object may
not be immediately visible to that client, or other clients. This is a
consequence of the goal of the filesystem: to span a set of machines, across
multiple datacenters, in such a way that the data can still be available when
many of them fail. (In contrast, the Hadoop HDFS filesystem is *immediately
consistent*, but it does not span datacenters.)
Eventual consistency can cause surprises for client applications that expect
immediate consistency: after an object is deleted or overwritten, the object
may still be visible -or the old data still retrievable. The Swift Filesystem
client for Apache Hadoop attempts to handle this, in conjunction with the
MapReduce engine, but there may be still be occasions when eventual consistency
causes surprises.
** Non-atomic "directory" operations.
Hadoop expects some
operations to be atomic, especially <<<rename()>>>, which is something
the MapReduce layer relies on to commit the output of a job, renaming data
from a temp directory to the final path. Because a rename
is implemented as a copy of every blob under the directory's path, followed
by a delete of the originals, the intermediate state of the operation
will be visible to other clients. If two Reducer tasks to rename their temp
directory to the final path, both operations may succeed, with the result that
output directory contains mixed data. This can happen if MapReduce jobs
are being run with <speculation> enabled and Swift used as the direct output
of the MR job (it can also happen against Amazon S3).
Other consequences of the non-atomic operations are:
1. If a program is looking for the presence of the directory before acting
on the data -it may start prematurely. This can be avoided by using
other mechanisms to co-ordinate the programs, such as the presence of a file
that is written <after> any bulk directory operations.
2. A <<<rename()>>> or <<<delete()>>> operation may include files added under
the source directory tree during the operation, may unintentionally delete
it, or delete the 0-byte swift entries that mimic directories and act
as parents for the files. Try to avoid doing this.
The best ways to avoid all these problems is not using Swift as
the filesystem between MapReduce jobs or other Hadoop workflows. It
can act as a source of data, and a final destination, but it doesn't meet
all of Hadoop's expectations of what a filesystem is -it's a <blobstore>.
* Working with Swift Object Stores in Hadoop
Once installed, the Swift FileSystem client can be used by any Hadoop application
to read from or write to data stored in a Swift container.
Data stored in Swift can be used as the direct input to a MapReduce job
-simply use the <<<swift:>>> URL (see below) to declare the source of the data.
This Swift Filesystem client is designed to work with multiple
Swift object stores, both public and private. This allows the client to work
with different clusters, reading and writing data to and from either of them.
It can also work with the same object stores using multiple login details.
These features are achieved by one basic concept: using a service name in
the URI referring to a swift filesystem, and looking up all the connection and
login details for that specific service. Different service names can be defined
in the Hadoop XML configuration file, so defining different clusters, or
providing different login details for the same object store(s).
** Swift Filesystem URIs
Hadoop uses URIs to refer to files within a filesystem. Some common examples
are:
+--
local://etc/hosts
hdfs://cluster1/users/example/data/set1
hdfs://cluster2.example.org:8020/users/example/data/set1
+--
The Swift Filesystem Client adds a new URL type <<<swift>>>. In a Swift Filesystem
URL, the hostname part of a URL identifies the container and the service to
work with; the path the name of the object. Here are some examples
+--
swift://container.rackspace/my-object.csv
swift://data.hpcloud/data/set1
swift://dmitry.privatecloud/out/results
+--
In the last two examples, the paths look like directories: it is not, they are
simply the objects named <<<data/set1>>> and <<<out/results>>> respectively.
** Installing
The <<<hadoop-openstack>>> JAR must be on the classpath of the Hadoop program trying to
talk to the Swift service. If installed in the classpath of the Hadoop
MapReduce service, then all programs started by the MR engine will pick up the
JAR automatically. This is the easiest way to give all Hadoop jobs access to
Swift.
Alternatively, the JAR can be included as one of the JAR files that an
application uses. This lets the Hadoop jobs work with a Swift object store even
if the Hadoop cluster is not pre-configured for this.
The library also depends upon the Apache HttpComponents library, which
must also be on the classpath.
** Configuring
To talk to a swift service, the user must must provide:
[[1]] The URL defining the container and the service.
[[1]] In the cluster/job configuration, the login details of that service.
Multiple service definitions can co-exist in the same configuration file: just
use different names for them.
*** Example: Rackspace US, in-cluster access using API key
This service definition is for use in a Hadoop cluster deployed within Rackspace's
US infrastructure.
+--
<property>
<name>fs.swift.service.rackspace.auth.url</name>
<value>https://auth.api.rackspacecloud.com/v2.0/tokens</value>
<description>Rackspace US (multiregion)</description>
</property>
<property>
<name>fs.swift.service.rackspace.username</name>
<value>user4</value>
</property>
<property>
<name>fs.swift.service.rackspace.region</name>
<value>DFW</value>
</property>
<property>
<name>fs.swift.service.rackspace.apikey</name>
<value>fe806aa86dfffe2f6ed8</value>
</property>
+--
Here the API key visible in the account settings API keys page is used to log
in. No property for public/private access -the default is to use the private
endpoint for Swift operations.
This configuration also selects one of the regions, DFW, for its data.
A reference to this service would use the <<<rackspace>>> service name:
---
swift://hadoop-container.rackspace/
---
*** Example: Rackspace UK: remote access with password authentication
This connects to Rackspace's UK ("LON") datacenter.
+--
<property>
<name>fs.swift.service.rackspaceuk.auth.url</name>
<value>https://lon.identity.api.rackspacecloud.com/v2.0/tokens</value>
<description>Rackspace UK</description>
</property>
<property>
<name>fs.swift.service.rackspaceuk.username</name>
<value>user4</value>
</property>
<property>
<name>fs.swift.service.rackspaceuk.password</name>
<value>insert-password-here/value>
</property>
<property>
<name>fs.swift.service.rackspace.public</name>
<value>true</value>
</property>
+--
This is a public access point connection, using a password over an API key.
A reference to this service would use the <<<rackspaceuk>>> service name:
+--
swift://hadoop-container.rackspaceuk/
+--
Because the public endpoint is used, if this service definition is used within
the London datacenter, all accesses will be billed at the public
upload/download rates, <irrespective of where the Hadoop cluster is>.
*** Example: HP cloud service definition
Here is an example that connects to the HP Cloud object store.
+--
<property>
<name>fs.swift.service.hpcloud.auth.url</name>
<value>https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
</value>
<description>HP Cloud</description>
</property>
<property>
<name>fs.swift.service.hpcloud.tenant</name>
<value>FE806AA86</value>
</property>
<property>
<name>fs.swift.service.hpcloud.username</name>
<value>FE806AA86DFFFE2F6ED8</value>
</property>
<property>
<name>fs.swift.service.hpcloud.password</name>
<value>secret-password-goes-here</value>
</property>
<property>
<name>fs.swift.service.hpcloud.public</name>
<value>true</value>
</property>
+--
A reference to this service would use the <<<hpcloud>>> service name:
+--
swift://hadoop-container.hpcloud/
+--
** General Swift Filesystem configuration options
Some configuration options apply to the Swift client, independent of
the specific Swift filesystem chosen.
*** Blocksize fs.swift.blocksize
Swift does not break up files into blocks, except in the special case of files
over 5GB in length. Accordingly, there isn't a notion of a "block size"
to define where the data is kept.
Hadoop's MapReduce layer depends on files declaring their block size,
so that it knows how to partition work. Too small a blocksize means that
many mappers work on small pieces of data; too large a block size means
that only a few mappers get started.
The block size value reported by Swift, therefore, controls the basic workload
partioning of the MapReduce engine -and can be an important parameter to
tune for performance of the cluster.
The property has a unit of kilobytes; the default value is <<<32*1024>>>: 32 MB
+--
<property>
<name>fs.swift.blocksize</name>
<value>32768</value>
</property>
+--
This blocksize has no influence on how files are stored in Swift; it only controls
what the reported size of blocks are - a value used in Hadoop MapReduce to
divide work.
Note that the MapReduce engine's split logic can be tuned independently by setting
the <<<mapred.min.split.size>>> and <<<mapred.max.split.size>>> properties,
which can be done in specific job configurations.
+--
<property>
<name>mapred.min.split.size</name>
<value>524288</value>
</property>
<property>
<name>mapred.max.split.size</name>
<value>1048576</value>
</property>
+--
In an Apache Pig script, these properties would be set as:
---
mapred.min.split.size 524288
mapred.max.split.size 1048576
---
*** Partition size fs.swift.partsize
The Swift filesystem client breaks very large files into partitioned files,
uploading each as it progresses, and writing any remaning data and an XML
manifest when a partitioned file is closed.
The partition size defaults to 4608 MB; 4.5GB, the maximum filesize that
Swift can support.
It is possible to set a smaller partition size, in the <<<fs.swift.partsize>>>
option. This takes a value in KB.
+--
<property>
<name>fs.swift.partsize</name>
<value>1024</value>
<description>upload every MB</description>
</property>
+--
When should this value be changed from its default?
While there is no need to ever change it for basic operation of
the Swift filesystem client, it can be tuned
* If a Swift filesystem is location aware, then breaking a file up into
smaller partitions scatters the data round the cluster. For best performance,
the property <<<fs.swift.blocksize>>> should be set to a smaller value than the
partition size of files.
* When writing to an unpartitioned file, the entire write is done in the
<<<close()>>> operation. When a file is partitioned, the outstanding data to
be written whenever the outstanding amount of data is greater than the
partition size. This means that data will be written more incrementally
*** Request size fs.swift.requestsize
The Swift filesystem client reads files in HTTP GET operations, asking for
a block of data at a time.
The default value is 64KB. A larger value may be more efficient over faster
networks, as it reduces the overhead of setting up the HTTP operation.
However, if the file is read with many random accesses, requests for
data will be made from different parts of the file -discarding some of the
previously requested data. The benefits of larger request sizes may be wasted.
The property <<<fs.swift.requestsize>>> sets the request size in KB.
+--
<property>
<name>fs.swift.requestsize</name>
<value>128</value>
</property>
+--
*** Connection timeout fs.swift.connect.timeout
This sets the timeout in milliseconds to connect to a Swift service.
+--
<property>
<name>fs.swift.connect.timeout</name>
<value>15000</value>
</property>
+--
A shorter timeout means that connection failures are raised faster -but
may trigger more false alarms. A longer timeout is more resilient to network
problems -and may be needed when talking to remote filesystems.
*** Connection timeout fs.swift.socket.timeout
This sets the timeout in milliseconds to wait for data from a connected socket.
+--
<property>
<name>fs.swift.socket.timeout</name>
<value>60000</value>
</property>
+--
A shorter timeout means that connection failures are raised faster -but
may trigger more false alarms. A longer timeout is more resilient to network
problems -and may be needed when talking to remote filesystems.
*** Connection Retry Count fs.swift.connect.retry.count
This sets the number of times to try to connect to a service whenever
an HTTP request is made.
+--
<property>
<name>fs.swift.connect.retry.count</name>
<value>3</value>
</property>
+--
The more retries, the more resilient it is to transient outages -and the
less rapid it is at detecting and reporting server connectivity problems.
*** Connection Throttle Delay fs.swift.connect.throttle.delay
This property adds a delay between bulk file copy and delete operations,
to prevent requests being throttled or blocked by the remote service
+--
<property>
<name>fs.swift.connect.throttle.delay</name>
<value>0</value>
</property>
+--
It is measured in milliseconds; "0" means do not add any delay.
Throttling is enabled on the public endpoints of some Swift services.
If <<<rename()>>> or <<<delete()>>> operations fail with
<<<SwiftThrottledRequestException>>>
exceptions, try setting this property.
*** HTTP Proxy
If the client can only access the Swift filesystem via a web proxy
server, the client configuration must specify the proxy via
the <<<fs.swift.connect.proxy.host>>> and <<<fs.swift.connect.proxy.port>>>
properties.
+--
<property>
<name>fs.swift.proxy.host</name>
<value>web-proxy</value>
</property>
<property>
<name>fs.swift.proxy.port</name>
<value>8088</value>
</property>
+--
If the host is declared, the proxy port must be set to a valid integer value.
** Troubleshooting
*** ClassNotFoundException
The <<<hadoop-openstack>>> JAR -or any dependencies- may not be on your classpath.
If it is a remote MapReduce job that is failing, make sure that the JAR is
installed on the servers in the cluster -or that the job submission process
uploads the JAR file to the distributed cache.
*** Failure to Authenticate
A <<<SwiftAuthenticationFailedException>>> is thrown when the client
cannot authenticate with the OpenStack keystone server. This could be
because the URL in the service definition is wrong, or because
the supplied credentials are invalid.
[[1]] Check the authentication URL through <<<curl>>> or your browser
[[1]] Use a Swift client such as CyberDuck to validate your credentials
[[1]] If you have included a tenant ID, try leaving it out. Similarly,
try adding it if you had not included it.
[[1]] Try switching from API key authentication to password-based authentication,
by setting the password.
[[1]] Change your credentials. As with Amazon AWS clients, some credentials
don't seem to like going over the network.
*** Timeout connecting to the Swift Service
This happens if the client application is running outside an OpenStack cluster,
where it does not have access to the private hostname/IP address for filesystem
operations. Set the <<<public>>> flag to true -but remember to set it to false
for use in-cluster.
** Warnings
[[1]] Do not share your login details with anyone, which means do not log the
details, or check the XML configuration files into any revision control system
to which you do not have exclusive access.
[[1]] Similarly, do not use your real account details in any documentation *or any
bug reports submitted online*
[[1]] Prefer the apikey authentication over passwords as it is easier
to revoke a key -and some service providers allow you to set
an automatic expiry date on a key when issued.
[[1]] Do not use the public service endpoint from within a public OpenStack
cluster, as it will run up large bills.
[[1]] Remember: it's not a real filesystem or hierarchical directory structure.
Some operations (directory rename and delete) take time and are not atomic or
isolated from other operations taking place.
[[1]] Append is not supported.
[[1]] Unix-style permissions are not supported. All accounts with write access to
a repository have unlimited access; the same goes for those with read access.
[[1]] In the public clouds, do not make the containers public unless you are happy
with anyone reading your data, and are prepared to pay the costs of their
downloads.
** Limits
* Maximum length of an object path: 1024 characters
* Maximum size of a binary object: no absolute limit. Files > 5GB are
partitioned into separate files in the native filesystem, and merged during
retrieval. <Warning:> the partitioned/large file support is the
most complex part of the Hadoop/Swift FS integration, and, along with
authentication, the most troublesome to support.
** Testing the hadoop-openstack module
The <<<hadoop-openstack>>> can be remotely tested against any public
or private cloud infrastructure which supports the OpenStack Keystone
authentication mechanism. It can also be tested against private
OpenStack clusters. OpenStack Development teams are strongly encouraged to test
the Hadoop swift filesystem client against any version of Swift that they
are developing or deploying, to stress their cluster and to identify
bugs early.
The module comes with a large suite of JUnit tests -tests that are
only executed if the source tree includes credentials to test against a
specific cluster.
After checking out the Hadoop source tree, create the file:
+--
hadoop-tools/hadoop-openstack/src/test/resources/auth-keys.xml
+--
Into this file, insert the credentials needed to bond to the test filesystem,
as decribed above.
Next set the property <<<test.fs.swift.name>>> to the URL of a
swift container to test against. The tests expect exclusive access
to this container -do not keep any other data on it, or expect it
to be preserved.
+--
<property>
<name>test.fs.swift.name</name>
<value>swift://test.myswift/</value>
</property>
+--
In the base hadoop directory, run:
+--
mvn clean install -DskipTests
+--
This builds a set of Hadoop JARs consistent with the <<<hadoop-openstack>>>
module that is about to be tested.
In the <<<hadoop-tools/hadoop-openstack>>> directory run
+--
mvn test -Dtest=TestSwiftRestClient
+--
This runs some simple tests which include authenticating
against the remote swift service. If these tests fail, so will all
the rest. If it does fail: check your authentication.
Once this test succeeds, you can run the full test suite
+--
mvn test
+--
Be advised that these tests can take an hour or more, especially against a
remote Swift service -or one that throttles bulk operations.
Once the <<<auth-keys.xml>>> file is in place, the <<<mvn test>>> runs from
the Hadoop source base directory will automatically run these OpenStack tests
While this ensures that no regressions have occurred, it can also add significant
time to test runs, and may run up bills, depending on who is providing\
the Swift storage service. We recommend having a separate source tree
set up purely for the Swift tests, and running it manually or by the CI tooling
at a lower frequency than normal test runs.
Finally: Apache Hadoop is an open source project. Contributions of code
-including more tests- are very welcome.
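Review bot: The configuration examples in this removed apt text have defects that the Markdown replacement should not inherit. In the Rackspace UK example, `<value>insert-password-here/value>` is missing the `<` of its closing tag, and the last property is named `fs.swift.service.rackspace.public` although every other property in that block configures the `rackspaceuk` service, so the public flag would not apply to the service being described. In the HTTP Proxy section the prose names `fs.swift.connect.proxy.host` and `fs.swift.connect.proxy.port` while the XML sets `fs.swift.proxy.host` and `fs.swift.proxy.port`; one of the two is wrong and should be checked against the client code. The object name limit is given as 1034 characters under Containers and Objects and as 1024 under Limits, and the new file's Containers and Objects list still says 1034.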

View File

@ -0,0 +1,544 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
* [Hadoop OpenStack Support: Swift Object Store](#Hadoop_OpenStack_Support:_Swift_Object_Store)
* [Introduction](#Introduction)
* [Features](#Features)
* [Using the Hadoop Swift Filesystem Client](#Using_the_Hadoop_Swift_Filesystem_Client)
* [Concepts: services and containers](#Concepts:_services_and_containers)
* [Containers and Objects](#Containers_and_Objects)
* [Eventual Consistency](#Eventual_Consistency)
* [Non-atomic "directory" operations.](#Non-atomic_directory_operations.)
* [Working with Swift Object Stores in Hadoop](#Working_with_Swift_Object_Stores_in_Hadoop)
* [Swift Filesystem URIs](#Swift_Filesystem_URIs)
* [Installing](#Installing)
* [Configuring](#Configuring)
* [Example: Rackspace US, in-cluster access using API key](#Example:_Rackspace_US_in-cluster_access_using_API_key)
* [Example: Rackspace UK: remote access with password authentication](#Example:_Rackspace_UK:_remote_access_with_password_authentication)
* [Example: HP cloud service definition](#Example:_HP_cloud_service_definition)
* [General Swift Filesystem configuration options](#General_Swift_Filesystem_configuration_options)
* [Blocksize fs.swift.blocksize](#Blocksize_fs.swift.blocksize)
* [Partition size fs.swift.partsize](#Partition_size_fs.swift.partsize)
* [Request size fs.swift.requestsize](#Request_size_fs.swift.requestsize)
* [Connection timeout fs.swift.connect.timeout](#Connection_timeout_fs.swift.connect.timeout)
* [Connection timeout fs.swift.socket.timeout](#Connection_timeout_fs.swift.socket.timeout)
* [Connection Retry Count fs.swift.connect.retry.count](#Connection_Retry_Count_fs.swift.connect.retry.count)
* [Connection Throttle Delay fs.swift.connect.throttle.delay](#Connection_Throttle_Delay_fs.swift.connect.throttle.delay)
* [HTTP Proxy](#HTTP_Proxy)
* [Troubleshooting](#Troubleshooting)
* [ClassNotFoundException](#ClassNotFoundException)
* [Failure to Authenticate](#Failure_to_Authenticate)
* [Timeout connecting to the Swift Service](#Timeout_connecting_to_the_Swift_Service)
* [Warnings](#Warnings)
* [Limits](#Limits)
* [Testing the hadoop-openstack module](#Testing_the_hadoop-openstack_module)
Hadoop OpenStack Support: Swift Object Store
============================================
Introduction
------------
[OpenStack](http://www.openstack.org/) is an open source cloud infrastructure which can be accessed from multiple public IaaS providers, and deployed privately. It offers infrastructure services such as VM hosting (Nova), authentication (Keystone) and storage of binary objects (Swift).
This module enables Apache Hadoop applications -including MapReduce jobs, read and write data to and from instances of the [OpenStack Swift object store](http://www.openstack.org/software/openstack-storage/).
Features
--------
* Read and write of data stored in a Swift object store
* Support of a pseudo-hierachical file system (directories, subdirectories and
files)
* Standard filesystem operations: `create`, `delete`, `mkdir`,
`ls`, `mv`, `stat`.
* Can act as a source of data in a MapReduce job, or a sink.
* Support for multiple OpenStack services, and multiple containers from a
single service.
* Supports in-cluster and remote access to Swift data.
* Supports OpenStack Keystone authentication with password or token.
* Released under the Apache Software License
* Tested against the Hadoop 3.x and 1.x branches, against multiple public
OpenStack clusters: Rackspace US, Rackspace UK, HP Cloud.
* Tested against private OpenStack clusters, including scalability tests of
large file uploads.
Using the Hadoop Swift Filesystem Client
----------------------------------------
### Concepts: services and containers
OpenStack swift is an *Object Store*; also known as a *blobstore*. It stores arbitrary binary objects by name in a *container*.
The Hadoop Swift filesystem library adds another concept, the *service*, which defines which Swift blobstore hosts a container -and how to connect to it.
### Containers and Objects
* Containers are created by users with accounts on the Swift filestore, and hold
*objects*.
* Objects can be zero bytes long, or they can contain data.
* Objects in the container can be up to 5GB; there is a special support for
larger files than this, which merges multiple objects in to one.
* Each object is referenced by it's *name*; there is no notion of directories.
* You can use any characters in an object name that can be 'URL-encoded'; the
maximum length of a name is 1034 characters -after URL encoding.
* Names can have `/` characters in them, which are used to create the illusion of
a directory structure. For example `dir/dir2/name`. Even though this looks
like a directory, *it is still just a name*. There is no requirement to have
any entries in the container called `dir` or `dir/dir2`
* That said. if the container has zero-byte objects that look like directory
names above other objects, they can pretend to be directories. Continuing the
example, a 0-byte object called `dir` would tell clients that it is a
directory while `dir/dir2` or `dir/dir2/name` were present. This creates an
illusion of containers holding a filesystem.
Client applications talk to Swift over HTTP or HTTPS, reading, writing and deleting objects using standard HTTP operations (GET, PUT and DELETE, respectively). There is also a COPY operation, that creates a new object in the container, with a new name, containing the old data. There is no rename operation itself, objects need to be copied -then the original entry deleted.
### Eventual Consistency
The Swift Filesystem is \*eventually consistent\*: an operation on an object may not be immediately visible to that client, or other clients. This is a consequence of the goal of the filesystem: to span a set of machines, across multiple datacenters, in such a way that the data can still be available when many of them fail. (In contrast, the Hadoop HDFS filesystem is \*immediately consistent\*, but it does not span datacenters.)
Eventual consistency can cause surprises for client applications that expect immediate consistency: after an object is deleted or overwritten, the object may still be visible -or the old data still retrievable. The Swift Filesystem client for Apache Hadoop attempts to handle this, in conjunction with the MapReduce engine, but there may be still be occasions when eventual consistency causes surprises.
### Non-atomic "directory" operations.
Hadoop expects some operations to be atomic, especially `rename()`, which is something the MapReduce layer relies on to commit the output of a job, renaming data from a temp directory to the final path. Because a rename is implemented as a copy of every blob under the directory's path, followed by a delete of the originals, the intermediate state of the operation will be visible to other clients. If two Reducer tasks to rename their temp directory to the final path, both operations may succeed, with the result that output directory contains mixed data. This can happen if MapReduce jobs are being run with *speculation* enabled and Swift used as the direct output of the MR job (it can also happen against Amazon S3).
Other consequences of the non-atomic operations are:
1. If a program is looking for the presence of the directory before acting
on the data -it may start prematurely. This can be avoided by using
other mechanisms to co-ordinate the programs, such as the presence of a file
that is written *after* any bulk directory operations.
2. A `rename()` or `delete()` operation may include files added under
the source directory tree during the operation, may unintentionally delete
it, or delete the 0-byte swift entries that mimic directories and act
as parents for the files. Try to avoid doing this.
The best ways to avoid all these problems is not using Swift as the filesystem between MapReduce jobs or other Hadoop workflows. It can act as a source of data, and a final destination, but it doesn't meet all of Hadoop's expectations of what a filesystem is -it's a *blobstore*.
Working with Swift Object Stores in Hadoop
------------------------------------------
Once installed, the Swift FileSystem client can be used by any Hadoop application to read from or write to data stored in a Swift container.
Data stored in Swift can be used as the direct input to a MapReduce job -simply use the `swift:` URL (see below) to declare the source of the data.
This Swift Filesystem client is designed to work with multiple Swift object stores, both public and private. This allows the client to work with different clusters, reading and writing data to and from either of them.
It can also work with the same object stores using multiple login details.
These features are achieved by one basic concept: using a service name in the URI referring to a swift filesystem, and looking up all the connection and login details for that specific service. Different service names can be defined in the Hadoop XML configuration file, so defining different clusters, or providing different login details for the same object store(s).
### Swift Filesystem URIs
Hadoop uses URIs to refer to files within a filesystem. Some common examples are:
local://etc/hosts
hdfs://cluster1/users/example/data/set1
hdfs://cluster2.example.org:8020/users/example/data/set1
The Swift Filesystem Client adds a new URL type `swift`. In a Swift Filesystem URL, the hostname part of a URL identifies the container and the service to work with; the path the name of the object. Here are some examples
swift://container.rackspace/my-object.csv
swift://data.hpcloud/data/set1
swift://dmitry.privatecloud/out/results
In the last two examples, the paths look like directories: it is not, they are simply the objects named `data/set1` and `out/results` respectively.
### Installing
The `hadoop-openstack` JAR must be on the classpath of the Hadoop program trying to talk to the Swift service. If installed in the classpath of the Hadoop MapReduce service, then all programs started by the MR engine will pick up the JAR automatically. This is the easiest way to give all Hadoop jobs access to Swift.
Alternatively, the JAR can be included as one of the JAR files that an application uses. This lets the Hadoop jobs work with a Swift object store even if the Hadoop cluster is not pre-configured for this.
The library also depends upon the Apache HttpComponents library, which must also be on the classpath.
### Configuring
To talk to a swift service, the user must must provide:
1. The URL defining the container and the service.
2. In the cluster/job configuration, the login details of that service.
Multiple service definitions can co-exist in the same configuration file: just use different names for them.
#### Example: Rackspace US, in-cluster access using API key
This service definition is for use in a Hadoop cluster deployed within Rackspace's US infrastructure.
<property>
<name>fs.swift.service.rackspace.auth.url</name>
<value>https://auth.api.rackspacecloud.com/v2.0/tokens</value>
<description>Rackspace US (multiregion)</description>
</property>
<property>
<name>fs.swift.service.rackspace.username</name>
<value>user4</value>
</property>
<property>
<name>fs.swift.service.rackspace.region</name>
<value>DFW</value>
</property>
<property>
<name>fs.swift.service.rackspace.apikey</name>
<value>fe806aa86dfffe2f6ed8</value>
</property>
Here the API key visible in the account settings API keys page is used to log in. No property for public/private access -the default is to use the private endpoint for Swift operations.
This configuration also selects one of the regions, DFW, for its data.
A reference to this service would use the `rackspace` service name:
swift://hadoop-container.rackspace/
#### Example: Rackspace UK: remote access with password authentication
This connects to Rackspace's UK ("LON") datacenter.
<property>
<name>fs.swift.service.rackspaceuk.auth.url</name>
<value>https://lon.identity.api.rackspacecloud.com/v2.0/tokens</value>
<description>Rackspace UK</description>
</property>
<property>
<name>fs.swift.service.rackspaceuk.username</name>
<value>user4</value>
</property>
<property>
<name>fs.swift.service.rackspaceuk.password</name>
<value>insert-password-here/value>
</property>
<property>
<name>fs.swift.service.rackspace.public</name>
<value>true</value>
</property>
This is a public access point connection, using a password over an API key.
A reference to this service would use the `rackspaceuk` service name:
swift://hadoop-container.rackspaceuk/
Because the public endpoint is used, if this service definition is used within the London datacenter, all accesses will be billed at the public upload/download rates, *irrespective of where the Hadoop cluster is*.
#### Example: HP cloud service definition
Here is an example that connects to the HP Cloud object store.
<property>
<name>fs.swift.service.hpcloud.auth.url</name>
<value>https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
</value>
<description>HP Cloud</description>
</property>
<property>
<name>fs.swift.service.hpcloud.tenant</name>
<value>FE806AA86</value>
</property>
<property>
<name>fs.swift.service.hpcloud.username</name>
<value>FE806AA86DFFFE2F6ED8</value>
</property>
<property>
<name>fs.swift.service.hpcloud.password</name>
<value>secret-password-goes-here</value>
</property>
<property>
<name>fs.swift.service.hpcloud.public</name>
<value>true</value>
</property>
A reference to this service would use the `hpcloud` service name:
swift://hadoop-container.hpcloud/
### General Swift Filesystem configuration options
Some configuration options apply to the Swift client, independent of the specific Swift filesystem chosen.
#### Blocksize fs.swift.blocksize
Swift does not break up files into blocks, except in the special case of files over 5GB in length. Accordingly, there isn't a notion of a "block size" to define where the data is kept.
Hadoop's MapReduce layer depends on files declaring their block size, so that it knows how to partition work. Too small a blocksize means that many mappers work on small pieces of data; too large a block size means that only a few mappers get started.
The block size value reported by Swift, therefore, controls the basic workload partioning of the MapReduce engine -and can be an important parameter to tune for performance of the cluster.
The property has a unit of kilobytes; the default value is `32*1024`: 32 MB
<property>
<name>fs.swift.blocksize</name>
<value>32768</value>
</property>
This blocksize has no influence on how files are stored in Swift; it only controls what the reported size of blocks are - a value used in Hadoop MapReduce to divide work.
Note that the MapReduce engine's split logic can be tuned independently by setting the `mapred.min.split.size` and `mapred.max.split.size` properties, which can be done in specific job configurations.
<property>
<name>mapred.min.split.size</name>
<value>524288</value>
</property>
<property>
<name>mapred.max.split.size</name>
<value>1048576</value>
</property>
In an Apache Pig script, these properties would be set as:
mapred.min.split.size 524288
mapred.max.split.size 1048576
#### Partition size fs.swift.partsize
The Swift filesystem client breaks very large files into partitioned files, uploading each as it progresses, and writing any remaning data and an XML manifest when a partitioned file is closed.
The partition size defaults to 4608 MB; 4.5GB, the maximum filesize that Swift can support.
It is possible to set a smaller partition size, in the `fs.swift.partsize` option. This takes a value in KB.
<property>
<name>fs.swift.partsize</name>
<value>1024</value>
<description>upload every MB</description>
</property>
When should this value be changed from its default?
While there is no need to ever change it for basic operation of the Swift filesystem client, it can be tuned
* If a Swift filesystem is location aware, then breaking a file up into
smaller partitions scatters the data round the cluster. For best performance,
the property `fs.swift.blocksize` should be set to a smaller value than the
partition size of files.
* When writing to an unpartitioned file, the entire write is done in the
`close()` operation. When a file is partitioned, the outstanding data to
be written whenever the outstanding amount of data is greater than the
partition size. This means that data will be written more incrementally
#### Request size fs.swift.requestsize
The Swift filesystem client reads files in HTTP GET operations, asking for a block of data at a time.
The default value is 64KB. A larger value may be more efficient over faster networks, as it reduces the overhead of setting up the HTTP operation.
However, if the file is read with many random accesses, requests for data will be made from different parts of the file -discarding some of the previously requested data. The benefits of larger request sizes may be wasted.
The property `fs.swift.requestsize` sets the request size in KB.
<property>
<name>fs.swift.requestsize</name>
<value>128</value>
</property>
#### Connection timeout fs.swift.connect.timeout
This sets the timeout in milliseconds to connect to a Swift service.
<property>
<name>fs.swift.connect.timeout</name>
<value>15000</value>
</property>
A shorter timeout means that connection failures are raised faster -but may trigger more false alarms. A longer timeout is more resilient to network problems -and may be needed when talking to remote filesystems.
#### Connection timeout fs.swift.socket.timeout
This sets the timeout in milliseconds to wait for data from a connected socket.
<property>
<name>fs.swift.socket.timeout</name>
<value>60000</value>
</property>
A shorter timeout means that connection failures are raised faster -but may trigger more false alarms. A longer timeout is more resilient to network problems -and may be needed when talking to remote filesystems.
#### Connection Retry Count fs.swift.connect.retry.count
This sets the number of times to try to connect to a service whenever an HTTP request is made.
<property>
<name>fs.swift.connect.retry.count</name>
<value>3</value>
</property>
The more retries, the more resilient it is to transient outages -and the less rapid it is at detecting and reporting server connectivity problems.
#### Connection Throttle Delay fs.swift.connect.throttle.delay
This property adds a delay between bulk file copy and delete operations, to prevent requests being throttled or blocked by the remote service
<property>
<name>fs.swift.connect.throttle.delay</name>
<value>0</value>
</property>
It is measured in milliseconds; "0" means do not add any delay.
Throttling is enabled on the public endpoints of some Swift services. If `rename()` or `delete()` operations fail with `SwiftThrottledRequestException` exceptions, try setting this property.
#### HTTP Proxy
If the client can only access the Swift filesystem via a web proxy server, the client configuration must specify the proxy via the `fs.swift.connect.proxy.host` and `fs.swift.connect.proxy.port` properties.
<property>
<name>fs.swift.proxy.host</name>
<value>web-proxy</value>
</property>
<property>
<name>fs.swift.proxy.port</name>
<value>8088</value>
</property>
If the host is declared, the proxy port must be set to a valid integer value.
### Troubleshooting
#### ClassNotFoundException
The `hadoop-openstack` JAR -or any dependencies- may not be on your classpath.
If it is a remote MapReduce job that is failing, make sure that the JAR is installed on the servers in the cluster -or that the job submission process uploads the JAR file to the distributed cache.
#### Failure to Authenticate
A `SwiftAuthenticationFailedException` is thrown when the client cannot authenticate with the OpenStack keystone server. This could be because the URL in the service definition is wrong, or because the supplied credentials are invalid.
1. Check the authentication URL through `curl` or your browser
2. Use a Swift client such as CyberDuck to validate your credentials
3. If you have included a tenant ID, try leaving it out. Similarly,
try adding it if you had not included it.
4. Try switching from API key authentication to password-based authentication,
by setting the password.
5. Change your credentials. As with Amazon AWS clients, some credentials
don't seem to like going over the network.
#### Timeout connecting to the Swift Service
This happens if the client application is running outside an OpenStack cluster, where it does not have access to the private hostname/IP address for filesystem operations. Set the `public` flag to true -but remember to set it to false for use in-cluster.
### Warnings
1. Do not share your login details with anyone, which means do not log the
details, or check the XML configuration files into any revision control system
to which you do not have exclusive access.
2. Similarly, do not use your real account details in any
documentation \*or any bug reports submitted online\*
3. Prefer the apikey authentication over passwords as it is easier
to revoke a key -and some service providers allow you to set
an automatic expiry date on a key when issued.
4. Do not use the public service endpoint from within a public OpenStack
cluster, as it will run up large bills.
5. Remember: it's not a real filesystem or hierarchical directory structure.
Some operations (directory rename and delete) take time and are not atomic or
isolated from other operations taking place.
6. Append is not supported.
7. Unix-style permissions are not supported. All accounts with write access to
a repository have unlimited access; the same goes for those with read access.
8. In the public clouds, do not make the containers public unless you are happy
with anyone reading your data, and are prepared to pay the costs of their
downloads.
### Limits
* Maximum length of an object path: 1024 characters
* Maximum size of a binary object: no absolute limit. Files \> 5GB are
partitioned into separate files in the native filesystem, and merged during
retrieval. *Warning:* the partitioned/large file support is the
most complex part of the Hadoop/Swift FS integration, and, along with
authentication, the most troublesome to support.
### Testing the hadoop-openstack module
The `hadoop-openstack` can be remotely tested against any public or private cloud infrastructure which supports the OpenStack Keystone authentication mechanism. It can also be tested against private OpenStack clusters. OpenStack Development teams are strongly encouraged to test the Hadoop swift filesystem client against any version of Swift that they are developing or deploying, to stress their cluster and to identify bugs early.
The module comes with a large suite of JUnit tests -tests that are only executed if the source tree includes credentials to test against a specific cluster.
After checking out the Hadoop source tree, create the file:
hadoop-tools/hadoop-openstack/src/test/resources/auth-keys.xml
Into this file, insert the credentials needed to bond to the test filesystem, as decribed above.
Next set the property `test.fs.swift.name` to the URL of a swift container to test against. The tests expect exclusive access to this container -do not keep any other data on it, or expect it to be preserved.
<property>
<name>test.fs.swift.name</name>
<value>swift://test.myswift/</value>
</property>
In the base hadoop directory, run:
mvn clean install -DskipTests
This builds a set of Hadoop JARs consistent with the `hadoop-openstack` module that is about to be tested.
In the `hadoop-tools/hadoop-openstack` directory run
mvn test -Dtest=TestSwiftRestClient
This runs some simple tests which include authenticating against the remote swift service. If these tests fail, so will all the rest. If it does fail: check your authentication.
Once this test succeeds, you can run the full test suite
mvn test
Be advised that these tests can take an hour or more, especially against a remote Swift service -or one that throttles bulk operations.
Once the `auth-keys.xml` file is in place, the `mvn test` runs from the Hadoop source base directory will automatically run these OpenStack tests While this ensures that no regressions have occurred, it can also add significant time to test runs, and may run up bills, depending on who is providingthe Swift storage service. We recommend having a separate source tree set up purely for the Swift tests, and running it manually or by the CI tooling at a lower frequency than normal test runs.
Finally: Apache Hadoop is an open source project. Contributions of code -including more tests- are very welcome.
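Review bot: In the "Rackspace UK" example the last property is named `fs.swift.service.rackspace.public`, while every other property in that block uses the `rackspaceuk` service name, so the public-endpoint flag lands on the `rackspace` service rather than the one being defined. It should read `fs.swift.service.rackspaceuk.public`. If both examples are pasted into one configuration file, the snippet as written also switches the in-cluster Rackspace US definition, which the text says relies on the private default, to the public endpoint. The same block has a malformed closing tag in `<value>insert-password-here/value>`, which will not parse when copied. In "HTTP Proxy" the prose names `fs.swift.connect.proxy.host` and `fs.swift.connect.proxy.port` but the XML sets `fs.swift.proxy.host` and `fs.swift.proxy.port`; one pair is wrong and should be checked against the client code. The maximum object name length is given as 1034 characters under "Containers and Objects" and 1024 under "Limits", and the sample `apikey` value is not an obvious placeholder in the way `insert-password-here` is, which sits poorly with item 2 of the Warnings list.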

View File

@ -0,0 +1,30 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#banner {
height: 93px;
background: none;
}
#bannerLeft img {
margin-left: 30px;
margin-top: 10px;
}
#bannerRight img {
margin: 17px;
}

View File

@ -1,439 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License.
---
Yarn Scheduler Load Simulator (SLS)
---
---
${maven.build.timestamp}
Yarn Scheduler Load Simulator (SLS)
%{toc|section=1|fromDepth=0}
* Overview
** Overview
The Yarn scheduler is a fertile area of interest with different
implementations, e.g., Fifo, Capacity and Fair schedulers. Meanwhile, several
optimizations are also made to improve scheduler performance for different
scenarios and workload. Each scheduler algorithm has its own set of features,
and drives scheduling decisions by many factors, such as fairness, capacity
guarantee, resource availability, etc. It is very important to evaluate a
scheduler algorithm very well before we deploy in a production cluster.
Unfortunately, currently it is non-trivial to evaluate a scheduler algorithm.
Evaluating in a real cluster is always time and cost consuming, and it is
also very hard to find a large-enough cluster. Hence, a simulator which can
predict how well a scheduler algorithm for some specific workload would be
quite useful.
The Yarn Scheduler Load Simulator (SLS) is such a tool, which can simulate
large-scale Yarn clusters and application loads in a single machine.This
simulator would be invaluable in furthering Yarn by providing a tool for
researchers and developers to prototype new scheduler features and predict
their behavior and performance with reasonable amount of confidence,
thereby aiding rapid innovation.
The simulator will exercise the real Yarn <<<ResourceManager>>> removing the
network factor by simulating <<<NodeManagers>>> and <<<ApplicationMasters>>>
via handling and dispatching <<<NM>>>/<<<AMs>>> heartbeat events from within
the same JVM. To keep tracking of scheduler behavior and performance, a
scheduler wrapper will wrap the real scheduler.
The size of the cluster and the application load can be loaded from
configuration files, which are generated from job history files directly by
adopting {{{https://hadoop.apache.org/docs/stable/rumen.html}Apache Rumen}}.
The simulator will produce real time metrics while executing, including:
* Resource usages for whole cluster and each queue, which can be utilized to
configure cluster and queue's capacity.
* The detailed application execution trace (recorded in relation to simulated
time), which can be analyzed to understand/validate the scheduler behavior
(individual jobs turn around time, throughput, fairness, capacity guarantee,
etc.).
* Several key metrics of scheduler algorithm, such as time cost of each
scheduler operation (allocate, handle, etc.), which can be utilized by Hadoop
developers to find the code spots and scalability limits.
** Goals
* Exercise the scheduler at scale without a real cluster using real job
traces.
* Being able to simulate real workloads.
** Architecture
The following figure illustrates the implementation architecture of the
simulator.
[images/sls_arch.png] The architecture of the simulator
The simulator takes input of workload traces, and fetches the cluster and
applications information. For each NM and AM, the simulator builds a simulator
to simulate their running. All NM/AM simulators run in a thread pool. The
simulator reuses Yarn Resource Manager, and builds a wrapper out of the
scheduler. The Scheduler Wrapper can track the scheduler behaviors and
generates several logs, which are the outputs of the simulator and can be
further analyzed.
** Usecases
* Engineering
* Verify correctness of scheduler algorithm under load
* Cheap/practical way for finding code hotspots/critical-path.
* Validate the impact of changes and new features.
* Determine what drives the scheduler scalability limits.
[]
* QA
* Validate scheduler behavior for "large" clusters and several workload
profiles.
* Solutions/Sales.
* Sizing model for predefined/typical workloads.
* Cluster sizing tool using real customer data (job traces).
* Determine minimum SLAs under a particular workload.
* Usage
This section will show how to use the simulator. Here let <<<$HADOOP_ROOT>>>
represent the Hadoop install directory. If you build Hadoop yourself,
<<<$HADOOP_ROOT>>> is <<<hadoop-dist/target/hadoop-$VERSION>>>. The simulator
is located at <<<$HADOOP_ROOT/share/hadoop/tools/sls>>>. The fold <<<sls>>>
containers four directories: <<<bin>>>, <<<html>>>, <<<sample-conf>>>, and
<<<sample-data>>>
* <<<bin>>>: contains running scripts for the simulator.
* <<<html>>>: contains several html/css/js files we needed for real-time
tracking.
* <<<sample-conf>>>: specifies the simulator configurations.
* <<<sample-data>>>: provides an example rumen trace, which can be used to
generate inputs of the simulator.
[]
The following sections will describe how to use the simulator step by step.
Before start, make sure that command <<<hadoop>>> is included in your
<<<$PATH>>> environment parameter.
** Step 1: Configure Hadoop and the simulator
Before we start, make sure Hadoop and the simulator are configured well.
All configuration files for Hadoop and the simulator should be placed in
directory <<<$HADOOP_ROOT/etc/hadoop>>>, where the <<<ResourceManager>>>
and Yarn scheduler load their configurations. Directory
<<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/>>> provides several
example configurations, that can be used to start a demo.
For configuration of Hadoop and Yarn scheduler, users can refer to Yarns
website ({{{http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/}
http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/}}).
For the simulator, it loads configuration information from file
<<<$HADOOP_ROOT/etc/hadoop/sls-runner.xml>>>.
Here we illustrate each configuration parameter in <<<sls-runner.xml>>>.
Note that <<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/sls-runner.xml>>>
contains all the default values for these configuration parameters.
* <<<yarn.sls.runner.pool.size>>>
The simulator uses a thread pool to simulate the <<<NM>>> and <<<AM>>> running
, and this parameter specifies the number of threads in the pool.
* <<<yarn.sls.nm.memory.mb>>>
The total memory for each <<<NMSimulator>>>.
* <<<yarn.sls.nm.vcores>>>
The total vCores for each <<<NMSimulator>>>.
* <<<yarn.sls.nm.heartbeat.interval.ms>>>
The heartbeat interval for each <<<NMSimulator>>>.
* <<<yarn.sls.am.heartbeat.interval.ms>>>
The heartbeat interval for each <<<AMSimulator>>>.
* <<<yarn.sls.am.type.mapreduce>>>
The <<<AMSimulator>>> implementation for MapReduce-like applications.
Users can specify implementations for other type of applications.
* <<<yarn.sls.container.memory.mb>>>
The memory required for each container simulator.
* <<<yarn.sls.container.vcores>>>
The vCores required for each container simulator.
* <<<yarn.sls.runner.metrics.switch>>>
The simulator introduces {{{http://metrics.codahale.com/}Metrics}} to measure
the behaviors of critical components and operations. This field specifies
whether we open (<<<ON>>>) or close (<<<OFF>>>) the Metrics running.
* <<<yarn.sls.metrics.web.address.port>>>
The port used by simulator to provide real-time tracking. The default value is
10001.
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler>>>
The implementation of scheduler metrics of Fifo Scheduler.
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler>>>
The implementation of scheduler metrics of Fair Scheduler.
* <<<org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler>>>
The implementation of scheduler metrics of Capacity Scheduler.
** Step 2: Run the simulator
The simulator supports two types of input files: the rumen traces and its own
input traces. The script to start the simulator is <<<slsrun.sh>>>.
+----+
$ cd $HADOOP_ROOT/share/hadoop/tools/sls
$ bin/slsrun.sh
--input-rumen|--input-sls=<TRACE_FILE1,TRACE_FILE2,...>
--output-dir=<SLS_SIMULATION_OUTPUT_DIRECTORY> [--nodes=<SLS_NODES_FILE>]
[--track-jobs=<JOBID1,JOBID2,...>] [--print-simulation]
+----+
* <<<--input-rumen>>>: The input rumen trace files. Users can input multiple
files, separated by comma. One example trace is provided in
<<<$HADOOP_ROOT/share/hadoop/tools/sls/sample-data/2jobs2min-rumen-jh.json>>>.
* <<<--input-sls>>>: Simulator its own file format. The simulator also
provides a tool to convert rumen traces to sls traces (<<<rumen2sls.sh>>>).
Refer to appendix for an example of sls input json file.
* <<<--output-dir>>>: The output directory for generated running logs and
metrics.
* <<<--nodes>>>: The cluster topology. By default, the simulator will use the
topology fetched from the input json files. Users can specifies a new topology
by setting this parameter. Refer to the appendix for the topology file format.
* <<<--track-jobs>>>: The particular jobs that will be tracked during
simulator running, spearated by comma.
* <<<--print-simulation>>>: Whether to print out simulation information
before simulator running, including number of nodes, applications, tasks,
and information for each application.
In comparison to rumen format, here the sls format is much simpler and users
can easily generate various workload. The simulator also provides a tool to
convert rumen traces to sls traces.
+----+
$ bin/rumen2sls.sh
--rumen-file=<RUMEN_FILE>
--output-dir=<SLS_OUTPUT_DIRECTORY>
[--output-prefix=<SLS_FILE_PREFIX>]
+----+
* <<<--rumen-file>>>: The rumen format file. One example trace is provided
in directory <<<sample-data>>>.
* <<<--output-dir>>>: The output directory of generated simulation traces.
Two files will be generated in this output directory, including one trace
file including all job and task information, and another file showing the
topology information.
* <<<--output-prefix>>>: The prefix of the generated files. The default value
is ”sls”, and the two generated files are <<<sls-jobs.json>>> and
<<<sls-nodes.json>>>.
* Metrics
The Yarn Scheduler Load Simulator has integrated
{{{http://metrics.codahale.com/}Metrics}} to measure the behaviors of critical
components and operations, including running applications and containers,
cluster available resources, scheduler operation timecost, et al. If the
switch <<<yarn.sls.runner.metrics.switch>>> is set <<<ON>>>, <<<Metrics>>>
will run and output it logs in <<<--output-dir>>> directory specified by users.
Users can track these information during simulator running, and can also
analyze these logs after running to evaluate the scheduler performance.
** Real-time Tracking
The simulator provides an interface for tracking its running in real-time.
Users can go to <<<http://host:port/simulate>>> to track whole running,
and <<<http://host:port/track>>> to track a particular job or queue. Here
the <<<host>>> is the place when we run the simulator, and <<<port>>> is
the value configured by <<<yarn.sls.metrics.web.address.port>>> (default value
is 10001).
Here we'll illustrate each chart shown in the webpage.
The first figure describes the number of running applications and containers.
[images/sls_running_apps_containers.png] Number of running applications/containers
The second figure describes the allocated and available resources (memory)
in the cluster.
[images/sls_cluster_memory.png] Cluster Resource (Memory)
The third figure describes the allocated resource for each queue. Here we have
three queues: sls_queue_1, sls_queue_2, and sls_queue_3.The first two queues
are configured with 25% share, while the last one has 50% share.
[images/sls_queue_allocated_memory.png] Queue Allocated Resource (Memory)
The fourth figure describes the timecost for each scheduler operation.
[images/sls_scheduler_operation_timecost.png] Scheduler Opertion Timecost
Finally, we measure the memory used by the simulator.
[images/sls_JVM.png] JVM Memory
The simulator also provides an interface for tracking some particular
jobs and queues. Go to <<<http://<Host>:<Port>/track>>> to get these
information.
Here the first figure illustrates the resource usage information for queue
<<<SLS_Queue_1>>>.
[images/sls_track_queue.png] Tracking Queue <<<sls_queue_3>>>
The second figure illustrates the resource usage information for job
<<<job_1369942127770_0653>>>.
[images/sls_track_job.png] Tracking Job <<<job_1369942127770_0653>>>
** Offline Analysis
After the simulator finishes, all logs are saved in the output directory
specified by <<<--output-dir>>> in
<<<$HADOOP_ROOT/share/hadoop/tools/sls/bin/slsrun.sh>>>.
* File <<<realtimetrack.json>>>: records all real-time tracking logs every 1
second.
* File <<<jobruntime.csv>>>: records all jobs start and end time in the
simulator.
* Folder <<<metrics>>>: logs generated by the Metrics.
[]
Users can also reproduce those real-time tracking charts in offline mode.
Just upload the <<<realtimetrack.json>>> to
<<<$HADOOP_ROOT/share/hadoop/tools/sls/html/showSimulationTrace.html>>>.
For browser security problem, need to put files <<<realtimetrack.json>>> and
<<<showSimulationTrace.html>>> in the same directory.
* Appendix
** Resources
{{{https://issues.apache.org/jira/browse/YARN-1021}YARN-1021}} is the main
JIRA that introduces Yarn Scheduler Load Simulator to Hadoop Yarn project.
** SLS JSON input file format
Here we provide an example format of the sls json file, which contains 2 jobs.
The first job has 3 map tasks and the second one has 2 map tasks.
+----+
{
"am.type" : "mapreduce",
"job.start.ms" : 0,
"job.end.ms" : 95375,
"job.queue.name" : "sls_queue_1",
"job.id" : "job_1",
"job.user" : "default",
"job.tasks" : [ {
"container.host" : "/default-rack/node1",
"container.start.ms" : 6664,
"container.end.ms" : 23707,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node3",
"container.start.ms" : 6665,
"container.end.ms" : 21593,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node2",
"container.start.ms" : 68770,
"container.end.ms" : 86613,
"container.priority" : 20,
"container.type" : "map"
} ]
}
{
"am.type" : "mapreduce",
"job.start.ms" : 105204,
"job.end.ms" : 197256,
"job.queue.name" : "sls_queue_2",
"job.id" : "job_2",
"job.user" : "default",
"job.tasks" : [ {
"container.host" : "/default-rack/node1",
"container.start.ms" : 111822,
"container.end.ms" : 133985,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node2",
"container.start.ms" : 111788,
"container.end.ms" : 131377,
"container.priority" : 20,
"container.type" : "map"
} ]
}
+----+
** Simulator input topology file format
Here is an example input topology file which has 3 nodes organized in 1 rack.
+----+
{
"rack" : "default-rack",
"nodes" : [ {
"node" : "node1"
}, {
"node" : "node2"
}, {
"node" : "node3"
}]
}
+----+

View File

@ -0,0 +1,357 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
Yarn Scheduler Load Simulator (SLS)
===================================
* [Yarn Scheduler Load Simulator (SLS)](#Yarn_Scheduler_Load_Simulator_SLS)
* [Overview](#Overview)
* [Overview](#Overview)
* [Goals](#Goals)
* [Architecture](#Architecture)
* [Usecases](#Usecases)
* [Usage](#Usage)
* [Step 1: Configure Hadoop and the simulator](#Step_1:_Configure_Hadoop_and_the_simulator)
* [Step 2: Run the simulator](#Step_2:_Run_the_simulator)
* [Metrics](#Metrics)
* [Real-time Tracking](#Real-time_Tracking)
* [Offline Analysis](#Offline_Analysis)
* [Appendix](#Appendix)
* [Resources](#Resources)
* [SLS JSON input file format](#SLS_JSON_input_file_format)
* [Simulator input topology file format](#Simulator_input_topology_file_format)
Overview
--------
### Overview
The Yarn scheduler is a fertile area of interest with different implementations, e.g., Fifo, Capacity and Fair schedulers. Meanwhile, several optimizations are also made to improve scheduler performance for different scenarios and workload. Each scheduler algorithm has its own set of features, and drives scheduling decisions by many factors, such as fairness, capacity guarantee, resource availability, etc. It is very important to evaluate a scheduler algorithm very well before we deploy in a production cluster. Unfortunately, currently it is non-trivial to evaluate a scheduler algorithm. Evaluating in a real cluster is always time and cost consuming, and it is also very hard to find a large-enough cluster. Hence, a simulator which can predict how well a scheduler algorithm for some specific workload would be quite useful.
The Yarn Scheduler Load Simulator (SLS) is such a tool, which can simulate large-scale Yarn clusters and application loads in a single machine.This simulator would be invaluable in furthering Yarn by providing a tool for researchers and developers to prototype new scheduler features and predict their behavior and performance with reasonable amount of confidence, thereby aiding rapid innovation.
o
The simulator will exercise the real Yarn `ResourceManager` removing the network factor by simulating `NodeManagers` and `ApplicationMasters` via handling and dispatching `NM`/`AMs` heartbeat events from within the same JVM. To keep tracking of scheduler behavior and performance, a scheduler wrapper will wrap the real scheduler.
The size of the cluster and the application load can be loaded from configuration files, which are generated from job history files directly by adopting [Apache Rumen](https://hadoop.apache.org/docs/stable/rumen.html).
The simulator will produce real time metrics while executing, including:
* Resource usages for whole cluster and each queue, which can be utilized to
configure cluster and queue's capacity.
* The detailed application execution trace (recorded in relation to simulated
time), which can be analyzed to understand/validate the scheduler behavior
(individual jobs turn around time, throughput, fairness, capacity guarantee,
etc.).
* Several key metrics of scheduler algorithm, such as time cost of each
scheduler operation (allocate, handle, etc.), which can be utilized by Hadoop
developers to find the code spots and scalability limits.
### Goals
* Exercise the scheduler at scale without a real cluster using real job
traces.
* Being able to simulate real workloads.
### Architecture
The following figure illustrates the implementation architecture of the simulator.
![The architecture of the simulator](images/sls_arch.png)
The simulator takes input of workload traces, and fetches the cluster and applications information. For each NM and AM, the simulator builds a simulator to simulate their running. All NM/AM simulators run in a thread pool. The simulator reuses Yarn Resource Manager, and builds a wrapper out of the scheduler. The Scheduler Wrapper can track the scheduler behaviors and generates several logs, which are the outputs of the simulator and can be further analyzed.
### Usecases
* Engineering
* Verify correctness of scheduler algorithm under load
* Cheap/practical way for finding code hotspots/critical-path.
* Validate the impact of changes and new features.
* Determine what drives the scheduler scalability limits.
* QA
* Validate scheduler behavior for "large" clusters and several workload profiles.
* Solutions/Sales.
* Sizing model for predefined/typical workloads.
* Cluster sizing tool using real customer data (job traces).
* Determine minimum SLAs under a particular workload.
Usage
-----
This section will show how to use the simulator. Here let `$HADOOP_ROOT` represent the Hadoop install directory. If you build Hadoop yourself, `$HADOOP_ROOT` is `hadoop-dist/target/hadoop-$VERSION`. The simulator is located at `$HADOOP_ROOT/share/hadoop/tools/sls`. The fold `sls` containers four directories: `bin`, `html`, `sample-conf`, and `sample-data`
* `bin`: contains running scripts for the simulator.
* `html`: contains several html/css/js files we needed for real-time tracking.
* `sample-conf`: specifies the simulator configurations.
* `sample-data`: provides an example rumen trace, which can be used to
generate inputs of the simulator.
The following sections will describe how to use the simulator step by step. Before start, make sure that command `hadoop` is included in your `$PATH` environment parameter.
### Step 1: Configure Hadoop and the simulator
Before we start, make sure Hadoop and the simulator are configured well. All configuration files for Hadoop and the simulator should be placed in directory `$HADOOP_ROOT/etc/hadoop`, where the `ResourceManager` and Yarn scheduler load their configurations. Directory `$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/` provides several example configurations, that can be used to start a demo.
For configuration of Hadoop and Yarn scheduler, users can refer to Yarns website (<http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/>).
For the simulator, it loads configuration information from file `$HADOOP_ROOT/etc/hadoop/sls-runner.xml`.
Here we illustrate each configuration parameter in `sls-runner.xml`. Note that `$HADOOP_ROOT/share/hadoop/tools/sls/sample-conf/sls-runner.xml` contains all the default values for these configuration parameters.
* `yarn.sls.runner.pool.size`
The simulator uses a thread pool to simulate the `NM` and `AM` running,
and this parameter specifies the number of threads in the pool.
* `yarn.sls.nm.memory.mb`
The total memory for each `NMSimulator`.
* `yarn.sls.nm.vcores`
The total vCores for each `NMSimulator`.
* `yarn.sls.nm.heartbeat.interval.ms`
The heartbeat interval for each `NMSimulator`.
* `yarn.sls.am.heartbeat.interval.ms`
The heartbeat interval for each `AMSimulator`.
* `yarn.sls.am.type.mapreduce`
The `AMSimulator` implementation for MapReduce-like applications.
Users can specify implementations for other type of applications.
* `yarn.sls.container.memory.mb`
The memory required for each container simulator.
* `yarn.sls.container.vcores`
The vCores required for each container simulator.
* `yarn.sls.runner.metrics.switch`
The simulator introduces [Metrics](http://metrics.codahale.com/) to measure
the behaviors of critical components and operations. This field specifies
whether we open (`ON`) or close (`OFF`) the Metrics running.
* `yarn.sls.metrics.web.address.port`
The port used by simulator to provide real-time tracking. The default value is
10001.
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler`
The implementation of scheduler metrics of Fifo Scheduler.
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler`
The implementation of scheduler metrics of Fair Scheduler.
* `org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler`
The implementation of scheduler metrics of Capacity Scheduler.
### Step 2: Run the simulator
The simulator supports two types of input files: the rumen traces and its own input traces. The script to start the simulator is `slsrun.sh`.
$ cd $HADOOP_ROOT/share/hadoop/tools/sls
$ bin/slsrun.sh
--input-rumen |--input-sls=<TRACE_FILE1,TRACE_FILE2,...>
--output-dir=<SLS_SIMULATION_OUTPUT_DIRECTORY> [--nodes=<SLS_NODES_FILE>]
[--track-jobs=<JOBID1,JOBID2,...>] [--print-simulation]
* `--input-rumen`: The input rumen trace files. Users can input multiple
files, separated by comma. One example trace is provided in
`$HADOOP_ROOT/share/hadoop/tools/sls/sample-data/2jobs2min-rumen-jh.json`.
* `--input-sls`: Simulator its own file format. The simulator also
provides a tool to convert rumen traces to sls traces (`rumen2sls.sh`).
Refer to appendix for an example of sls input json file.
* `--output-dir`: The output directory for generated running logs and
metrics.
* `--nodes`: The cluster topology. By default, the simulator will use the
topology fetched from the input json files. Users can specifies a new topology
by setting this parameter. Refer to the appendix for the topology file format.
* `--track-jobs`: The particular jobs that will be tracked during
simulator running, spearated by comma.
* `--print-simulation`: Whether to print out simulation information
before simulator running, including number of nodes, applications, tasks,
and information for each application.
In comparison to rumen format, here the sls format is much simpler and users
can easily generate various workload. The simulator also provides a tool to
convert rumen traces to sls traces.
$ bin/rumen2sls.sh
--rumen-file=<RUMEN_FILE>
--output-dir=<SLS_OUTPUT_DIRECTORY>
[--output-prefix=<SLS_FILE_PREFIX>]
* `--rumen-file`: The rumen format file. One example trace is provided
in directory `sample-data`.
* `--output-dir`: The output directory of generated simulation traces.
Two files will be generated in this output directory, including one trace
file including all job and task information, and another file showing the
topology information.
* `--output-prefix`: The prefix of the generated files. The default value
is "sls", and the two generated files are `sls-jobs.json` and
`sls-nodes.json`.
Metrics
-------
The Yarn Scheduler Load Simulator has integrated [Metrics](http://metrics.codahale.com/) to measure the behaviors of critical components and operations, including running applications and containers, cluster available resources, scheduler operation timecost, et al. If the switch `yarn.sls.runner.metrics.switch` is set `ON`, `Metrics` will run and output it logs in `--output-dir` directory specified by users. Users can track these information during simulator running, and can also analyze these logs after running to evaluate the scheduler performance.
### Real-time Tracking
The simulator provides an interface for tracking its running in real-time. Users can go to `http://host:port/simulate` to track whole running, and `http://host:port/track` to track a particular job or queue. Here the `host` is the place when we run the simulator, and `port` is the value configured by `yarn.sls.metrics.web.address.port` (default value is 10001).
Here we'll illustrate each chart shown in the webpage.
The first figure describes the number of running applications and containers.
![Number of running applications/containers](images/sls_running_apps_containers.png)
The second figure describes the allocated and available resources (memory) in the cluster.
![Cluster Resource (Memory)](images/sls_cluster_memory.png)
The third figure describes the allocated resource for each queue. Here we have three queues: sls\_queue\_1, sls\_queue\_2, and sls\_queue\_3.The first two queues are configured with 25% share, while the last one has 50% share.
![Queue Allocated Resource (Memory)](images/sls_queue_allocated_memory.png)
The fourth figure describes the timecost for each scheduler operation.
![Scheduler Opertion Timecost](images/sls_scheduler_operation_timecost.png)
Finally, we measure the memory used by the simulator.
![JVM Memory](images/sls_JVM.png)
The simulator also provides an interface for tracking some particular jobs and queues. Go to `http://<Host>:<Port>/track` to get these information.
Here the first figure illustrates the resource usage information for queue `SLS_Queue_1`.
![Tracking Queue `sls_queue_3`](images/sls_track_queue.png)
The second figure illustrates the resource usage information for job `job_1369942127770_0653`.
![Tracking Job `job_1369942127770_0653`](images/sls_track_job.png)
### Offline Analysis
After the simulator finishes, all logs are saved in the output directory specified by `--output-dir` in `$HADOOP_ROOT/share/hadoop/tools/sls/bin/slsrun.sh`.
* File `realtimetrack.json`: records all real-time tracking logs every 1
second.
* File `jobruntime.csv`: records all jobs start and end time in the
simulator.
* Folder `metrics`: logs generated by the Metrics.
Users can also reproduce those real-time tracking charts in offline mode. Just upload the `realtimetrack.json` to `$HADOOP_ROOT/share/hadoop/tools/sls/html/showSimulationTrace.html`. For browser security problem, need to put files `realtimetrack.json` and `showSimulationTrace.html` in the same directory.
Appendix
--------
### Resources
[YARN-1021](https://issues.apache.org/jira/browse/YARN-1021) is the main JIRA that introduces Yarn Scheduler Load Simulator to Hadoop Yarn project.
### SLS JSON input file format
Here we provide an example format of the sls json file, which contains 2 jobs. The first job has 3 map tasks and the second one has 2 map tasks.
{
"am.type" : "mapreduce",
"job.start.ms" : 0,
"job.end.ms" : 95375,
"job.queue.name" : "sls_queue_1",
"job.id" : "job_1",
"job.user" : "default",
"job.tasks" : [ {
"container.host" : "/default-rack/node1",
"container.start.ms" : 6664,
"container.end.ms" : 23707,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node3",
"container.start.ms" : 6665,
"container.end.ms" : 21593,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node2",
"container.start.ms" : 68770,
"container.end.ms" : 86613,
"container.priority" : 20,
"container.type" : "map"
} ]
}
{
"am.type" : "mapreduce",
"job.start.ms" : 105204,
"job.end.ms" : 197256,
"job.queue.name" : "sls_queue_2",
"job.id" : "job_2",
"job.user" : "default",
"job.tasks" : [ {
"container.host" : "/default-rack/node1",
"container.start.ms" : 111822,
"container.end.ms" : 133985,
"container.priority" : 20,
"container.type" : "map"
}, {
"container.host" : "/default-rack/node2",
"container.start.ms" : 111788,
"container.end.ms" : 131377,
"container.priority" : 20,
"container.type" : "map"
} ]
}
### Simulator input topology file format
Here is an example input topology file which has 3 nodes organized in 1 rack.
{
"rack" : "default-rack",
"nodes" : [ {
"node" : "node1"
}, {
"node" : "node2"
}, {
"node" : "node3"
}]
}
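Review bot: The added SLS markdown page has a stray line containing only `o` between the second Overview paragraph and "The simulator will exercise the real Yarn `ResourceManager`...", which will render as a one-letter paragraph; please drop it. The `slsrun.sh` synopsis under Step 2 now reads `--input-rumen |--input-sls=<TRACE_FILE1,...>`, where the removed apt text had `--input-rumen|--input-sls=`, so the extra space before the `|` should go. Several text errors are carried over unchanged and could be fixed in the same pass: "The fold `sls` containers four directories" in Usage, "spearated" in the `--track-jobs` item, "Scheduler Opertion Timecost" in the image alt text, the missing space in "sls\_queue\_3.The first two queues", and the tracking figure that the text describes as queue `SLS_Queue_1` while its caption says `sls_queue_3`. Separately, Real-time Tracking documents `http://host:port/simulate` and `http://host:port/track` on `yarn.sls.metrics.web.address.port` (default 10001) but does not say whether access to that listener is restricted; a sentence stating this would help anyone running the simulator on a shared host.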

View File

@ -1,792 +0,0 @@
~~ Licensed under the Apache License, Version 2.0 (the "License");
~~ you may not use this file except in compliance with the License.
~~ You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing, software
~~ distributed under the License is distributed on an "AS IS" BASIS,
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~~ See the License for the specific language governing permissions and
~~ limitations under the License. See accompanying LICENSE file.
---
Hadoop Streaming
---
---
${maven.build.timestamp}
Hadoop Streaming
%{toc|section=1|fromDepth=0|toDepth=4}
* Hadoop Streaming
Hadoop streaming is a utility that comes with the Hadoop distribution. The
utility allows you to create and run Map/Reduce jobs with any executable or
script as the mapper and/or the reducer. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /usr/bin/wc
+---+
* How Streaming Works
In the above example, both the mapper and the reducer are executables that
read the input from stdin (line by line) and emit the output to stdout. The
utility will create a Map/Reduce job, submit the job to an appropriate
cluster, and monitor the progress of the job until it completes.
When an executable is specified for mappers, each mapper task will launch the
executable as a separate process when the mapper is initialized. As the
mapper task runs, it converts its inputs into lines and feed the lines to the
stdin of the process. In the meantime, the mapper collects the line oriented
outputs from the stdout of the process and converts each line into a
key/value pair, which is collected as the output of the mapper. By default,
the <prefix of a line up to the first tab character> is the <<<key>>> and the
rest of the line (excluding the tab character) will be the <<<value>>>. If
there is no tab character in the line, then entire line is considered as key
and the value is null. However, this can be customized by setting
<<<-inputformat>>> command option, as discussed later.
When an executable is specified for reducers, each reducer task will launch
the executable as a separate process then the reducer is initialized. As the
reducer task runs, it converts its input key/values pairs into lines and
feeds the lines to the stdin of the process. In the meantime, the reducer
collects the line oriented outputs from the stdout of the process, converts
each line into a key/value pair, which is collected as the output of the
reducer. By default, the prefix of a line up to the first tab character is
the key and the rest of the line (excluding the tab character) is the value.
However, this can be customized by setting <<<-outputformat>>> command
option, as discussed later.
This is the basis for the communication protocol between the Map/Reduce
framework and the streaming mapper/reducer.
User can specify <<<stream.non.zero.exit.is.failure>>> as <<<true>>> or
<<<false>>> to make a streaming task that exits with a non-zero status to be
<<<Failure>>> or <<<Success>>> respectively. By default, streaming tasks
exiting with non-zero status are considered to be failed tasks.
* Streaming Command Options
Streaming supports streaming command options as well as
{{{Generic_Command_Options}generic command options}}. The general command
line syntax is shown below.
<<Note:>> Be sure to place the generic options before the streaming options,
otherwise the command will fail. For an example, see
{{{Making_Archives_Available_to_Tasks}Making Archives Available to Tasks}}.
+---+
hadoop command [genericOptions] [streamingOptions]
+---+
The Hadoop streaming command options are listed here:
*-------------*--------------------*------------------------------------------*
|| Parameter || Optional/Required || Description |
*-------------+--------------------+------------------------------------------+
| -input directoryname or filename | Required | Input location for mapper
*-------------+--------------------+------------------------------------------+
| -output directoryname | Required | Output location for reducer
*-------------+--------------------+------------------------------------------+
| -mapper executable or JavaClassName | Required | Mapper executable
*-------------+--------------------+------------------------------------------+
| -reducer executable or JavaClassName | Required | Reducer executable
*-------------+--------------------+------------------------------------------+
| -file filename | Optional | Make the mapper, reducer, or combiner executable
| | | available locally on the compute nodes
*-------------+--------------------+------------------------------------------+
| -inputformat JavaClassName | Optional | Class you supply should return
| | | key/value pairs of Text class. If not
| | | specified, TextInputFormat is used as
| | | the default
*-------------+--------------------+------------------------------------------+
| -outputformat JavaClassName | Optional | Class you supply should take
| | | key/value pairs of Text class. If
| | | not specified, TextOutputformat is
| | | used as the default
*-------------+--------------------+------------------------------------------+
| -partitioner JavaClassName | Optional | Class that determines which reduce a
| | | key is sent to
*-------------+--------------------+------------------------------------------+
| -combiner streamingCommand | Optional | Combiner executable for map output
| or JavaClassName | |
*-------------+--------------------+------------------------------------------+
| -cmdenv name=value | Optional | Pass environment variable to streaming
| | | commands
*-------------+--------------------+------------------------------------------+
| -inputreader | Optional | For backwards-compatibility: specifies a record
| | | reader class (instead of an input format class)
*-------------+--------------------+------------------------------------------+
| -verbose | Optional | Verbose output
*-------------+--------------------+------------------------------------------+
| -lazyOutput | Optional | Create output lazily. For example, if the output
| | | format is based on FileOutputFormat, the output file
| | | is created only on the first call to Context.write
*-------------+--------------------+------------------------------------------+
| -numReduceTasks | Optional | Specify the number of reducers
*-------------+--------------------+------------------------------------------+
| -mapdebug | Optional | Script to call when map task fails
*-------------+--------------------+------------------------------------------+
| -reducedebug | Optional | Script to call when reduce task fails
*-------------+--------------------+------------------------------------------+
** Specifying a Java Class as the Mapper/Reducer
You can supply a Java class as the mapper and/or the reducer.
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-inputformat org.apache.hadoop.mapred.KeyValueTextInputFormat \
-mapper org.apache.hadoop.mapred.lib.IdentityMapper \
-reducer /usr/bin/wc
+---+
You can specify <<<stream.non.zero.exit.is.failure>>> as <<<true>>> or
<<<false>>> to make a streaming task that exits with a non-zero status to be
<<<Failure>>> or <<<Success>>> respectively. By default, streaming tasks
exiting with non-zero status are considered to be failed tasks.
** Packaging Files With Job Submissions
You can specify any executable as the mapper and/or the reducer. The
executables do not need to pre-exist on the machines in the cluster; however,
if they don't, you will need to use "-file" option to tell the framework to
pack your executable files as a part of job submission. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myPythonScript.py \
-reducer /usr/bin/wc \
-file myPythonScript.py
+---+
The above example specifies a user defined Python executable as the mapper.
The option "-file myPythonScript.py" causes the python executable shipped
to the cluster machines as a part of job submission.
In addition to executable files, you can also package other auxiliary files
(such as dictionaries, configuration files, etc) that may be used by the
mapper and/or the reducer. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myPythonScript.py \
-reducer /usr/bin/wc \
-file myPythonScript.py \
-file myDictionary.txt
+---+
** Specifying Other Plugins for Jobs
Just as with a normal Map/Reduce job, you can specify other plugins for a
streaming job:
+---+
-inputformat JavaClassName
-outputformat JavaClassName
-partitioner JavaClassName
-combiner streamingCommand or JavaClassName
+---+
The class you supply for the input format should return key/value pairs of
Text class. If you do not specify an input format class, the TextInputFormat
is used as the default. Since the TextInputFormat returns keys of
LongWritable class, which are actually not part of the input data, the keys
will be discarded; only the values will be piped to the streaming mapper.
The class you supply for the output format is expected to take key/value
pairs of Text class. If you do not specify an output format class, the
TextOutputFormat is used as the default.
** Setting Environment Variables
To set an environment variable in a streaming command use:
+---+
-cmdenv EXAMPLE_DIR=/home/example/dictionaries/
+---+
* Generic Command Options
Streaming supports {{{Streaming_Command_Options}streaming command options}}
as well as generic command options. The general command line syntax is shown
below.
<<Note:>> Be sure to place the generic options before the streaming options,
otherwise the command will fail. For an example, see
{{{Making_Archives_Available_to_Tasks}Making Archives Available to Tasks}}.
+---+
hadoop command [genericOptions] [streamingOptions]
+---+
The Hadoop generic command options you can use with streaming are listed
here:
*-------------*--------------------*------------------------------------------*
|| Parameter || Optional/Required || Description |
*-------------+--------------------+------------------------------------------+
| -conf configuration_file | Optional | Specify an application configuration
| | | file
*-------------+--------------------+------------------------------------------+
| -D property=value | Optional | Use value for given property
*-------------+--------------------+------------------------------------------+
| -fs host:port or local | Optional | Specify a namenode
*-------------+--------------------+------------------------------------------+
| -files | Optional | Specify comma-separated files to be copied to the
| | | Map/Reduce cluster
*-------------+--------------------+------------------------------------------+
| -libjars | Optional | Specify comma-separated jar files to include in the
| | | classpath
*-------------+--------------------+------------------------------------------+
| -archives | Optional | Specify comma-separated archives to be unarchived on
| | | the compute machines
*-------------+--------------------+------------------------------------------+
** Specifying Configuration Variables with the -D Option
You can specify additional configuration variables by using
"-D \<property\>=\<value\>".
*** Specifying Directories
To change the local temp directory use:
+---+
-D dfs.data.dir=/tmp
+---+
To specify additional local temp directories use:
+---+
-D mapred.local.dir=/tmp/local
-D mapred.system.dir=/tmp/system
-D mapred.temp.dir=/tmp/temp
+---+
<<Note:>> For more details on job configuration parameters see:
{{{./mapred-default.xml}mapred-default.xml}}
*** Specifying Map-Only Jobs
Often, you may want to process input data using a map function only. To do
this, simply set <<<mapreduce.job.reduces>>> to zero. The Map/Reduce
framework will not create any reducer tasks. Rather, the outputs of the
mapper tasks will be the final output of the job.
+---+
-D mapreduce.job.reduces=0
+---+
To be backward compatible, Hadoop Streaming also supports the "-reducer NONE"
option, which is equivalent to "-D mapreduce.job.reduces=0".
*** Specifying the Number of Reducers
To specify the number of reducers, for example two, use:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.reduces=2 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /usr/bin/wc
+---+
*** Customizing How Lines are Split into Key/Value Pairs
As noted earlier, when the Map/Reduce framework reads a line from the stdout
of the mapper, it splits the line into a key/value pair. By default, the
prefix of the line up to the first tab character is the key and the rest of
the line (excluding the tab character) is the value.
However, you can customize this default. You can specify a field separator
other than the tab character (the default), and you can specify the nth
(n >= 1) character rather than the first character in a line (the default) as
the separator between the key and value. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat
+---+
In the above example, "-D stream.map.output.field.separator=." specifies "."
as the field separator for the map outputs, and the prefix up to the fourth
"." in a line will be the key and the rest of the line (excluding the fourth
".") will be the value. If a line has less than four "."s, then the whole
line will be the key and the value will be an empty Text object (like the one
created by new Text("")).
Similarly, you can use "-D stream.reduce.output.field.separator=SEP" and
"-D stream.num.reduce.output.fields=NUM" to specify the nth field separator
in a line of the reduce outputs as the separator between the key and the
value.
Similarly, you can specify "stream.map.input.field.separator" and
"stream.reduce.input.field.separator" as the input separator for Map/Reduce
inputs. By default the separator is the tab character.
** Working with Large Files and Archives
The -files and -archives options allow you to make files and archives
available to the tasks. The argument is a URI to the file or archive that you
have already uploaded to HDFS. These files and archives are cached across
jobs. You can retrieve the host and fs_port values from the fs.default.name
config variable.
<<Note:>> The -files and -archives options are generic options. Be sure to
place the generic options before the command options, otherwise the command
will fail.
*** Making Files Available to Tasks
The -files option creates a symlink in the current working directory of the
tasks that points to the local copy of the file.
In this example, Hadoop automatically creates a symlink named testfile.txt in
the current working directory of the tasks. This symlink points to the local
copy of testfile.txt.
+---+
-files hdfs://host:fs_port/user/testfile.txt
+---+
User can specify a different symlink name for -files using #.
+---+
-files hdfs://host:fs_port/user/testfile.txt#testfile
+---+
Multiple entries can be specified like this:
+---+
-files hdfs://host:fs_port/user/testfile1.txt,hdfs://host:fs_port/user/testfile2.txt
+---+
*** Making Archives Available to Tasks
The -archives option allows you to copy jars locally to the current working
directory of tasks and automatically unjar the files.
In this example, Hadoop automatically creates a symlink named testfile.jar in
the current working directory of tasks. This symlink points to the directory
that stores the unjarred contents of the uploaded jar file.
+---+
-archives hdfs://host:fs_port/user/testfile.jar
+---+
User can specify a different symlink name for -archives using #.
+---+
-archives hdfs://host:fs_port/user/testfile.tgz#tgzdir
+---+
In this example, the input.txt file has two lines specifying the names of the
two files: cachedir.jar/cache.txt and cachedir.jar/cache2.txt. "cachedir.jar"
is a symlink to the archived directory, which has the files "cache.txt" and
"cache2.txt".
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-archives 'hdfs://hadoop-nn1.example.com/user/me/samples/cachefile/cachedir.jar' \
-D mapreduce.job.maps=1 \
-D mapreduce.job.reduces=1 \
-D mapreduce.job.name="Experiment" \
-input "/user/me/samples/cachefile/input.txt" \
-output "/user/me/samples/cachefile/out" \
-mapper "xargs cat" \
-reducer "cat"
$ ls test_jar/
cache.txt cache2.txt
$ jar cvf cachedir.jar -C test_jar/ .
added manifest
adding: cache.txt(in = 30) (out= 29)(deflated 3%)
adding: cache2.txt(in = 37) (out= 35)(deflated 5%)
$ hdfs dfs -put cachedir.jar samples/cachefile
$ hdfs dfs -cat /user/me/samples/cachefile/input.txt
cachedir.jar/cache.txt
cachedir.jar/cache2.txt
$ cat test_jar/cache.txt
This is just the cache string
$ cat test_jar/cache2.txt
This is just the second cache string
$ hdfs dfs -ls /user/me/samples/cachefile/out
Found 2 items
-rw-r--r-- 1 me supergroup 0 2013-11-14 17:00 /user/me/samples/cachefile/out/_SUCCESS
-rw-r--r-- 1 me supergroup 69 2013-11-14 17:00 /user/me/samples/cachefile/out/part-00000
$ hdfs dfs -cat /user/me/samples/cachefile/out/part-00000
This is just the cache string
This is just the second cache string
+---+
* More Usage Examples
** Hadoop Partitioner Class
Hadoop has a library class,
{{{../../api/org/apache/hadoop/mapred/lib/KeyFieldBasedPartitioner.html}
KeyFieldBasedPartitioner}}, that is useful for many applications. This class
allows the Map/Reduce framework to partition the map outputs based on certain
key fields, not the whole keys. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-D map.output.key.field.separator=. \
-D mapreduce.partition.keypartitioner.options=-k1,2 \
-D mapreduce.job.reduces=12 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat \
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
+---+
Here, <-D stream.map.output.field.separator=.> and
<-D stream.num.map.output.key.fields=4> are as explained in previous example.
The two variables are used by streaming to identify the key/value pair of
mapper.
The map output keys of the above Map/Reduce job normally have four fields
separated by ".". However, the Map/Reduce framework will partition the map
outputs by the first two fields of the keys using the
<-D mapred.text.key.partitioner.options=-k1,2> option. Here,
<-D map.output.key.field.separator=.> specifies the separator for the
partition. This guarantees that all the key/value pairs with the same first
two fields in the keys will be partitioned into the same reducer.
<This is effectively equivalent to specifying the first two fields as the
primary key and the next two fields as the secondary. The primary key is used
for partitioning, and the combination of the primary and secondary keys is
used for sorting.> A simple illustration is shown here:
Output of map (the keys)
+---+
11.12.1.2
11.14.2.3
11.11.4.1
11.12.1.1
11.14.2.2
+---+
Partition into 3 reducers (the first 2 fields are used as keys for partition)
+---+
11.11.4.1
-----------
11.12.1.2
11.12.1.1
-----------
11.14.2.3
11.14.2.2
+---+
Sorting within each partition for the reducer(all 4 fields used for sorting)
+---+
11.11.4.1
-----------
11.12.1.1
11.12.1.2
-----------
11.14.2.2
11.14.2.3
+---+
** Hadoop Comparator Class
Hadoop has a library class,
{{{../../api/org/apache/hadoop/mapreduce/lib/partition/KeyFieldBasedComparator.html}
KeyFieldBasedComparator}}, that is useful for many applications. This class
provides a subset of features provided by the Unix/GNU Sort. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.output.key.comparator.class=org.apache.hadoop.mapreduce.lib.partition.KeyFieldBasedComparator \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-D mapreduce.map.output.key.field.separator=. \
-D mapreduce.partition.keycomparator.options=-k2,2nr \
-D mapreduce.job.reduces=1 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat
+---+
The map output keys of the above Map/Reduce job normally have four fields
separated by ".". However, the Map/Reduce framework will sort the outputs by
the second field of the keys using the
<-D mapreduce.partition.keycomparator.options=-k2,2nr> option. Here, <-n>
specifies that the sorting is numerical sorting and <-r> specifies that the
result should be reversed. A simple illustration is shown below:
Output of map (the keys)
+---+
11.12.1.2
11.14.2.3
11.11.4.1
11.12.1.1
11.14.2.2
+---+
Sorting output for the reducer (where second field used for sorting)
+---+
11.14.2.3
11.14.2.2
11.12.1.2
11.12.1.1
11.11.4.1
+---+
** Hadoop Aggregate Package
Hadoop has a library package called
{{{../../org/apache/hadoop/mapred/lib/aggregate/package-summary.html}
Aggregate}}. Aggregate provides a special reducer class and a special
combiner class, and a list of simple aggregators that perform aggregations
such as "sum", "max", "min" and so on over a sequence of values. Aggregate
allows you to define a mapper plugin class that is expected to generate
"aggregatable items" for each input key/value pair of the mappers. The
combiner/reducer will aggregate those aggregatable items by invoking the
appropriate aggregators.
To use Aggregate, simply specify "-reducer aggregate":
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myAggregatorForKeyCount.py \
-reducer aggregate \
-file myAggregatorForKeyCount.py \
+---+
The python program myAggregatorForKeyCount.py looks like:
+---+
#!/usr/bin/python
import sys;
def generateLongCountToken(id):
return "LongValueSum:" + id + "\t" + "1"
def main(argv):
line = sys.stdin.readline();
try:
while line:
line = line&#91;:-1];
fields = line.split("\t");
print generateLongCountToken(fields&#91;0]);
line = sys.stdin.readline();
except "end of file":
return None
if __name__ == "__main__":
main(sys.argv)
+---+
** Hadoop Field Selection Class
Hadoop has a library class,
{{{../../api/org/apache/hadoop/mapred/lib/FieldSelectionMapReduce.html}
FieldSelectionMapReduce}}, that effectively allows you to process text data
like the unix "cut" utility. The map function defined in the class treats
each input key/value pair as a list of fields. You can specify the field
separator (the default is the tab character). You can select an arbitrary
list of fields as the map output key, and an arbitrary list of fields as the
map output value. Similarly, the reduce function defined in the class treats
each input key/value pair as a list of fields. You can select an arbitrary
list of fields as the reduce output key, and an arbitrary list of fields as
the reduce output value. For example:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.map.output.key.field.separator=. \
-D mapreduce.partition.keypartitioner.options=-k1,2 \
-D mapreduce.fieldsel.data.field.separator=. \
-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0- \
-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5- \
-D mapreduce.map.output.key.class=org.apache.hadoop.io.Text \
-D mapreduce.job.reduces=12 \
-input myInputDirs \
-output myOutputDir \
-mapper org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
-reducer org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
+---+
The option "-D
mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0-" specifies
key/value selection for the map outputs. Key selection spec and value
selection spec are separated by ":". In this case, the map output key will
consist of fields 6, 5, 1, 2, and 3. The map output value will consist of all
fields (0- means field 0 and all the subsequent fields).
The option "-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5-"
specifies key/value selection for the reduce outputs. In this case, the
reduce output key will consist of fields 0, 1, 2 (corresponding to the
original fields 6, 5, 1). The reduce output value will consist of all fields
starting from field 5 (corresponding to all the original fields).
* Frequently Asked Questions
** How do I use Hadoop Streaming to run an arbitrary set of (semi) independent
tasks?
Often you do not need the full power of Map Reduce, but only need to run
multiple instances of the same program - either on different parts of the
data, or on the same data, but with different parameters. You can use Hadoop
Streaming to do this.
** How do I process files, one per map?
As an example, consider the problem of zipping (compressing) a set of files
across the hadoop cluster. You can achieve this by using Hadoop Streaming
and custom mapper script:
* Generate a file containing the full HDFS path of the input files. Each map
task would get one file name as input.
* Create a mapper script which, given a filename, will get the file to local
disk, gzip the file and put it back in the desired output directory.
** How many reducers should I use?
See MapReduce Tutorial for details: {{{./MapReduceTutorial.html#Reducer}
Reducer}}
** If I set up an alias in my shell script, will that work after -mapper?
For example, say I do: alias c1='cut -f1'. Will -mapper "c1" work?
Using an alias will not work, but variable substitution is allowed as shown
in this example:
+---+
$ hdfs dfs -cat /user/me/samples/student_marks
alice 50
bruce 70
charlie 80
dan 75
$ c2='cut -f2'; hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.name='Experiment' \
-input /user/me/samples/student_marks \
-output /user/me/samples/student_out \
-mapper "$c2" -reducer 'cat'
$ hdfs dfs -cat /user/me/samples/student_out/part-00000
50
70
75
80
+---+
** Can I use UNIX pipes?
For example, will -mapper "cut -f1 | sed s/foo/bar/g" work?
Currently this does not work and gives an "java.io.IOException: Broken pipe"
error. This is probably a bug that needs to be investigated.
** What do I do if I get the "No space left on device" error?
For example, when I run a streaming job by distributing large executables
(for example, 3.6G) through the -file option, I get a "No space left on
device" error.
The jar packaging happens in a directory pointed to by the configuration
variable stream.tmpdir. The default value of stream.tmpdir is /tmp. Set the
value to a directory with more space:
+---+
-D stream.tmpdir=/export/bigspace/...
+---+
** How do I specify multiple input directories?
You can specify multiple input directories with multiple '-input' options:
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-input '/user/foo/dir1' -input '/user/foo/dir2' \
(rest of the command)
+---+
** How do I generate output files with gzip format?
Instead of plain text files, you can generate gzip files as your generated
output. Pass '-D mapreduce.output.fileoutputformat.compress=true -D
mapreduce.output.fileoutputformat.compress.codec=org.apache.hadoop.io.compress.GzipCodec'
as option to your streaming job.
** How do I provide my own input/output format with streaming?
You can specify your own custom class by packing them and putting the custom
jar to \$\{HADOOP_CLASSPATH\}.
** How do I parse XML documents using streaming?
You can use the record reader StreamXmlRecordReader to process XML documents.
+---+
hadoop jar hadoop-streaming-${project.version}.jar \
-inputreader "StreamXmlRecord,begin=BEGIN_STRING,end=END_STRING" \
(rest of the command)
+---+
Anything found between BEGIN_STRING and END_STRING would be treated as one
record for map tasks.
** How do I update counters in streaming applications?
A streaming process can use the stderr to emit counter information.
<<<reporter:counter:\<group\>,\<counter\>,\<amount\>>>> should be sent to
stderr to update the counter.
** How do I update status in streaming applications?
A streaming process can use the stderr to emit status information. To set a
status, <<<reporter:status:\<message\>>>> should be sent to stderr.
** How do I get the Job variables in a streaming job's mapper/reducer?
See {{{./MapReduceTutorial.html#Configured_Parameters}
Configured Parameters}}. During the execution of a streaming job, the names
of the "mapred" parameters are transformed. The dots ( . ) become underscores
( _ ). For example, mapreduce.job.id becomes mapreduce_job_id and
mapreduce.job.jar becomes mapreduce_job_jar. In your code, use the parameter
names with the underscores.
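Review bot: In the Hadoop Partitioner Class section of the apt text removed here, the command sets `-D mapreduce.partition.keypartitioner.options=-k1,2` and `-D map.output.key.field.separator=.`, but the explanation below it cites `-D mapred.text.key.partitioner.options=-k1,2`, and the Comparator and Field Selection examples spell the separator property `mapreduce.map.output.key.field.separator`. A straight format conversion will carry these mismatches into the markdown, so pick one name per property in the replacement file and use it in both the command and the prose. The same applies to the Aggregate example: the command ends with a dangling `\` after `-file myAggregatorForKeyCount.py`, and the Python sample contains the entity `&#91;` where `[` is meant, which needs decoding in the markdown code block. Also check `stream.num.reduce.output.fields` against `stream.num.map.output.key.fields`, since the text presents them as parallel settings but they are named differently.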

View File

@ -0,0 +1,559 @@
%<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
#set ( $H3 = '###' )
#set ( $H4 = '####' )
#set ( $H5 = '#####' )
Hadoop Streaming
================
* [Hadoop Streaming](#Hadoop_Streaming)
* [Hadoop Streaming](#Hadoop_Streaming)
* [How Streaming Works](#How_Streaming_Works)
* [Streaming Command Options](#Streaming_Command_Options)
* [Specifying a Java Class as the Mapper/Reducer](#Specifying_a_Java_Class_as_the_MapperReducer)
* [Packaging Files With Job Submissions](#Packaging_Files_With_Job_Submissions)
* [Specifying Other Plugins for Jobs](#Specifying_Other_Plugins_for_Jobs)
* [Setting Environment Variables](#Setting_Environment_Variables)
* [Generic Command Options](#Generic_Command_Options)
* [Specifying Configuration Variables with the -D Option](#Specifying_Configuration_Variables_with_the_-D_Option)
* [Specifying Directories](#Specifying_Directories)
* [Specifying Map-Only Jobs](#Specifying_Map-Only_Jobs)
* [Specifying the Number of Reducers](#Specifying_the_Number_of_Reducers)
* [Customizing How Lines are Split into Key/Value Pairs](#Customizing_How_Lines_are_Split_into_KeyValue_Pairs)
* [Working with Large Files and Archives](#Working_with_Large_Files_and_Archives)
* [Making Files Available to Tasks](#Making_Files_Available_to_Tasks)
* [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks)
* [More Usage Examples](#More_Usage_Examples)
* [Hadoop Partitioner Class](#Hadoop_Partitioner_Class)
* [Hadoop Comparator Class](#Hadoop_Comparator_Class)
* [Hadoop Aggregate Package](#Hadoop_Aggregate_Package)
* [Hadoop Field Selection Class](#Hadoop_Field_Selection_Class)
* [Frequently Asked Questions](#Frequently_Asked_Questions)
* [How do I use Hadoop Streaming to run an arbitrary set of (semi) independent tasks?](#How_do_I_use_Hadoop_Streaming_to_run_an_arbitrary_set_of_semi_independent_tasks)
* [How do I process files, one per map?](#How_do_I_process_files_one_per_map)
* [How many reducers should I use?](#How_many_reducers_should_I_use)
* [If I set up an alias in my shell script, will that work after -mapper?](#If_I_set_up_an_alias_in_my_shell_script_will_that_work_after_-mapper)
* [Can I use UNIX pipes?](#Can_I_use_UNIX_pipes)
* [What do I do if I get the "No space left on device" error?](#What_do_I_do_if_I_get_the_No_space_left_on_device_error)
* [How do I specify multiple input directories?](#How_do_I_specify_multiple_input_directories)
* [How do I generate output files with gzip format?](#How_do_I_generate_output_files_with_gzip_format)
* [How do I provide my own input/output format with streaming?](#How_do_I_provide_my_own_inputoutput_format_with_streaming)
* [How do I parse XML documents using streaming?](#How_do_I_parse_XML_documents_using_streaming)
* [How do I update counters in streaming applications?](#How_do_I_update_counters_in_streaming_applications)
* [How do I update status in streaming applications?](#How_do_I_update_status_in_streaming_applications)
* [How do I get the Job variables in a streaming job's mapper/reducer?](#How_do_I_get_the_Job_variables_in_a_streaming_jobs_mapperreducer)
Hadoop Streaming
----------------
Hadoop streaming is a utility that comes with the Hadoop distribution. The utility allows you to create and run Map/Reduce jobs with any executable or script as the mapper and/or the reducer. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /usr/bin/wc
How Streaming Works
-------------------
In the above example, both the mapper and the reducer are executables that read the input from stdin (line by line) and emit the output to stdout. The utility will create a Map/Reduce job, submit the job to an appropriate cluster, and monitor the progress of the job until it completes.
When an executable is specified for mappers, each mapper task will launch the executable as a separate process when the mapper is initialized. As the mapper task runs, it converts its inputs into lines and feed the lines to the stdin of the process. In the meantime, the mapper collects the line oriented outputs from the stdout of the process and converts each line into a key/value pair, which is collected as the output of the mapper. By default, the *prefix of a line up to the first tab character* is the `key` and the rest of the line (excluding the tab character) will be the `value`. If there is no tab character in the line, then entire line is considered as key and the value is null. However, this can be customized by setting `-inputformat` command option, as discussed later.
When an executable is specified for reducers, each reducer task will launch the executable as a separate process then the reducer is initialized. As the reducer task runs, it converts its input key/values pairs into lines and feeds the lines to the stdin of the process. In the meantime, the reducer collects the line oriented outputs from the stdout of the process, converts each line into a key/value pair, which is collected as the output of the reducer. By default, the prefix of a line up to the first tab character is the key and the rest of the line (excluding the tab character) is the value. However, this can be customized by setting `-outputformat` command option, as discussed later.
This is the basis for the communication protocol between the Map/Reduce framework and the streaming mapper/reducer.
User can specify `stream.non.zero.exit.is.failure` as `true` or `false` to make a streaming task that exits with a non-zero status to be `Failure` or `Success` respectively. By default, streaming tasks exiting with non-zero status are considered to be failed tasks.
Streaming Command Options
-------------------------
Streaming supports streaming command options as well as [generic command options](#Generic_Command_Options). The general command line syntax is shown below.
**Note:** Be sure to place the generic options before the streaming options, otherwise the command will fail. For an example, see [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks).
hadoop command [genericOptions] [streamingOptions]
The Hadoop streaming command options are listed here:
| Parameter | Optional/Required | Description |
|:---- |:---- |:---- |
| -input directoryname or filename | Required | Input location for mapper |
| -output directoryname | Required | Output location for reducer |
| -mapper executable or JavaClassName | Required | Mapper executable |
| -reducer executable or JavaClassName | Required | Reducer executable |
| -file filename | Optional | Make the mapper, reducer, or combiner executable available locally on the compute nodes |
| -inputformat JavaClassName | Optional | Class you supply should return key/value pairs of Text class. If not specified, TextInputFormat is used as the default |
| -outputformat JavaClassName | Optional | Class you supply should take key/value pairs of Text class. If not specified, TextOutputformat is used as the default |
| -partitioner JavaClassName | Optional | Class that determines which reduce a key is sent to |
| -combiner streamingCommand or JavaClassName | Optional | Combiner executable for map output |
| -cmdenv name=value | Optional | Pass environment variable to streaming commands |
| -inputreader | Optional | For backwards-compatibility: specifies a record reader class (instead of an input format class) |
| -verbose | Optional | Verbose output |
| -lazyOutput | Optional | Create output lazily. For example, if the output format is based on FileOutputFormat, the output file is created only on the first call to Context.write |
| -numReduceTasks | Optional | Specify the number of reducers |
| -mapdebug | Optional | Script to call when map task fails |
| -reducedebug | Optional | Script to call when reduce task fails |
$H3 Specifying a Java Class as the Mapper/Reducer
You can supply a Java class as the mapper and/or the reducer.
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-inputformat org.apache.hadoop.mapred.KeyValueTextInputFormat \
-mapper org.apache.hadoop.mapred.lib.IdentityMapper \
-reducer /usr/bin/wc
You can specify `stream.non.zero.exit.is.failure` as `true` or `false` to make a streaming task that exits with a non-zero status to be `Failure` or `Success` respectively. By default, streaming tasks exiting with non-zero status are considered to be failed tasks.
$H3 Packaging Files With Job Submissions
You can specify any executable as the mapper and/or the reducer. The executables do not need to pre-exist on the machines in the cluster; however, if they don't, you will need to use "-file" option to tell the framework to pack your executable files as a part of job submission. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myPythonScript.py \
-reducer /usr/bin/wc \
-file myPythonScript.py
The above example specifies a user defined Python executable as the mapper. The option "-file myPythonScript.py" causes the python executable shipped to the cluster machines as a part of job submission.
In addition to executable files, you can also package other auxiliary files (such as dictionaries, configuration files, etc) that may be used by the mapper and/or the reducer. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myPythonScript.py \
-reducer /usr/bin/wc \
-file myPythonScript.py \
-file myDictionary.txt
$H3 Specifying Other Plugins for Jobs
Just as with a normal Map/Reduce job, you can specify other plugins for a streaming job:
-inputformat JavaClassName
-outputformat JavaClassName
-partitioner JavaClassName
-combiner streamingCommand or JavaClassName
The class you supply for the input format should return key/value pairs of Text class. If you do not specify an input format class, the TextInputFormat is used as the default. Since the TextInputFormat returns keys of LongWritable class, which are actually not part of the input data, the keys will be discarded; only the values will be piped to the streaming mapper.
The class you supply for the output format is expected to take key/value pairs of Text class. If you do not specify an output format class, the TextOutputFormat is used as the default.
$H3 Setting Environment Variables
To set an environment variable in a streaming command use:
-cmdenv EXAMPLE_DIR=/home/example/dictionaries/
Generic Command Options
-----------------------
Streaming supports [streaming command options](#Streaming_Command_Options) as well as generic command options. The general command line syntax is shown below.
**Note:** Be sure to place the generic options before the streaming options, otherwise the command will fail. For an example, see [Making Archives Available to Tasks](#Making_Archives_Available_to_Tasks).
hadoop command [genericOptions] [streamingOptions]
The Hadoop generic command options you can use with streaming are listed here:
| Parameter | Optional/Required | Description |
|:---- |:---- |:---- |
| -conf configuration\_file | Optional | Specify an application configuration file |
| -D property=value | Optional | Use value for given property |
| -fs host:port or local | Optional | Specify a namenode |
| -files | Optional | Specify comma-separated files to be copied to the Map/Reduce cluster |
| -libjars | Optional | Specify comma-separated jar files to include in the classpath |
| -archives | Optional | Specify comma-separated archives to be unarchived on the compute machines |
$H3 Specifying Configuration Variables with the -D Option
You can specify additional configuration variables by using "-D \<property\>=\<value\>".
$H4 Specifying Directories
To change the local temp directory use:
-D dfs.data.dir=/tmp
To specify additional local temp directories use:
-D mapred.local.dir=/tmp/local
-D mapred.system.dir=/tmp/system
-D mapred.temp.dir=/tmp/temp
**Note:** For more details on job configuration parameters see: [mapred-default.xml](./mapred-default.xml)
$H4 Specifying Map-Only Jobs
Often, you may want to process input data using a map function only. To do this, simply set `mapreduce.job.reduces` to zero. The Map/Reduce framework will not create any reducer tasks. Rather, the outputs of the mapper tasks will be the final output of the job.
-D mapreduce.job.reduces=0
To be backward compatible, Hadoop Streaming also supports the "-reducer NONE" option, which is equivalent to "-D mapreduce.job.reduces=0".
$H4 Specifying the Number of Reducers
To specify the number of reducers, for example two, use:
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.reduces=2 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /usr/bin/wc
$H4 Customizing How Lines are Split into Key/Value Pairs
As noted earlier, when the Map/Reduce framework reads a line from the stdout of the mapper, it splits the line into a key/value pair. By default, the prefix of the line up to the first tab character is the key and the rest of the line (excluding the tab character) is the value.
However, you can customize this default. You can specify a field separator other than the tab character (the default), and you can specify the nth (n \>= 1) character rather than the first character in a line (the default) as the separator between the key and value. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat
In the above example, "-D stream.map.output.field.separator=." specifies "." as the field separator for the map outputs, and the prefix up to the fourth "." in a line will be the key and the rest of the line (excluding the fourth ".") will be the value. If a line has less than four "."s, then the whole line will be the key and the value will be an empty Text object (like the one created by new Text("")).
Similarly, you can use "-D stream.reduce.output.field.separator=SEP" and "-D stream.num.reduce.output.fields=NUM" to specify the nth field separator in a line of the reduce outputs as the separator between the key and the value.
Similarly, you can specify "stream.map.input.field.separator" and "stream.reduce.input.field.separator" as the input separator for Map/Reduce inputs. By default the separator is the tab character.
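Review bot: The sentence that introduces the separator options says you can specify "the nth (n >= 1) character rather than the first character in a line" as the key/value separator, but the example and the explanation after it describe the nth occurrence of the field separator (the prefix up to the fourth "."). Suggest rewording to "the nth occurrence of the separator". Separately, the reduce-side option is written as stream.num.reduce.output.fields while the map-side one is stream.num.map.output.key.fields; please confirm the reduce-side name against the streaming source before this is published.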
$H3 Working with Large Files and Archives
The -files and -archives options allow you to make files and archives available to the tasks. The argument is a URI to the file or archive that you have already uploaded to HDFS. These files and archives are cached across jobs. You can retrieve the host and fs\_port values from the fs.default.name config variable.
**Note:** The -files and -archives options are generic options. Be sure to place the generic options before the command options, otherwise the command will fail.
$H4 Making Files Available to Tasks
The -files option creates a symlink in the current working directory of the tasks that points to the local copy of the file.
In this example, Hadoop automatically creates a symlink named testfile.txt in the current working directory of the tasks. This symlink points to the local copy of testfile.txt.
-files hdfs://host:fs_port/user/testfile.txt
User can specify a different symlink name for -files using \#.
-files hdfs://host:fs_port/user/testfile.txt#testfile
Multiple entries can be specified like this:
-files hdfs://host:fs_port/user/testfile1.txt,hdfs://host:fs_port/user/testfile2.txt
$H4 Making Archives Available to Tasks
The -archives option allows you to copy jars locally to the current working directory of tasks and automatically unjar the files.
In this example, Hadoop automatically creates a symlink named testfile.jar in the current working directory of tasks. This symlink points to the directory that stores the unjarred contents of the uploaded jar file.
-archives hdfs://host:fs_port/user/testfile.jar
User can specify a different symlink name for -archives using \#.
-archives hdfs://host:fs_port/user/testfile.tgz#tgzdir
In this example, the input.txt file has two lines specifying the names of the two files: cachedir.jar/cache.txt and cachedir.jar/cache2.txt. "cachedir.jar" is a symlink to the archived directory, which has the files "cache.txt" and "cache2.txt".
hadoop jar hadoop-streaming-${project.version}.jar \
-archives 'hdfs://hadoop-nn1.example.com/user/me/samples/cachefile/cachedir.jar' \
-D mapreduce.job.maps=1 \
-D mapreduce.job.reduces=1 \
-D mapreduce.job.name="Experiment" \
-input "/user/me/samples/cachefile/input.txt" \
-output "/user/me/samples/cachefile/out" \
-mapper "xargs cat" \
-reducer "cat"
$ ls test_jar/
cache.txt cache2.txt
$ jar cvf cachedir.jar -C test_jar/ .
added manifest
adding: cache.txt(in = 30) (out= 29)(deflated 3%)
adding: cache2.txt(in = 37) (out= 35)(deflated 5%)
$ hdfs dfs -put cachedir.jar samples/cachefile
$ hdfs dfs -cat /user/me/samples/cachefile/input.txt
cachedir.jar/cache.txt
cachedir.jar/cache2.txt
$ cat test_jar/cache.txt
This is just the cache string
$ cat test_jar/cache2.txt
This is just the second cache string
$ hdfs dfs -ls /user/me/samples/cachefile/out
Found 2 items
-rw-r--r-* 1 me supergroup 0 2013-11-14 17:00 /user/me/samples/cachefile/out/_SUCCESS
-rw-r--r-* 1 me supergroup 69 2013-11-14 17:00 /user/me/samples/cachefile/out/part-00000
$ hdfs dfs -cat /user/me/samples/cachefile/out/part-00000
This is just the cache string
This is just the second cache string
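Review bot: In the "hdfs dfs -ls /user/me/samples/cachefile/out" listing, the mode column reads "-rw-r--r-*" on both lines, which is not a valid permission string and looks like a leftover from the apt escaping; please restore it from the original listing. The transcript would also be easier to follow if the "jar cvf" and "hdfs dfs -put" setup steps came before the "hadoop jar" command that consumes cachedir.jar.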
More Usage Examples
-------------------
$H3 Hadoop Partitioner Class
Hadoop has a library class, [KeyFieldBasedPartitioner](../../api/org/apache/hadoop/mapred/lib/KeyFieldBasedPartitioner.html), that is useful for many applications. This class allows the Map/Reduce framework to partition the map outputs based on certain key fields, not the whole keys. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-D map.output.key.field.separator=. \
-D mapreduce.partition.keypartitioner.options=-k1,2 \
-D mapreduce.job.reduces=12 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat \
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
Here, *-D stream.map.output.field.separator=.* and *-D stream.num.map.output.key.fields=4* are as explained in previous example. The two variables are used by streaming to identify the key/value pair of mapper.
The map output keys of the above Map/Reduce job normally have four fields separated by ".". However, the Map/Reduce framework will partition the map outputs by the first two fields of the keys using the *-D mapred.text.key.partitioner.options=-k1,2* option. Here, *-D map.output.key.field.separator=.* specifies the separator for the partition. This guarantees that all the key/value pairs with the same first two fields in the keys will be partitioned into the same reducer.
*This is effectively equivalent to specifying the first two fields as the primary key and the next two fields as the secondary. The primary key is used for partitioning, and the combination of the primary and secondary keys is used for sorting.* A simple illustration is shown here:
Output of map (the keys)
11.12.1.2
11.14.2.3
11.11.4.1
11.12.1.1
11.14.2.2
Partition into 3 reducers (the first 2 fields are used as keys for partition)
11.11.4.1
-----------
11.12.1.2
11.12.1.1
-----------
11.14.2.3
11.14.2.2
Sorting within each partition for the reducer(all 4 fields used for sorting)
11.11.4.1
-----------
11.12.1.1
11.12.1.2
-----------
11.14.2.2
11.14.2.3
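Review bot: The explanatory paragraph refers to "-D mapred.text.key.partitioner.options=-k1,2", but the command above it passes "-D mapreduce.partition.keypartitioner.options=-k1,2", so the text and the example name two different properties. Please make the prose match the command. The command also uses "map.output.key.field.separator" while the Comparator and Field Selection examples use "mapreduce.map.output.key.field.separator"; pick one spelling and use it in all three sections.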
$H3 Hadoop Comparator Class
Hadoop has a library class, [KeyFieldBasedComparator](../../api/org/apache/hadoop/mapreduce/lib/partition/KeyFieldBasedComparator.html), that is useful for many applications. This class provides a subset of features provided by the Unix/GNU Sort. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.output.key.comparator.class=org.apache.hadoop.mapreduce.lib.partition.KeyFieldBasedComparator \
-D stream.map.output.field.separator=. \
-D stream.num.map.output.key.fields=4 \
-D mapreduce.map.output.key.field.separator=. \
-D mapreduce.partition.keycomparator.options=-k2,2nr \
-D mapreduce.job.reduces=1 \
-input myInputDirs \
-output myOutputDir \
-mapper /bin/cat \
-reducer /bin/cat
The map output keys of the above Map/Reduce job normally have four fields separated by ".". However, the Map/Reduce framework will sort the outputs by the second field of the keys using the *-D mapreduce.partition.keycomparator.options=-k2,2nr* option. Here, *-n* specifies that the sorting is numerical sorting and *-r* specifies that the result should be reversed. A simple illustration is shown below:
Output of map (the keys)
11.12.1.2
11.14.2.3
11.11.4.1
11.12.1.1
11.14.2.2
Sorting output for the reducer (where second field used for sorting)
11.14.2.3
11.14.2.2
11.12.1.2
11.12.1.1
11.11.4.1
$H3 Hadoop Aggregate Package
Hadoop has a library package called [Aggregate](../../org/apache/hadoop/mapred/lib/aggregate/package-summary.html). Aggregate provides a special reducer class and a special combiner class, and a list of simple aggregators that perform aggregations such as "sum", "max", "min" and so on over a sequence of values. Aggregate allows you to define a mapper plugin class that is expected to generate "aggregatable items" for each input key/value pair of the mappers. The combiner/reducer will aggregate those aggregatable items by invoking the appropriate aggregators.
To use Aggregate, simply specify "-reducer aggregate":
hadoop jar hadoop-streaming-${project.version}.jar \
-input myInputDirs \
-output myOutputDir \
-mapper myAggregatorForKeyCount.py \
-reducer aggregate \
-file myAggregatorForKeyCount.py \
The python program myAggregatorForKeyCount.py looks like:
#!/usr/bin/python
import sys;
def generateLongCountToken(id):
return "LongValueSum:" + id + "\t" + "1"
def main(argv):
line = sys.stdin.readline();
try:
while line:
line = line&#91;:-1];
fields = line.split("\t");
print generateLongCountToken(fields&#91;0]);
line = sys.stdin.readline();
except "end of file":
return None
if __name__ == "__main__":
main(sys.argv)
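Review bot: The command ends with "-file myAggregatorForKeyCount.py \", a line continuation with nothing after it, so a reader who pastes it will have the shell join the next line onto the command; drop the trailing backslash. In the Python listing, "line&#91;:-1]" and "fields&#91;0]" carry an HTML entity in place of "[", so please check that the rendered code block shows a bracket and not the literal entity. The Aggregate link (../../org/apache/hadoop/mapred/lib/aggregate/package-summary.html) also lacks the "api/" segment that the KeyFieldBasedPartitioner and FieldSelectionMapReduce links use.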
$H3 Hadoop Field Selection Class
Hadoop has a library class, [FieldSelectionMapReduce](../../api/org/apache/hadoop/mapred/lib/FieldSelectionMapReduce.html), that effectively allows you to process text data like the unix "cut" utility. The map function defined in the class treats each input key/value pair as a list of fields. You can specify the field separator (the default is the tab character). You can select an arbitrary list of fields as the map output key, and an arbitrary list of fields as the map output value. Similarly, the reduce function defined in the class treats each input key/value pair as a list of fields. You can select an arbitrary list of fields as the reduce output key, and an arbitrary list of fields as the reduce output value. For example:
hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.map.output.key.field.separator=. \
-D mapreduce.partition.keypartitioner.options=-k1,2 \
-D mapreduce.fieldsel.data.field.separator=. \
-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0- \
-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5- \
-D mapreduce.map.output.key.class=org.apache.hadoop.io.Text \
-D mapreduce.job.reduces=12 \
-input myInputDirs \
-output myOutputDir \
-mapper org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
-reducer org.apache.hadoop.mapred.lib.FieldSelectionMapReduce \
-partitioner org.apache.hadoop.mapred.lib.KeyFieldBasedPartitioner
The option "-D mapreduce.fieldsel.map.output.key.value.fields.spec=6,5,1-3:0-" specifies key/value selection for the map outputs. Key selection spec and value selection spec are separated by ":". In this case, the map output key will consist of fields 6, 5, 1, 2, and 3. The map output value will consist of all fields (0- means field 0 and all the subsequent fields).
The option "-D mapreduce.fieldsel.reduce.output.key.value.fields.spec=0-2:5-" specifies key/value selection for the reduce outputs. In this case, the reduce output key will consist of fields 0, 1, 2 (corresponding to the original fields 6, 5, 1). The reduce output value will consist of all fields starting from field 5 (corresponding to all the original fields).
Frequently Asked Questions
--------------------------
$H3 How do I use Hadoop Streaming to run an arbitrary set of (semi) independent tasks?
Often you do not need the full power of Map Reduce, but only need to run multiple instances of the same program - either on different parts of the data, or on the same data, but with different parameters. You can use Hadoop Streaming to do this.
$H3 How do I process files, one per map?
As an example, consider the problem of zipping (compressing) a set of files across the hadoop cluster. You can achieve this by using Hadoop Streaming and custom mapper script:
* Generate a file containing the full HDFS path of the input files. Each map
task would get one file name as input.
* Create a mapper script which, given a filename, will get the file to local
disk, gzip the file and put it back in the desired output directory.
$H3 How many reducers should I use?
See MapReduce Tutorial for details: [Reducer](./MapReduceTutorial.html#Reducer)
$H3 If I set up an alias in my shell script, will that work after -mapper?
For example, say I do: alias c1='cut -f1'. Will -mapper "c1" work?
Using an alias will not work, but variable substitution is allowed as shown in this example:
$ hdfs dfs -cat /user/me/samples/student_marks
alice 50
bruce 70
charlie 80
dan 75
$ c2='cut -f2'; hadoop jar hadoop-streaming-${project.version}.jar \
-D mapreduce.job.name='Experiment' \
-input /user/me/samples/student_marks \
-output /user/me/samples/student_out \
-mapper "$c2" -reducer 'cat'
$ hdfs dfs -cat /user/me/samples/student_out/part-00000
50
70
75
80
$H3 Can I use UNIX pipes?
For example, will -mapper "cut -f1 | sed s/foo/bar/g" work?
Currently this does not work and gives an "java.io.IOException: Broken pipe" error. This is probably a bug that needs to be investigated.
$H3 What do I do if I get the "No space left on device" error?
For example, when I run a streaming job by distributing large executables (for example, 3.6G) through the -file option, I get a "No space left on device" error.
The jar packaging happens in a directory pointed to by the configuration variable stream.tmpdir. The default value of stream.tmpdir is /tmp. Set the value to a directory with more space:
-D stream.tmpdir=/export/bigspace/...
$H3 How do I specify multiple input directories?
You can specify multiple input directories with multiple '-input' options:
hadoop jar hadoop-streaming-${project.version}.jar \
-input '/user/foo/dir1' -input '/user/foo/dir2' \
(rest of the command)
$H3 How do I generate output files with gzip format?
Instead of plain text files, you can generate gzip files as your generated output. Pass '-D mapreduce.output.fileoutputformat.compress=true -D mapreduce.output.fileoutputformat.compress.codec=org.apache.hadoop.io.compress.GzipCodec' as option to your streaming job.
$H3 How do I provide my own input/output format with streaming?
You can specify your own custom class by packing them and putting the custom jar to `$HADOOP_CLASSPATH`.
$H3 How do I parse XML documents using streaming?
You can use the record reader StreamXmlRecordReader to process XML documents.
hadoop jar hadoop-streaming-${project.version}.jar \
-inputreader "StreamXmlRecord,begin=BEGIN_STRING,end=END_STRING" \
(rest of the command)
Anything found between BEGIN\_STRING and END\_STRING would be treated as one record for map tasks.
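Review bot: The prose names the record reader as StreamXmlRecordReader, but the command passes "StreamXmlRecord,begin=BEGIN_STRING,end=END_STRING" to -inputreader. Either state that the short name is what -inputreader expects, or make the two agree, so a reader does not have to guess which string to type.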
$H3 How do I update counters in streaming applications?
A streaming process can use the stderr to emit counter information. `reporter:counter:<group>,<counter>,<amount>` should be sent to stderr to update the counter.
$H3 How do I update status in streaming applications?
A streaming process can use the stderr to emit status information. To set a status, `reporter:status:<message>` should be sent to stderr.
$H3 How do I get the Job variables in a streaming job's mapper/reducer?
See [Configured Parameters](./MapReduceTutorial.html#Configured_Parameters). During the execution of a streaming job, the names of the "mapred" parameters are transformed. The dots ( . ) become underscores ( \_ ). For example, mapreduce.job.id becomes mapreduce\_job\_id and mapreduce.job.jar becomes mapreduce\_job\_jar. In your code, use the parameter names with the underscores.
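Review bot: The last paragraph says the names of the "mapred" parameters are transformed, but both examples it gives (mapreduce.job.id, mapreduce.job.jar) use the mapreduce prefix. Suggest changing "mapred" to match the examples, or saying explicitly that the dot-to-underscore rule applies to both prefixes.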