


Spark Hadoop EMR Cross Realm Access HBase & Kafka

 

  • We had an on-premise Hadoop cluster (CDP) which included Kafka, HBase, HDFS, Spark, YARN, etc.
  • We planned to migrate our Big Data jobs and data to AWS EMR while keeping Kafka on the on-premise CDP cluster.
  • After spawning EMR on AWS, we tried running a Spark job connecting to Kafka on the on-premise cluster.
    • We did set up all VPC connections and opened the firewall ports between the two clusters.
    • But since EMR and CDP (on-premise) had different KDC servers and principals, connecting to Kafka (on-premise) from EMR kept failing for us.
    • Note, one can set the following JVM property to see Kerberos debug logs -
      • -Dsun.security.krb5.debug=true
The two easiest options for us were -
  • Set up a cross-realm Kerberos trust, such that the EMR principal is trusted by the on-premise KDC server and can use the Kafka service. Refer - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_trusts
  • Set up cross-realm trust using the same AD accounts and domain. Refer - https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos-cross-realm.html
But our security team did not agree to the above options, which would have made developers' lives a lot easier.

So we copied the on-premise keytab onto EMR and used it to authenticate with the Kafka service. We don't recommend doing this, but we had no other option. The steps are described below.
  • Update krb5.conf so that it is aware of both clusters' domains, KDC servers, etc. -

[libdefaults]
    default_realm = EMR.LOCAL
    dns_lookup_realm = false
    udp_preference_limit = 1
    dns_lookup_kdc = false
    rdns = true
    ticket_lifetime = 24h
    forwardable = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1

[realms]
    EMR.LOCAL = {
        kdc = ip-90-110-43-74.ec2.internal:88
        admin_server = ip-90-110-43-74.ec2.internal:749
        default_domain = ec2.internal
    }

    CDP.INPREMISE.COM = {
        kdc = cdp42.cdp.inpremise.com:88
        master_kdc = cdp42.cdp.inpremise.com:88
        kpasswd = cdp42.cdp.inpremise.com:464
        kpasswd_server = cdp42.cdp.inpremise.com:464
    }

[domain_realm]
    .ec2.internal = EMR.LOCAL
    ec2.internal = EMR.LOCAL
    cdp42.cdp.inpremise.com = CDP.INPREMISE.COM
    .cdp.inpremise.com = CDP.INPREMISE.COM

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log


Note - details of the krb5.conf sections, in particular [domain_realm], can be found here https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#domain-realm


  • Then we wrote jaas.conf as below -
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=false
  principal="inpremiseaccount@CDP.INPREMISE.COM"
  useKeyTab=true
  serviceName="kafka"
  keyTab="inpremiseaccount.keytab"
  renewTicket=true
  storeKey=true
  client=true;
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  doNotPrompt=true
  useTicketCache=false
  serviceName="hbase"
  keyTab="awsemraccount.keytab"
  principal="awsemraccount@EMR.LOCAL"
  storeKey=true
  client=true;
};

Note that -
  1. KafkaClient holds the configuration to connect to the on-premise Kafka cluster running on CDP.
  2. Client, on the other hand, holds the configuration to connect to the EMR HBase service.
  3. Our target is to run a Spark job on EMR which reads data from the other cluster's Kafka and saves data to EMR HBase.
Once the above was done, our Spark command looked like below -

INPREMISEACCOUNT_KEYTAB_PATH=<My_path>/inpremiseaccount.keytab
JAAS_PATH=<My_path>/jaas.conf
TRUSTSTORE_PATH=<My_path>/truststore.jks
KRB5_PATH=<My_path>/krb5.conf
EMRACCOUNT_KEYTAB_PATH=<My_path>/awsemraccount.keytab

# $mylib holds the application jars (comma-separated). Everything passed via --files is
# shipped to each executor's working directory, which is why jaas.conf, krb5.conf and the
# keytabs they reference can be given by bare file name in the executor JVM options.
# The driver runs locally in yarn client mode, so its relative paths resolve against the
# current directory: launch spark-shell from <My_path>.
spark-shell --master yarn \
  --num-executors 2 \
  --conf "spark.dynamicAllocation.enabled=false" \
  --conf "spark.shuffle.service.enabled=false" \
  --jars "$mylib" \
  --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.conf" \
  --driver-java-options "-Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.conf" \
  --files "$INPREMISEACCOUNT_KEYTAB_PATH,$JAAS_PATH,$TRUSTSTORE_PATH,$KRB5_PATH" \
  --conf "spark.yarn.keytab=$EMRACCOUNT_KEYTAB_PATH" \
  --conf "spark.yarn.principal=awsemraccount@EMR.LOCAL"
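As an added example (this is not code from the original post), here is a preflight check in Python that parses a krb5.conf and a jaas.conf of the shape shown above and reports mismatches before the Spark job is submitted: a JAAS principal whose realm has no [realms] entry or no kdc, a [domain_realm] mapping that points at an undeclared realm, and a keytab referenced by a login context that was not staged alongside the configs. The sample configuration strings and the temporary keytab directory are constructed for the example; the parsers handle only the simple INI-with-braces form used on this page, not every krb5.conf feature (such as include directives).

```python
"""Preflight check for a two-realm Kerberos client setup (added example).

Parses krb5.conf and jaas.conf and verifies that every JAAS principal's realm is
declared in [realms] with a kdc, that each [domain_realm] mapping names a declared
realm, and that the keytab referenced by each login context is present.
"""
import os
import re
import tempfile

# Constructed sample inputs modelled on the post's configuration (placeholder values).
KRB5_CONF = """\
[libdefaults]
    default_realm = EMR.LOCAL
    dns_lookup_kdc = false

[realms]
    EMR.LOCAL = {
        kdc = ip-90-110-43-74.ec2.internal:88
        admin_server = ip-90-110-43-74.ec2.internal:749
    }
    CDP.INPREMISE.COM = {
        kdc = cdp42.cdp.inpremise.com:88
    }

[domain_realm]
    .ec2.internal = EMR.LOCAL
    .cdp.inpremise.com = CDP.INPREMISE.COM
"""

JAAS_CONF = """\
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  principal="inpremiseaccount@CDP.INPREMISE.COM"
  keyTab="inpremiseaccount.keytab"
  serviceName="kafka";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  principal="awsemraccount@EMR.LOCAL"
  keyTab="awsemraccount.keytab"
  serviceName="hbase";
};
"""


def parse_krb5(text):
    """Return {section: {...}}; the [realms] section becomes {REALM: {key: value}}."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                       # start of a `REALM = {` block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target[key] = value
    return conf


def parse_jaas(text):
    """Return {context_name: {option: value}} for each `Name { ... };` login context."""
    contexts = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\}\s*;", text, re.S):
        contexts[name] = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
    return contexts


def check_setup(krb5_text, jaas_text, keytab_dir):
    """Return a list of human-readable problems; an empty list means the check passed."""
    krb5 = parse_krb5(krb5_text)
    realms = krb5.get("realms", {})
    problems = []
    for host, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] {host} maps to undeclared realm {realm}")
    for ctx, opts in parse_jaas(jaas_text).items():
        principal = opts.get("principal", "")
        if "@" not in principal:
            problems.append(f"{ctx}: principal missing or has no realm: {principal!r}")
            continue
        realm = principal.split("@", 1)[1]
        if realm not in realms:
            problems.append(f"{ctx}: realm {realm} not declared in krb5.conf [realms]")
        elif "kdc" not in realms[realm]:
            problems.append(f"{ctx}: realm {realm} has no kdc entry")
        if opts.get("useKeyTab") == "true":
            keytab = opts.get("keyTab", "")
            if not os.path.isfile(os.path.join(keytab_dir, keytab)):
                problems.append(f"{ctx}: keytab {keytab!r} not found in {keytab_dir}")
    return problems


def demo():
    """Run the check with only the EMR keytab staged, so the on-premise one is reported."""
    with tempfile.TemporaryDirectory() as staging:
        open(os.path.join(staging, "awsemraccount.keytab"), "wb").close()  # dummy file
        return check_setup(KRB5_CONF, JAAS_CONF, staging)


if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

Run it against the real files before `spark-shell` by reading them into `check_setup`; the keytab directory is whatever `--files` is pointed at, so a missing keytab or an undeclared realm surfaces as a plain message instead of a Kerberos stack trace from inside an executor.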
