@jojochuang jojochuang commented May 30, 2025

What changes were proposed in this pull request?

HDDS-11967. [Docs]DistCP Integration in Kerberized environment.

Please describe your PR in detail:

  • Generated-by: Google Gemini Pro 2.5 (Preview) with the following prompt:
Read Ozone Distcp user doc https://ozone.apache.org/docs/edge/integration/distcp.html
Create an updated user doc with the following instructions
Be succinct, update and integrate with the existing text rather than overwrite the existing text
Generate Markdown source output.
Delegation Token Issues

If a command fails due to being unable to retrieve a delegation token from the destination cluster (indicated by “OzoneToken” in the error output), add the following configuration to core-site.xml or ozone-site.xml:

<property>
  <name>ozone.security.enabled</name>
  <value>true</value>
</property>

Cross-Realm Kerberos

Affected Versions:

For Ozone 1.x, issuing commands across clusters in different Kerberos realms may produce the following error:

# hdfs dfs -ls ofs://ozone1707264383/

24/02/07 18:47:36 INFO retry.RetryInvocationHandler: com.google.protobuf.ServiceException: java.io.IOException: DestHost:destPort ccycloud-1.weichiu-dst.root.comops.site:9862, LocalHost:localPort ccycloud-1.weichiu-src.local/10.140.99.144:0. Failed on local exception: java.io.IOException: Couldn't set up IO streams: java.lang.IllegalArgumentException: Server has invalid Kerberos principal: om/[email protected], expecting: OM/ccycloud-1.weichiu-dst.local@REALM, while invoking $Proxy10.submitRequest over nodeId=om26,nodeAddress=ccycloud-1.weichiu-dst.local:9862 after 3 failover attempts. Trying to failover immediately.

Cause:

This occurs because the ozone.om.kerberos.principal property is not defined correctly. This issue is fixed in Ozone 2.0.

Workaround:

To resolve this, add the following property to ozone-site.xml:

<property>
  <name>ozone.om.kerberos.principal.pattern</name>
  <value>*</value>
</property>

Fix:

This bug is addressed by HDDS-10328 in Ozone 2.0.

Bidirectional Cross-Realm Trust Environment

In environments with bidirectional cross-realm trust, the command may fail with a token renewal error such as:

24/02/08 00:35:00 ERROR tools.DistCp: Exception encountered

java.io.IOException: org.apache.hadoop.yarn.exceptions.YarnException: Failed to submit application_1707350431298_0001 to YARN: Failed to renew token: Kind: HDFS_DELEGATION_TOKEN, Service: 10.140.99.144:8020, Ident: (token for systest: HDFS_DELEGATION_TOKEN [email protected], renewer=yarn, realUser=, issueDate=1707352474394, maxDate=1707957274394, sequenceNumber=44, masterKeyId=14)

Solution:

Add the following parameter to prevent the DistCp job from attempting to renew the remote Ozone delegation token:

-Dmapreduce.job.hdfs-servers.token-renewal.exclude=ozone1707264383

Example:

If running the command on the destination cluster, use the following syntax:

hadoop distcp \
  -Dmapreduce.job.hdfs-servers.token-renewal.exclude=ccycloud-1.weichiu-src.root.comops.site \
  -Ddfs.checksum.combine.mode=COMPOSITE_CRC                 \
  -Dozone.client.checksum.type=CRC32C                       \
  hdfs://ccycloud-1.weichiu-src.root.comops.site:8020/tmp/  \
  ofs://ozone1707264383/tmp/dest

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-11967

How was this patch tested?

User doc only

Change-Id: I3b4e5d796cba324e9cd5e36baaa93278e41d7e08
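
An added check, not part of the pull request or the Ozone project's code: it reads `ozone.om.kerberos.principal.pattern` from a site file and tests which server principals the value would accept, showing that the `*` workaround accepts every principal while a narrower glob does not. It assumes the value is matched as a glob in which `*` spans any characters; the host names, realm and narrowed pattern are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

PATTERN_KEY = "ozone.om.kerberos.principal.pattern"

# Constructed sample configs; hosts, realm and narrowed pattern are placeholders.
WORKAROUND_SITE = """<configuration>
  <property>
    <name>ozone.om.kerberos.principal.pattern</name>
    <value>*</value>
  </property>
</configuration>"""

NARROWED_SITE = """<configuration>
  <property>
    <name>ozone.om.kerberos.principal.pattern</name>
    <value>om/*.dst.example.com@DST.EXAMPLE.COM</value>
  </property>
</configuration>"""


def read_property(site_xml, key):
    """Return the value of a Hadoop-style <property>, or None if absent."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == key:
            return (prop.findtext("value") or "").strip()
    return None


def glob_to_regex(glob):
    """Translate a simple glob ('*' and '?') into an anchored regex (assumed semantics)."""
    parts = []
    for ch in glob:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def accepts(site_xml, principal):
    """True if the configured pattern would accept this server principal."""
    pattern = read_property(site_xml, PATTERN_KEY)
    return bool(pattern) and glob_to_regex(pattern).match(principal) is not None


def is_unrestricted(site_xml):
    """True if the pattern consists only of wildcards, so any principal passes."""
    pattern = read_property(site_xml, PATTERN_KEY)
    return bool(pattern) and set(pattern) <= {"*"}
```
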
@jojochuang jojochuang requested a review from Copilot May 30, 2025 20:14

Copilot AI left a comment

Pull Request Overview

HDDS-11967. [Docs] DistCP Integration in Kerberized environment
This PR updates the user documentation for Hadoop DistCp to better address security issues in kerberized environments by adding troubleshooting sections for delegation token failures, cross-realm Kerberos issues, and token renewal errors.

  • Added a "Troubleshooting Common Issues" section with subsections on Delegation Token Issues, Cross-Realm Kerberos, and Token Renewal Failures.
  • Introduced XML and shell command examples to illustrate configuration changes and workarounds.
  • Updated error examples and provided workaround instructions referencing HDDS-10328.


Add the following property to `core-site.xml` or `ozone-site.xml` on the node where you run the DistCp command:

<property>

Copilot AI May 30, 2025

Consider using fenced code blocks (e.g., triple backticks with 'xml') for XML configuration snippets to improve readability and consistency in the documentation.

**Example:**
If you are running the DistCp command on a YARN cluster associated with the *destination* Ozone cluster (`ofs://ozone1707264383/...`) and copying data *from* a source HDFS cluster (`hdfs://ccycloud-1.weichiu-src.root.comops.site:8020/...`), and the token renewal for the source HDFS cluster is failing:

hadoop distcp \

Copilot AI May 30, 2025

Ensure that the example command is formatted in a fenced code block with shell syntax to enhance clarity for users.

Change-Id: I97ac007154f5c78656ae01dfb3e11bb2df1c353e
@jojochuang jojochuang marked this pull request as ready for review May 30, 2025 20:37
@jojochuang jojochuang requested a review from adoroszlai May 30, 2025 20:37
@jojochuang

@SaketaChalamchala pls review

@jojochuang jojochuang added the documentation Improvements or additions to documentation label May 30, 2025
Change-Id: Ie40b1765d13c011615a64caa33a9046d15319f66
Change-Id: I9fb23abb30b7fe56e15ed26bf75ea42c488ade69
@jojochuang jojochuang requested a review from adoroszlai June 5, 2025 18:20
@jojochuang jojochuang merged commit 2a761f7 into apache:master Jun 5, 2025
14 checks passed
@jojochuang

Thanks @adoroszlai !

aswinshakil added a commit to aswinshakil/ozone that referenced this pull request Jun 9, 2025
…239-container-reconciliation

Commits: 80 commits
5e273a4 HDDS-12977. Fail build on dependency problems (apache#8574)
5081ba2 HDDS-13034. Refactor DirectoryDeletingService to use ReclaimableDirFilter and ReclaimableKeyFilter (apache#8546)
e936e4d HDDS-12134. Implement Snapshot Cache lock for OM Bootstrap (apache#8474)
31d13de HDDS-13165. [Docs] Python client developer guide. (apache#8556)
9e6955e HDDS-13205. Bump common-custom-user-data-maven-extension to 2.0.3 (apache#8581)
750b629 HDDS-13203. Bump Bouncy Castle to 1.81 (apache#8580)
ba5177e HDDS-13202. Bump build-helper-maven-plugin to 3.6.1 (apache#8579)
07ee5dd HDDS-13204. Bump awssdk to 2.31.59 (apache#8582)
e1964f2 HDDS-13201. Bump jersey2 to 2.47 (apache#8578)
81295a5 HDDS-13013. [Snapshot] Add metrics and tests for snapshot operations. (apache#8436)
b3d75ab HDDS-12976. Clean up unused dependencies (apache#8521)
e0f08b2 HDDS-13179. rename-generated-config fails on re-compile without clean (apache#8569)
f388317 HDDS-12554. Support callback on completed reconfiguration (apache#8391)
c13a3fe HDDS-13154 Link more Grafana dashboard json files to the Observability user doc (apache#8533)
2a761f7 HDDS-11967. [Docs]DistCP Integration in Kerberized environment. (apache#8531)
81fc4c4 HDDS-12550. Use DatanodeID instead of UUID in NodeManager CommandQueue. (apache#8560)
2360af4 HDDS-13169. Intermittent failure in testSnapshotOperationsNotBlockedDuringCompaction (apache#8553)
f19789d HDDS-13170. Reclaimable filter should always reclaim entries when buckets and volumes have already been deleted (apache#8551)
315ef20 HDDS-13175. Leftover reference to OM-specific trash implementation (apache#8563)
902e715 HDDS-13159. Refactor KeyManagerImpl for getting deleted subdirectories and deleted subFiles (apache#8538)
46a93d0 HDDS-12817. Addendum rename ecIndex to replicaIndex in chunkinfo output (apache#8552)
19b9b9c HDDS-13166. Set pipeline ID in BlockExistenceVerifier to avoid cached pipeline with different node (apache#8549)
b3ff67c HDDS-13068. Validate Container Balancer move timeout and replication timeout configs (apache#8490)
7a7b9a8 HDDS-13139. Introduce bucket layout flag in freon rk command (apache#8539)
3c25e7d HDDS-12595. Add verifier for container replica states (apache#8422)
6d59220 HDDS-13104. Move auditparser acceptance test under debug (apache#8527)
8e8c432 HDDS-13071. Documentation for Container Replica Debugger Tool (apache#8485)
0e8c8d4 HDDS-13158. Bump junit to 5.13.0 (apache#8537)
8e552b4 HDDS-13157. Bump exec-maven-plugin to 3.5.1 (apache#8534)
168f690 HDDS-13155. Bump jline to 3.30.4 (apache#8535)
cc1e4d1 HDDS-13156. Bump awssdk to 2.31.54 (apache#8536)
3bfb7af HDDS-13136. KeyDeleting Service should not run for already deep cleaned snapshots (apache#8525)
006e691 HDDS-12503. Compact snapshot DB before evicting a snapshot out of cache (apache#8141)
568b228 HDDS-13067. Container Balancer delete commands should not be sent with an expiration time in the past (apache#8491)
53673c5 HDDS-11244. OmPurgeDirectoriesRequest should clean up File and Directory tables of AOS for deleted snapshot directories (apache#8509)
07f4868 HDDS-13099. ozone admin datanode list ignores --json flag when --id filter is used (apache#8500)
08c0ab8 HDDS-13075. Fix default value in description of container placement policy configs (apache#8511)
58c87a8 HDDS-12177. Set runtime scope where missing (apache#8513)
10c470d HDDS-12817. Add EC block index in the ozone debug replicas chunk-info (apache#8515)
7027ab7 HDDS-13124. Respect config hdds.datanode.use.datanode.hostname when reading from datanode (apache#8518)
b8b226c HDDS-12928. datanode min free space configuration (apache#8388)
fd3d70c HDDS-13026. KeyDeletingService should also delete RenameEntries (apache#8447)
4c1c6cf HDDS-12714. Create acceptance test framework for debug and repair tools (apache#8510)
fff80fc HDDS-13118. Remove duplicate mockito-core dependency from hdds-test-utils (apache#8508)
10d5555 HDDS-13115. Bump awssdk to 2.31.50 (apache#8505)
360d139 HDDS-13017. Fix warnings due to non-test scoped test dependencies (apache#8479)
1db1cca HDDS-13116. Bump jline to 3.30.3 (apache#8504)
322ca93 HDDS-13025. Refactor KeyDeletingService to use ReclaimableKeyFilter (apache#8450)
988b447 HDDS-5287. Document S3 ACL classes (apache#8501)
64bb29d HDDS-12777. Use module-specific name for generated config files (apache#8475)
54ed115 HDDS-9210. Update snapshot chain restore test to incorporate snapshot delete. (apache#8484)
87dfa5a HDDS-13014. Improve PrometheusMetricsSink#normalizeName performance (apache#8438)
7cdc865 HDDS-13100. ozone admin datanode list --json should output a newline at the end (apache#8499)
9cc4194 HDDS-13089. [snapshot] Add an integration test to verify snapshotted data can be read by S3 SDK client (apache#8495)
cb9867b HDDS-13065. Refactor SnapshotCache to return AutoCloseSupplier instead of ReferenceCounted (apache#8473)
a88ff71 HDDS-10979. Support STANDARD_IA S3 storage class to accept EC replication config (apache#8399)
6ec8f85 HDDS-13080. Improve delete metrics to show number of timeout DN command from SCM (apache#8497)
3bb8858 HDDS-12378. Change default hdds.scm.safemode.min.datanode to 3 (apache#8331)
0171bef HDDS-13073. Set pipeline ID in checksums verifier to avoid cached pipeline with different node (apache#8480)
5c7726a HDDS-11539. OzoneClientCache `@PreDestroy` is never called (apache#8493)
a8ed19b HDDS-13031. Implement a Flat Lock resource in OzoneManagerLock (apache#8446)
e9e8b30 HDDS-12935. Support unsigned chunked upload with STREAMING-UNSIGNED-PAYLOAD-TRAILER (apache#8366)
7590268 HDDS-13079. Improve logging in DN for delete operation. (apache#8489)
435fe7e HDDS-12870. Fix listObjects corner cases (apache#8307)
eb5dabd HDDS-12926. Remove *.tmp.* exclusion in DU (apache#8486)
eeb98c7 HDDS-13030. Snapshot Purge should unset deep cleaning flag for next 2 snapshots in the chain (apache#8451)
6bf121e HDDS-13032. Support proper S3OwnerId representation (apache#8478)
5d1b43d HDDS-13076. Refactor OzoneManagerLock class to rename Resource class to LeveledResource (apache#8482)
bafe6d9 HDDS-13064. [snapshot] Add test coverage for SnapshotUtils.isBlockLocationInfoSame() (apache#8476)
7035846 HDDS-13040. Add user doc highlighting the difference between Ozone ACL and S3 ACL. (apache#8457)
1825cdf HDDS-13049. Deprecate VolumeName & BucketName in OmKeyPurgeRequest and prevent Key version purge on Block Deletion Failure (apache#8463)
211c76c HDDS-13060. Change NodeManager.addDatanodeCommand(..) to use DatanodeID (apache#8471)
f410238 HDDS-13061. Add test for key ACL operations without permission (apache#8472)
d1a2f48 HDDS-13057. Increment block delete processed transaction counts regardless of log level (apache#8466)
0cc6fcc HDDS-13043. Replace != with assertNotEquals in TestSCMContainerPlacementRackAware (apache#8470)
e1c779a HDDS-13051. Use DatanodeID in server-scm. (apache#8465)
35e1126 HDDS-13042. [snapshot] Add future proofing test cases for unsupported file system API (apache#8458)
619c05d HDDS-13008. Exclude same SST files when calculating full snapdiff (apache#8423)
21b49d3 HDDS-12965. Fix warnings about "used undeclared" dependencies (apache#8468)
8136119 HDDS-13048. Create new module for Recon integration tests (apache#8464)

Conflicts:
	hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/node/NodeManager.java