MapR non-standard Hadoop security not supported #70
Comments
|
This has to do with MapR forking Hadoop and not providing a 100% compatible authentication mechanism. The problematic code is here: To provide a better error message than Hadoop API's do (just a deadlock :/), we try to detect user's forgetting to login before instantiating If you have any suggestions, I'd be welcome to a PR adding MapR support. I don't have a MapR cluster available for testing. |
|
Hi there, thanks for the reply. We are in contact with MapR support we will try to get some sort of way forward on that. |
jcrist
changed the title
|
@jcrist I am running into this exact same issue with a MapR cluster. Is there a temporary workaround that we could do? I would be interested in contributing this feature to dask-yarn. What do you think a fix would require? @andregouveiasantana did you hear back from MapR about this issue? |
|
The issue here is our check for whether a user is appropriately logged in before any requests are made. The Hadoop APIs block if the user isn't logged in (unfortunate design), so I'd like to keep this check around to provide a nicer user experience. Due to MapR's fork of Hadoop, our check code is incorrect. Without access to a MapR cluster to test on, I'm not sure what to do here. The MapR sandbox vm doesn't have security enabled, if you know of a way to get that test setup working and reproducible then I can take a look. |
|
Unfortunately I don't have any way to get a test setup working and reproducible. But I am happy to test for you and post the work around/solution and help in any way that I can.
So as a hack for now would patching out this check (assuming that I am properly logged in) work?
By blocks do you mean that it just hangs and doesn't give a response one way or the other? |
I'd need to experiment with a running MapR install to figure out how their fork is different, which would be hard to do remote.
Yes.
Yes, an error is logged but the request just hangs forever. |
|
Hey guys, Sorry for the delay in the reply. We had been waiting for a reply from MapR, which took some more time that expected. Unfortunately it pretty much stated the obvious that the issue is related to the specific method of authentication used by MapR's implementation. I am attaching their reply for the moment. I didn't see anything that could help. |
|
The question I want to know is how to check beforehand from a |
|
I can confirm similar issues with HortonWorks Hadoop. Some non-substantive research (google queries) - led me to: Having looked through the https://github.com/jcrist/skein codebase (used by dask-yarn for yarn connectivity) - I wonder if the approach to use the API "getLoginUser()" is best ? Suggest change to use "getUGIFromTicketCache(ticketCache,userId)" - and add ticketCache and userId parameters as Driver arguments. Note: that in my use case - we are explicitly using kinit prior to dask-yarn/skein instantiation and 'klist' reports a valid non-expired kerberos ticket. |
|
dask-yarn (and If you're having issues on hortonworks, please file a new issue in https://github.com/jcrist/skein where we can discuss them. |
|
Submitted a PR for |
|
@jcrist Can you please review the fix for this issue? |
|
Any update with the patching of the issue? I am using MapR hadoop too and facing exactly the same issue in 2023. |
Hi guys,
I am sorry if it's a dummy/repeated question. We have been trying to follow the example to bring up dask on yarn and keep getting error "Kerberos ticket not found, please kinit and restart" even though the user starting the cluster does have a valid ticket.
Is there anywhere where I could specifically point to the ticket location at the runtime of the cluster? We have a hadoop cluster and wanted to use dask on yarn. Wondering if anybody has tried to work with this constellation. MapR hadoop cluster/ Dask on Yarn and could give us any pointers would be highly appreciated.
Thank you!
Andre
Error attached.
log-daskyarn.txt
The text was updated successfully, but these errors were encountered: