nickwallen opened a new pull request #1539: METRON-2297 Enrichment Topology Unable to Load Geo IP Data from HDFS URL: https://github.com/apache/metron/pull/1539 On the `feature/METRON-2088-support-hdp-3.1` feature branch, the Enrichment topology is unable to load the GeoIP data from HDFS when using Kerberos authentication. ### The Problem The Enrichment topology shows this exception, ``` 2019-10-03 18:23:18.545 o.a.h.i.Client Curator-TreeCache-0 [WARN] Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] 2019-10-03 18:23:18.552 o.a.m.e.a.m.MaxMindDbUtilities Curator-TreeCache-0 [ERROR] Unable to open new database file /apps/metron/geo/default/GeoLite2-City.tar.gz java.io.IOException: DestHost:destPort metrong-1.openstacklocal:8020 , LocalHost:localPort metrong-7/172.22.74.121:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] ``` * When using Kerberos authentication no topology is able to access HDFS, which primarily impacts Enrichment and Batch Indexing. * If the local cache on a Storm worker contains a ticket for the 'metron' user, the topology is able to access HDFS. * When using Kerberos authentication, all topologies are able to access Kafka. This only impacts HDFS. ### Why? We use [Storm's AutoTGT](https://github.com/apache/storm/blob/v1.2.1/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java) class to unpack the user credentials obtained by the Nimbus and authenticate with HDFS. When attempting to authenticate with HDFS, It uses reflection to load Hadoop's `org.apache.hadoop.security.UserGroupInformation` class at runtime. I believe Storm uses reflection so `hadoop-common` is not a required dependency for all Storm users. When [this class is loaded at runtime](https://github.com/apache/storm/blob/d156d25d991311eaa1f5131d3dc34787f87ce684/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L177), it fails indicating that the class is not found on the classpath. When this occurs, the error is effectively ignored, an `INFO` message is logged (rather than error or warn), and no details from the exception are logged. This occurs despite this class being on the classpath in three different places. 1. The class is packaged into into the Enrichment topology Uber jar. 1. The class is packaged into the Stellar common jar which is added to the classpath using `--jars`. 1. The class is added to the classpath at runtime by Storm as part of storm-autocreds. ### The Solution If we use bundle a custom `AutoTGT` class in the topology uber jars, the custom `AutoTGT` implementation is able to correctly load the `hadoop-common` dependency at runtime. This avoids the problem. ### Changes 1. Created a custom `AutoTGT` implementation that lives within `metron-common-storm`. This is a clone of Storm's AutoTGT except that it includes additional commentary and logging should this error occur again. 1. Added `metron-common-storm` as a direct dependency of all project's that create a Storm uber jar. In all cases except `metron-pcap-backend` this was already a transitive dependency. We need this to be a direct dependency because without the new AutoTGT implementation, none of the topologies will start in Storm. 1. Created an additional configuration in the Mpack for the topology's `topology.auto-credentials` property. This can no longer default to the value of Nimbus's `nimbus.credential.renewers.classes`. This property is only exposed to the user as an "advanced" setting and should rarely need changed by a user. ### Validation This is difficult (impossible?) to test in the development environment. This should be tested on a multi-node cluster. The bug cannot be replicated on a single node because the ticket that is cached when the topology is submitted will be reused by the Storm worker when attempting to access HDFS. The bug only occurs when there is not already a cached ticket to use. 1. Spin-up Metron on a multi-node cluster. 1. Kerberize the environment. 1. Start the Enrichment topology. 1. Ensure that the Enrichment topology is able to load the GeoIP data from HDFS. 1. Ensure that telemetry is being indexed in HDFS. ## Pull Request Checklist Thank you for submitting a contribution to Apache Metron. Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions. Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides. In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following: ### For all changes: - [ ] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel). - [ ] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? ### For code changes: - [ ] Have you included steps to reproduce the behavior or problem that is being changed or addressed? - [ ] Have you included steps or a guide to how the change may be verified and tested manually? - [ ] Have you ensured that the full suite of tests and checks have been executed in the root metron folder via: ``` mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh ``` - [ ] Have you written or updated unit tests and or integration tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via `site-book/target/site/index.html`: ``` cd site-book mvn site ``` - [ ] Have you ensured that any documentation diagrams have been updated, along with their source files, using [draw.io](https://www.draw.io/)? See [Metron Development Guidelines](https://cwiki.apache.org/confluence/display/METRON/Development+Guidelines) for instructions. #### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
