Cross-region access

Last Updated: Apr 12, 2018

Kerberos in E-MapReduce supports cross-region access (the region here is the Kerberos realm): different Kerberos clusters can access each other.

This article describes cross-region access, using Cluster-A and Cluster-B as an example.

Cluster-A accesses services in Cluster-B.

  • hostname of emr-header-1 in Cluster-A -> emr-header-1.cluster-1234 ; region -> EMR.1234.COM
  • hostname of emr-header-1 in Cluster-B -> emr-header-1.cluster-6789 ; region -> EMR.6789.COM

Note:

  • The hostname can be obtained by running the hostname command on emr-header-1.
  • The region (realm) can be found in /etc/krb5.conf on emr-header-1.

1. Add principal

Run exactly the same commands on the emr-header-1 node of both Cluster-A and Cluster-B:

    # Run as the root account
    sh /usr/lib/has-current/bin/hadmin-local.sh /etc/ecm/has-conf -k /etc/ecm/has-conf/admin.keytab
    HadminLocalTool.local: addprinc -pw 123456 krbtgt/EMR.6789.COM@EMR.1234.COM

Note:

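  • 123456 is an example password and can be changed. Because the same command is run on both clusters, use the same (preferably strong) password on each.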
  • EMR.6789.COM is the region of Cluster-B, namely, the region of the cluster to be accessed.
  • EMR.1234.COM is the region of Cluster-A, namely, the region of the cluster that initiates the access.

2. Configure /etc/krb5.conf for Cluster-A

Configure [realms], [domain_realm] and [capaths] in /etc/krb5.conf on Cluster-A as follows (krb5.conf uses the term realm for what this article calls the region):

    [libdefaults]
        kdc_realm = EMR.1234.COM
        default_realm = EMR.1234.COM
        udp_preference_limit = 4096
        kdc_tcp_port = 88
        kdc_udp_port = 88
        dns_lookup_kdc = false
    [realms]
        EMR.1234.COM = {
            kdc = 10.81.49.3:88
        }
        EMR.6789.COM = {
            kdc = 10.81.49.7:88
        }
    [domain_realm]
        .cluster-1234 = EMR.1234.COM
        .cluster-6789 = EMR.6789.COM
    [capaths]
        EMR.1234.COM = {
            EMR.6789.COM = .
        }
        EMR.6789.COM = {
            EMR.1234.COM = .
        }

Synchronize /etc/krb5.conf to all Cluster-A nodes.

Note:

  • If a job running on Cluster-A needs to access Cluster-B, YARN must be restarted.

  • Configure host binding information for all Cluster-A nodes.

    Copy the binding information (only the long domain name emr-xxx-x.cluster-xxx is needed) in the file /etc/hosts in Cluster-B to /etc/hosts for all Cluster-A nodes.

        10.81.45.89 emr-worker-1.cluster-xxx
        10.81.46.222 emr-worker-2.cluster-xx
        10.81.44.177 emr-header-1.cluster-xxx
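
The following check is an added example, not code from the original page or from E-MapReduce. It parses a constructed, trimmed copy of the Cluster-A krb5.conf above (written with the standard krb5.conf section names [realms] and [domain_realm]) and reports which cross-realm ticket a Cluster-A client will request for a Cluster-B host and which entries are missing; the function names and the simplified suffix matching are assumptions of this example.

```python
# Constructed sample: the entries of Cluster-A's /etc/krb5.conf that a client consults.
KRB5_CONF = """
[libdefaults]
  default_realm = EMR.1234.COM
[realms]
  EMR.1234.COM = {
    kdc = 10.81.49.3:88
  }
  EMR.6789.COM = {
    kdc = 10.81.49.7:88
  }
[domain_realm]
  .cluster-1234 = EMR.1234.COM
  .cluster-6789 = EMR.6789.COM
[capaths]
  EMR.1234.COM = {
    EMR.6789.COM = .
  }
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' pairs and one level of 'name = { ... }' blocks."""
    conf, section, block = {}, {}, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def realm_for_host(conf, host):
    """Simplified [domain_realm] lookup: longest matching suffix, else default_realm."""
    rules = conf.get("domain_realm", {})
    hits = [d for d in rules if host == d or (d.startswith(".") and host.endswith(d))]
    return rules[max(hits, key=len)] if hits else conf["libdefaults"]["default_realm"]

def check_cross_realm(conf, host):
    """Return (TGT principal a local client needs for host, list of config problems)."""
    local, remote = conf["libdefaults"]["default_realm"], realm_for_host(conf, host)
    problems = [f"[realms] has no kdc for {r}" for r in (local, remote)
                if "kdc" not in conf.get("realms", {}).get(r, {})]
    if remote != local and conf.get("capaths", {}).get(local, {}).get(remote) != ".":
        problems.append(f"[capaths] has no direct path {local} -> {remote}")
    return f"krbtgt/{remote}@{local}", problems
```

For emr-header-1.cluster-6789 the check returns krbtgt/EMR.6789.COM@EMR.1234.COM, the principal created in step 1. If the .cluster-6789 mapping is missing, the host resolves to the local realm and the client never requests that cross-realm ticket.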

3. Access services in Cluster-B

On Cluster-A, the keytab file or ticket cache from Cluster-A's Kerberos can be used to access services in Cluster-B.

For example, to access the HDFS service in Cluster-B:

    su has;
    hadoop fs -ls hdfs://emr-header-1.cluster-6789:9000/
    Found 4 items
    -rw-r----- 2 has hadoop 34 2017-12-05 18:15 hdfs://emr-header-1.cluster-6789:9000/abc
    drwxrwxrwt - hadoop hadoop 0 2017-12-05 18:32 hdfs://emr-header-1.cluster-6789:9000/spark-history
    drwxrwxrwt - hadoop hadoop 0 2017-12-05 17:53 hdfs://emr-header-1.cluster-6789:9000/tmp
    drwxrwxrwt - hadoop hadoop 0 2017-12-05 18:24 hdfs://emr-header-1.cluster-6789:9000/user