Document Center
edit-icon download-icon

Cross-region access

Last Updated: Apr 12, 2018

The Kerberos in E-MapReduce supports cross-region, that is, different Kerberos clusters can inter-access each other.

This article describe cross-region access by using Cluster-A and Cluster-B as an example.

Cluster-A accesses services in Cluster-B.

  • hostname of emr-header-1 in Cluster-A -> emr-header-1.cluster-1234 ; region -> EMR.1234.COM
  • hostname of emr-header-1 in Cluster-B -> emr-header-1.cluster-6789 ; region -> EMR.6789.COM

Note:

  • The hostname can be obtained through executing the command hostname on emr-header-1.
  • Region can be obtained in /etc/krb5.conf on emr-header-1.

1. Add principal

emr-header-1 nodes in Cluster-A and Cluster-B run the same command exactly as follows:

  1.        # root account
  2.        sh /usr/lib/has-current/bin/hadmin-local.sh /etc/ecm/has-conf -k /etc/ecm/has-conf/admin.keytab
  3.        HadminLocalTool.local: addprinc -pw 123456 krbtgt/EMR.6789.COM@EMR.1234.COM

Note:

  • 123456 is the password, which can be changed.
  • EMR.6789.COM is the region of Cluster-B, namely, the region of the cluster to be accessed.
  • EMR.1234.COM is the region of Cluster-A, namely, the region of the cluster that initiates the access.

2. Configure /etc/krb5.conf for Cluster-A

Configure [regions]/[domain_region]/[capaths] on Cluster-A as follows:

  1. [libdefaults]
  2.     kdc_region = EMR.1234.COM
  3.     default_region = EMR.1234.COM
  4.     udp_preference_limit = 4096
  5.     kdc_tcp_port = 88
  6.     kdc_udp_port = 88
  7.     dns_lookup_kdc = false
  9. [regions]
  10.     EMR.1234.COM = {
  11.                 kdc = 10.81.49.3:88
  12.     }
  13.     EMR.6789.COM = {
  14.                 kdc = 10.81.49.7:88
  15.     }
  17. [domain_region]
  18.     .cluster-1234 = EMR.1234.COM
  19.     .cluster-6789 = EMR.6789.COM
  21. [capaths]
  22.     EMR.1234.COM = {
  23.        EMR.6789.COM = .
  24.     }
  25.     EMR.6789.COM = {
  26.        EMR.1234.COM = .
  27.     }

Synchronize /etc/krb5.conf to all Cluster-A nodes.

Note:

  • If a job is running on Cluster-A to access Cluster-B. yarn must be restarted.

  • Configure host binding information for all Cluster-A nodes.

    Copy the binding information (only the long domain name emr-xxx-x.cluster-xxx is needed) in the file /etc/hosts in Cluster-B to /etc/hosts for all Cluster-A nodes.

    1.  10.81.45.89  emr-worker-1.cluster-xxx
    2.  10.81.46.222  emr-worker-2.cluster-xx
    3.  10.81.44.177  emr-header-1.cluster-xxx

3. Access services in Cluster-B

The keytab file /ticket in Kerberos of Cluster-A can be used on Cluster-A as a cache to access services in Cluster-B.

For example, access hdfs service in Cluster-B:

  1. su has;
  2. hadoop fs -ls hdfs://emr-header-1.cluster-6789:9000/
  3. Found 4 items
  4. -rw-r-----   2 has    hadoop         34 2017-12-05 18:15 hdfs://emr-header-1.cluster-6789:9000/abc
  5. drwxrwxrwt   - hadoop hadoop          0 2017-12-05 18:32 hdfs://emr-header-1.cluster-6789:9000/spark-history
  6. drwxrwxrwt   - hadoop hadoop          0 2017-12-05 17:53 hdfs://emr-header-1.cluster-6789:9000/tmp
  7. drwxrwxrwt   - hadoop hadoop          0 2017-12-05 18:24 hdfs://emr-header-1.cluster-6789:9000/user
Thank you! We've received your feedback.
Free Trial Free Trial