feat(yarn-timelineserver-v2): setup Ranger rules and Hbase tables cre…
…ation for ATS
dapicard committed Sep 29, 2023
1 parent 55c3b06 commit 3cc760e
Showing 7 changed files with 125 additions and 3 deletions.
1 change: 1 addition & 0 deletions playbooks/meta/yarn.yml
@@ -23,6 +23,7 @@
- ansible.builtin.import_playbook: ../yarn_ranger_config.yml
# yarn_config
- ansible.builtin.import_playbook: ../yarn_ranger_init.yml
- ansible.builtin.import_playbook: ../yarn_apptimelineserver_ranger_init.yml
- ansible.builtin.import_playbook: ../yarn_resourcemanager_start.yml
- ansible.builtin.import_playbook: ../yarn_nodemanager_start.yml
# yarn_client_init
10 changes: 10 additions & 0 deletions playbooks/yarn_apptimelineserver_prepare.yml
@@ -2,6 +2,16 @@
# SPDX-License-Identifier: Apache-2.0

---
- name: Initialize Hadoop YARN App Timeline Server
hosts: hbase_client
tasks:
- tosit.tdp.resolve: # noqa unnamed-task
node_name: yarn_apptimelineserver
- name: Initialize YARN ATS
import_role:
name: tosit.tdp.yarn.apptimelineserver
tasks_from: hbase_init

- name: Hadoop YARN App Timeline Server restart
hosts: yarn_ats
tasks:
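Review bot: The new first play targets `hbase_client`, yet the `hbase_init` tasks it imports authenticate from `/etc/security/keytabs/yarn.headless.keytab` as `yarn_user`, and nothing visible in this commit ensures that keytab or that user exists on the first `hbase_client` host. If the keytab is deployed there only for this step, the YARN headless credential ends up on client hosts that otherwise would not need it. A comment above the play such as `# Requires yarn.headless.keytab and the yarn user on the first hbase_client host` would document the prerequisite, or the play could target a host that already holds the keytab. The restart play that follows continues outside the hunk.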
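--- a/playbooks/yarn_apptimelineserver_ranger_init.yml
+++ b/playbooks/yarn_apptimelineserver_ranger_init.yml
@@ -0,0 +1,14 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Hadoop YARN App Timeline Server ranger policy init
+hosts: yarn_ats
+tasks:
+- tosit.tdp.resolve: # noqa unnamed-task
+node_name: yarn_apptimelineserver
+- name: Initialize YARN App Timeline Server Ranger policy
+import_role:
+name: tosit.tdp.yarn.apptimelineserver
+tasks_from: ranger_policy
+- meta: clear_facts # noqa unnamed-task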
1 change: 1 addition & 0 deletions roles/yarn/apptimelineserver/tasks/config.yml
@@ -65,4 +65,5 @@
group: root
mode: "644"

# sur edge node:
# HADOOP_CLASSPATH=/etc/hbase/conf/*:/opt/tdp/hbase/lib/*:/opt/tdp/hadoop-3.1.1-TDP-0.1.0-SNAPSHOT/share/hadoop/yarn/timelineservice/*:`hadoop classpath` hadoop org.apache.hadoop.yarn.server.timelineservice.storage.TimelineSchemaCreator -create -skipExistingTable
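--- a/roles/yarn/apptimelineserver/tasks/hbase_init.yml
+++ b/roles/yarn/apptimelineserver/tasks/hbase_init.yml
@@ -0,0 +1,33 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: YARN Timeline Service initialization - "kinit"
+run_once: true
+become_user: "{{ yarn_user }}"
+ansible.builtin.shell: /bin/kinit -kt /etc/security/keytabs/yarn.headless.keytab "{{ yarn_headless_principal }}@{{ realm }}"
+changed_when: false
+
+- name: Initialize Timeline Service Hbase tables
+run_once: true
+become_user: "{{ yarn_user }}"
+block:
+- name: Start TimelineSchemaCreator
+ansible.builtin.shell: |
+HADOOP_OPTS=-Djava.security.auth.login.config=/etc/hbase/conf/krb5JAASClient.conf \
+HADOOP_CLASSPATH=/opt/tdp/hbase/lib/*:/opt/tdp/hadoop/share/hadoop/yarn/timelineservice/*:`hadoop classpath` \
+hadoop org.apache.hadoop.yarn.server.timelineservice.storage.TimelineSchemaCreator -create -skipExistingTable 2>&1
+register: timeline_schema_creator
+changed_when: false
+failed_when: 'timeline_schema_creator.rc != 0 or "Successfully created HBase schema" not in timeline_schema_creator.stdout'
+rescue:
+- name: YARN Timeline Service initialization - "kdestroy"
+ansible.builtin.shell: /bin/kdestroy
+changed_when: false
+failed_when: true
+
+- name: YARN Timeline Service initialization - "kdestroy"
+run_once: true
+become_user: "{{ yarn_user }}"
+ansible.builtin.shell: /bin/kdestroy
+changed_when: false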
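Review bot: The `kinit` task and both `kdestroy` tasks act on the yarn user's default credential cache, so on a host where other processes run as `yarn_user` this step can replace and then destroy tickets they rely on, and a run interrupted before the final `kdestroy` leaves a headless yarn TGT in that default cache. Giving the kinit, `TimelineSchemaCreator` and kdestroy tasks a dedicated cache through `environment:` with `KRB5CCNAME: "FILE:<private-ccache-path>"` (placeholder path, ideally created per run and readable only by `yarn_user`) would isolate the ticket. `kinit` and `kdestroy` use no shell features here, so `ansible.builtin.command` would be the tighter module for those three tasks.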
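--- a/roles/yarn/apptimelineserver/tasks/ranger_policy.yml
+++ b/roles/yarn/apptimelineserver/tasks/ranger_policy.yml
@@ -0,0 +1,59 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Create Yarn Timeline Server policy
+run_once: true
+uri:
+url: "{{ ranger_yarn_install_properties.POLICY_MGR_URL }}/service/public/v2/api/policy"
+headers:
+Accept: application/json
+body:
+name: yarn-ats-permissions
+service: "{{ ranger_hbase_install_properties.REPOSITORY_NAME }}"
+repositoryType: hbase
+description: Permissions to give to yarn Timeline Server
+isEnabled: true
+isAuditEnabled: true
+resources:
+column-family:
+values: ["*"]
+isExcludes: false
+isRecursive: false
+column:
+values: ["*"]
+isExcludes: false
+isRecursive: false
+table:
+values: ["{{ cluster_name }}.timelineservice.*"]
+isExcludes: false
+isRecursive: false
+policyItems:
+- users: ["{{ yarn_user }}"]
+groups: []
+delegateAdmin: false
+accesses:
+- isAllowed: true
+type: read
+- isAllowed: true
+type: write
+- isAllowed: true
+type: create
+- isAllowed: true
+type: admin
+conditions: []
+body_format: json
+url_username: "admin"
+url_password: "{{ ranger_admin_password }}"
+force_basic_auth: true
+method: POST
+status_code: [200, 400]
+validate_certs: false
+register: reg_yarn_ats
+changed_when: reg_yarn_ats.status == 200
+failed_when: |
+reg_yarn_ats is failed or
+reg_yarn_ats.status == 400 and
+(reg_yarn_ats.json.msgDesc is not defined or
+'Another policy already exists for this name' not in reg_yarn_ats.json.msgDesc and
+'Another policy already exists for matching resource' not in reg_yarn_ats.json.msgDesc)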
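Review bot: The `uri` task sends the Ranger `admin` password with `force_basic_auth: true` while `validate_certs: false` turns off TLS certificate checking, so the credential is handed to whatever endpoint answers at `POLICY_MGR_URL` without proof that it is the real Ranger Admin. Prefer `validate_certs: true` with the cluster CA supplied through `ca_path`, or at least drive the setting from a variable that defaults to verification. Separately, the policy item grants `admin` on `{{ cluster_name }}.timelineservice.*` on top of read, write and create; if schema creation and normal ATS operation work without it, dropping that access type keeps `yarn_user` closer to least privilege.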
10 changes: 7 additions & 3 deletions tdp_vars_defaults/yarn/yarn.yml
@@ -78,8 +78,9 @@ yarn_site:
yarn.resourcemanager.ha.automatic-failover.zk-base-path: "/yarn-leader-election"
yarn.nodemanager.container-executor.class: org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor
yarn.nodemanager.linux-container-executor.group: hadoop
yarn.nodemanager.aux-services: mapreduce_shuffle
yarn.nodemanager.aux-services: mapreduce_shuffle,timeline_collector
yarn.nodemanager.aux-services.mapreduce_shuffle.class: org.apache.hadoop.mapred.ShuffleHandler
yarn.nodemanager.aux-services.timeline_collector.class: org.apache.hadoop.yarn.server.timelineservice.collector.PerNodeTimelineCollectorsAuxService
yarn.nodemanager.address: "0.0.0.0:{{ yarn_nm_rpc_port }}"
yarn.nodemanager.bind-host: 0.0.0.0
yarn.nodemanager.localizer.address: "0.0.0.0:{{ yarn_nm_localizer_port }}"
@@ -124,7 +125,7 @@ yarn_site:
yarn.timeline-service.http-authentication.type: kerberos
yarn.timeline-service.http-authentication.kerberos.principal: HTTP/_HOST@{{ realm }}
yarn.timeline-service.http-authentication.kerberos.keytab: /etc/security/keytabs/spnego.service.keytab
yarn.timeline-service.schema.prefix: "ats.{{ cluster_name }}."
yarn.timeline-service.hbase-schema.prefix: "{{ cluster_name }}."
yarn.timeline-service.hbase.configuration.file: "file:{{ hbase_client_conf_dir }}/hbase-site.xml"
yarn.acl.enable: "true"
yarn.admin.acl: yarn,knox
@@ -135,7 +136,8 @@ yarn_site:
yarn.nodemanager.linux-container-executor.cgroups.mount-path: "{{ cgroups_root_dir }}"
yarn.nodemanager.linux-container-executor.cgroups.hierarchy: "/yarn"
yarn.nodemanager.linux-container-executor.cgroups.strict-resource-usage: "{% if cgroups_enabled %}true{% else %}false{% endif %}"

yarn.system-metrics-publisher.enabled: "true"
yarn.rm.system-metrics-publisher.emit-container-events: "true"

# container-executor.cfg
container_executor:
@@ -158,6 +160,8 @@ ranger_yarn_install_properties:
REPOSITORY_NAME: yarn-tdp
XAAUDIT_SOLR_ENABLE: "{% if 'ranger_solr' in groups and groups['ranger_solr'] %}true{% else %}false{% endif %}"
XAAUDIT_SOLR_URL: "{% if 'ranger_solr' in groups and groups['ranger_solr'] %}http://{{ groups['ranger_solr'][0] | tosit.tdp.access_fqdn(hostvars) }}:{{ ranger_solr_http_port }}/solr/ranger_audits{% else %}NONE{% endif %}"
ranger_hbase_install_properties:
REPOSITORY_NAME: hbase-tdp

capacity_scheduler:
yarn.scheduler.capacity.maximum-applications: 10000
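Review bot: `ranger_hbase_install_properties.REPOSITORY_NAME: hbase-tdp`, added in the last hunk, looks like a second copy of the HBase Ranger repository name kept in the YARN defaults (the HBase defaults are not visible here, so this is inferred). If the HBase service's own value is overridden, the ATS policy would be posted against a different or missing Ranger service and the timeline tables would not be covered by the intended policy. Add a comment such as `# must match REPOSITORY_NAME in the HBase Ranger defaults`, or read the value from the HBase variables instead of redefining it. The same coupling applies to `yarn.timeline-service.hbase-schema.prefix`, which has to stay aligned with the policy's table pattern `{{ cluster_name }}.timelineservice.*`.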
