Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0437416c33
Branches Tags
elasticsearch
/
docs
/
plugins
/
repository-hdfs.asciidoc

repository-hdfs.asciidoc 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194 
  1. [[repository-hdfs]]
    2. 

  2. === Hadoop HDFS repository plugin
    3. 

  3. 

  4. The HDFS repository plugin adds support for using HDFS File System as a repository for
    5. 

  5. {ref}/snapshot-restore.html[Snapshot/Restore].
    6. 

  6. 

  7. :plugin_name: repository-hdfs
    8. 

  8. include::install_remove.asciidoc[]
    9. 

  9. 

  10. [[repository-hdfs-usage]]
    11. 

  11. ==== Getting started with HDFS
    12. 

  12. 

  13. The HDFS snapshot/restore plugin is built against the latest Apache Hadoop 2.x (currently 2.7.1). If the distro you are using is not protocol
    14. 

  14. compatible with Apache Hadoop, consider replacing the Hadoop libraries inside the plugin folder with your own (you might have to adjust the security permissions required).
    15. 

  15. 

  16. Even if Hadoop is already installed on the Elasticsearch nodes, for security reasons, the required libraries need to be placed under the plugin folder. Note that in most cases, if the distro is compatible, one simply needs to configure the repository with the appropriate Hadoop configuration files (see below).
    17. 

  17. 

  18. Windows Users::
    19. 

  19. Using Apache Hadoop on Windows is problematic and thus it is not recommended. For those _really_ wanting to use it, make sure you place the elusive `winutils.exe` under the
    20. 

  20. plugin folder and point `HADOOP_HOME` variable to it; this should minimize the amount of permissions Hadoop requires (though one would still have to add some more).
    21. 

  21. 

  22. [[repository-hdfs-config]]
    23. 

  23. ==== Configuration properties
    24. 

  24. 

  25. Once installed, define the configuration for the `hdfs` repository through the
    26. 

  26. {ref}/snapshot-restore.html[REST API]:
    27. 

  27. 

  28. [source,console]
    29. 

  29. ----
    30. 

  30. PUT _snapshot/my_hdfs_repository
    31. 

  31. {
    32. 

  32.   "type": "hdfs",
    33. 

  33.   "settings": {
    34. 

  34.     "uri": "hdfs://namenode:8020/",
    35. 

  35.     "path": "elasticsearch/repositories/my_hdfs_repository",
    36. 

  36.     "conf.dfs.client.read.shortcircuit": "true"
    37. 

  37.   }
    38. 

  38. }
    39. 

  39. ----
    40. 

  40. // TEST[skip:we don't have hdfs set up while testing this]
    41. 

  41. 

  42. The following settings are supported:
    43. 

  43. 

  44. [horizontal]
    45. 

  45. `uri`::
    46. 

  46. 

  47.     The uri address for hdfs. ex: "hdfs://<host>:<port>/". (Required)
    48. 

  48. 

  49. `path`::
    50. 

  50. 

  51.     The file path within the filesystem where data is stored/loaded. ex: "path/to/file". (Required)
    52. 

  52. 

  53. `load_defaults`::
    54. 

  54. 

  55.     Whether to load the default Hadoop configuration or not. (Enabled by default)
    56. 

  56. 

  57. `conf.<key>`::
    58. 

  58. 

  59.     Inlined configuration parameter to be added to Hadoop configuration. (Optional)
    60. 

  60.     Only client oriented properties from the hadoop https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/core-default.xml[core] and https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml[hdfs] configuration files will be recognized by the plugin.
    61. 

  61. 

  62. `compress`::
    63. 

  63. 

  64.     Whether to compress the metadata or not. (Enabled by default)
    65. 

  65. 

  66. include::repository-shared-settings.asciidoc[]
    67. 

  67. 

  68. `chunk_size`::
    69. 

  69. 

  70.     Override the chunk size. (Disabled by default)
    71. 

  71. 

  72. `security.principal`::
    73. 

  73. 

  74.     Kerberos principal to use when connecting to a secured HDFS cluster.
    75. 

  75.     If you are using a service principal for your elasticsearch node, you may
    76. 

  76.     use the `_HOST` pattern in the principal name and the plugin will replace
    77. 

  77.     the pattern with the hostname of the node at runtime (see
    78. 

  78.     link:repository-hdfs-security-runtime[Creating the Secure Repository]).
    79. 

  79. 

  80. `replication_factor`::
    81. 

  81. 

  82.     The replication factor for all new HDFS files created by this repository.
    83. 

  83.     Must be greater or equal to `dfs.replication.min` and less or equal to `dfs.replication.max` HDFS option.
    84. 

  84.     Defaults to using HDFS cluster setting.
    85. 

  85. 

  86. [[repository-hdfs-availability]]
    87. 

  87. [discrete]
    88. 

  88. ===== A note on HDFS availability
    89. 

  89. When you initialize a repository, its settings are persisted in the cluster state. When a node comes online, it will
    90. 

  90. attempt to initialize all repositories for which it has settings. If your cluster has an HDFS repository configured, then
    91. 

  91. all nodes in the cluster must be able to reach HDFS when starting. If not, then the node will fail to initialize the
    92. 

  92. repository at start up and the repository will be unusable. If this happens, you will need to remove and re-add the
    93. 

  93. repository or restart the offending node.
    94. 

  94. 

  95. [[repository-hdfs-security]]
    96. 

  96. ==== Hadoop security
    97. 

  97. 

  98. The HDFS repository plugin integrates seamlessly with Hadoop's authentication model. The following authentication
    99. 

  99. methods are supported by the plugin:
    100. 

  100. 

  101. [horizontal]
    102. 

  102. `simple`::
    103. 

  103. 

  104.     Also means "no security" and is enabled by default. Uses information from underlying operating system account
    105. 

  105.     running Elasticsearch to inform Hadoop of the name of the current user. Hadoop makes no attempts to verify this
    106. 

  106.     information.
    107. 

  107. 

  108. `kerberos`::
    109. 

  109. 

  110.     Authenticates to Hadoop through the usage of a Kerberos principal and keytab. Interfacing with HDFS clusters
    111. 

  111.     secured with Kerberos requires a few additional steps to enable (See <<repository-hdfs-security-keytabs>> and
    112. 

  112.     <<repository-hdfs-security-runtime>> for more info)
    113. 

  113. 

  114. [[repository-hdfs-security-keytabs]]
    115. 

  115. [discrete]
    116. 

  116. ===== Principals and keytabs
    117. 

  117. Before attempting to connect to a secured HDFS cluster, provision the Kerberos principals and keytabs that the
    118. 

  118. Elasticsearch nodes will use for authenticating to Kerberos. For maximum security and to avoid tripping up the Kerberos
    119. 

  119. replay protection, you should create a service principal per node, following the pattern of
    120. 

  120. `elasticsearch/hostname@REALM`.
    121. 

  121. 

  122. WARNING: In some cases, if the same principal is authenticating from multiple clients at once, services may reject
    123. 

  123. authentication for those principals under the assumption that they could be replay attacks. If you are running the
    124. 

  124. plugin in production with multiple nodes you should be using a unique service principal for each node.
    125. 

  125. 

  126. On each Elasticsearch node, place the appropriate keytab file in the node's configuration location under the
    127. 

  127. `repository-hdfs` directory using the name `krb5.keytab`:
    128. 

  128. 

  129. [source, bash]
    130. 

  130. ----
    131. 

  131. $> cd elasticsearch/config
    132. 

  132. $> ls
    133. 

  133. elasticsearch.yml  jvm.options        log4j2.properties  repository-hdfs/   scripts/
    134. 

  134. $> cd repository-hdfs
    135. 

  135. $> ls
    136. 

  136. krb5.keytab
    137. 

  137. ----
    138. 

  138. // TEST[skip:this is for demonstration purposes only
    139. 

  139. 

  140. NOTE: Make sure you have the correct keytabs! If you are using a service principal per node (like
    141. 

  141. `elasticsearch/hostname@REALM`) then each node will need its own unique keytab file for the principal assigned to that
    142. 

  142. host!
    143. 

  143. 

  144. // Setup at runtime (principal name)
    145. 

  145. [[repository-hdfs-security-runtime]]
    146. 

  146. [discrete]
    147. 

  147. ===== Creating the secure repository
    148. 

  148. Once your keytab files are in place and your cluster is started, creating a secured HDFS repository is simple. Just
    149. 

  149. add the name of the principal that you will be authenticating as in the repository settings under the
    150. 

  150. `security.principal` option:
    151. 

  151. 

  152. [source,console]
    153. 

  153. ----
    154. 

  154. PUT _snapshot/my_hdfs_repository
    155. 

  155. {
    156. 

  156.   "type": "hdfs",
    157. 

  157.   "settings": {
    158. 

  158.     "uri": "hdfs://namenode:8020/",
    159. 

  159.     "path": "/user/elasticsearch/repositories/my_hdfs_repository",
    160. 

  160.     "security.principal": "elasticsearch@REALM"
    161. 

  161.   }
    162. 

  162. }
    163. 

  163. ----
    164. 

  164. // TEST[skip:we don't have hdfs set up while testing this]
    165. 

  165. 

  166. If you are using different service principals for each node, you can use the `_HOST` pattern in your principal
    167. 

  167. name. Elasticsearch will automatically replace the pattern with the hostname of the node at runtime:
    168. 

  168. 

  169. [source,console]
    170. 

  170. ----
    171. 

  171. PUT _snapshot/my_hdfs_repository
    172. 

  172. {
    173. 

  173.   "type": "hdfs",
    174. 

  174.   "settings": {
    175. 

  175.     "uri": "hdfs://namenode:8020/",
    176. 

  176.     "path": "/user/elasticsearch/repositories/my_hdfs_repository",
    177. 

  177.     "security.principal": "elasticsearch/_HOST@REALM"
    178. 

  178.   }
    179. 

  179. }
    180. 

  180. ----
    181. 

  181. // TEST[skip:we don't have hdfs set up while testing this]
    182. 

  182. 

  183. [[repository-hdfs-security-authorization]]
    184. 

  184. [discrete]
    185. 

  185. ===== Authorization
    186. 

  186. Once Elasticsearch is connected and authenticated to HDFS, HDFS will infer a username to use for
    187. 

  187. authorizing file access for the client. By default, it picks this username from the primary part of
    188. 

  188. the kerberos principal used to authenticate to the service. For example, in the case of a principal
    189. 

  189. like `elasticsearch@REALM` or `elasticsearch/hostname@REALM` then the username that HDFS
    190. 

  190. extracts for file access checks will be `elasticsearch`.
    191. 

  191. 

  192. NOTE: The repository plugin makes no assumptions of what Elasticsearch's principal name is. The main fragment of the
    193. 

  193. Kerberos principal is not required to be `elasticsearch`. If you have a principal or service name that works better
    194. 

  194. for you or your organization then feel free to use it instead!
    195.