Configuring Livy server for Hadoop Spark access¶
After installing Livy server, there are main 3 aspects you need to configure on Apache Livy server for Anaconda Enterprise users to be able to access Hadoop Spark within Anaconda Enterprise:
If the Hadoop cluster is configured to use Kerberos authentication, you’ll need to allow Livy to access the services. Additionally, you can configure Livy as a secure endpoint. For more information, see Configuring Livy to use HTTPS below.
Configuring Livy impersonation¶
To enable users to run Spark sessions within Anaconda Enterprise, they need to be able to log in to each machine in the Spark cluster. The easiest way to accomplish this is to configure Livy impersonation as follows:
Add
Hadoop.proxyuser.livy
to your authenticated hosts, users, or groups.Check the option to
Allow Livy to impersonate users
and set the value to all (*
), or a list of specific users or groups.
If impersonation is not enabled, the user executing the livy-server (livy
) must exist on every machine. You can add this user to each machine by running the following command on each node:
Note
If you have any problems configuring Livy, try setting the log level to DEBUG
in the conf/log4j.properties
file.
Configuring cluster access¶
Livy server enables users to submit jobs from any remote machine or analytics cluster—even where a Spark client is not available—without requiring you to install Jupyter and Anaconda directly on an edge node in the Spark cluster.
To configure Livy server, put the following environment variables into a user’s .bashrc file
, or the conf/livy-env.sh
file that’s used to configure the Livy server.
These values are accurate for a Cloudera install of Spark with Java version 1.8:
Note that the port parameter that’s defined as livy.server.port
in conf/livy-env.sh
is the same port that will generally appear in the Sparkmagic user configuration.
The minimum required parameter is livy.spark.master
. Other possible values include the following:
local[*]
—for testing purposesyarn-cluster
—for using with the YARN resource allocation systema full spark URI like
spark://masterhost:7077
—if the spark scheduler is on a different host.
Example with YARN:
The YARN deployment mode is set to cluster
for Livy. The livy.conf
file, typically located in $LIVY_HOME/conf/livy.conf
, may include settings similar to the following:
After configuring Livy server, you’ll need to restart it:
Consider using a process control mechanism to restart Livy server, to ensure that it’s reliably restarted in the event of a failure.
Using Livy with Kerberos authentication¶
If the Hadoop cluster is configured to use Kerberos authentication, you’ll need to do the following to allow Livy to access the services:
Generate 2 keytabs for Apache Livy using
kadmin.local
.
IMPORTANT: The keytab principals for Livy must match the hostname that the Livy server is deployed on, or you’ll see the following exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentials)
.
These are hostname and domain dependent, so edit the following example according to your Kerberos settings:
This will generate two files: livy-ip-172-31-3-131.ec2.internal.keytab
and HTTP-ip-172-31-3-131.ec2.internal.keytab
.
Change the permissions of these two files so they can be read by
livy-server
.Enable Kerberos authentication and reference these two keytab files in the
conf/livy.conf
configuration file, as shown:
NOTES:
The hostname and domain are not the same—verify that they match your Kerberos configuration.
livy.server.access-control.enabled = true
is only required if you’re going to also whitelist the allowed users with thelivy.server.access-control.allowed-users <user>
key.
Configuring project access¶
After you’ve installed Livy and configured cluster access, some additional configuration is required before Anaconda Enterprise users will be able to connect to a remote Hadoop Spark cluster from within their projects. For more information, see Connecting to the Hadoop Spark ecosystem.
If the Hadoop installation used Kerberos authentication, add the
krb5.conf
to the global configuration using the following command:To use Sparkmagic, pass two flags to the previous command to configure a Sparkmagic configuration file:
This creates a yaml file—anaconda-config-files-secret.yaml
—with the data converted for Anaconda Enterprise.
Use the following command to upload the yaml file to the server:
To update the Anaconda Enterprise server with your changes, run the following command to identify the pod associated with the workspace services:
Restart the workspace services by running:
Now, whenever a new project is created, /etc/krb5.conf
will be populated with the appropriate data.
Configuring Livy to use HTTPS¶
If you want to use Sparkmagic to communicate with Livy via HTTPS, you need to do the following to configure Livy as a secure endpoint:
Generate a keystore file, certificate, and truststore file for the Livy server—or use a third-party SSL certificate.
Update Livy with the keystore details.
Update your Sparkmagic configuration.
Restart the Livy server.
If you’re using a self-signed certificate:
Generate a keystore file for Livy server using the following command:
Create a certificate:
Create a truststore file:
Update
livy.conf
with the keystore details. For example:Update
~/.sparkmagic/config.json
. For example:
Note
In this example, ignore_ssl_errors
is set to true
because this configuration uses self-signed certificates. Your production cluster setup may be different.
Warning
If you misconfigure a .json
file, all Sparkmagic kernels will fail to launch. You can test your Sparkmagic configuration by running the following Python command in an interactive shell: python -m json.tool config.json
.
If you have formatted the JSON correctly, this command will run without error. Additional edits may be required, depending on your Livy settings.
Restart the Livy server.
The Livy server should now be accessible over https. For example, https://<livy host>:<livy port>
.
To test your SSL-enabled Livy server, run the following Python code in an interactive shell to create a session:
Run the following Python code to verify the status of the session:
Then submit the following statement:
If you’re using a third-party certificate:
Note
Ensure that Java JDK is installed on the Livy server.
Create the
keystore.p12
file using the following command:Use the following command to create the
keystore.jks
file:If you don’t already have the
rootca.crt
, you can run the following command to extract it from your Anaconda Enterprise installation:Add the
rootca.crt
to thekeystore.jks
file:Add the
keystore.jks
file to thelivy.conf
file. For example:Restart the Livy server.
Run the following command to verify that you can connect to the Livy server (using your actual host and port):
If running this command returns
0
, you’ve successfully configured Livy to use HTTPS.
To add the trusted root certificate to the AE server, do the following:
Install the
ca-certificates
package:Enable dynamic CA configuration:
Add your
rootca.crt
as a new file:Update the certificate authority trust:
To connect to Livy within a session, open the project and run the following command in an interactive shell:
You can also edit the anaconda-project.yml
file for the project and set the environment variable there. See Hadoop / Spark for more information.