Updated on 2024-11-29 GMT+08:00

Synchronizing Index Owner Group

Scenario

  • This section describes how to add owner information to indexes that were created in an Elasticsearch cluster using Ranger-based authentication, in an MRS cluster in security or non-security mode. With the owner information in place, authentication works properly both when the Elasticsearch cluster is switched from non-security mode to security mode with user- and role-based authentication, and when Ranger-based authentication is switched to user- and role-based authentication in security mode.
  • For an MRS cluster in security mode, this section also describes how to check whether the indexes in the Elasticsearch cluster in security mode are consistent with those in ZooKeeper. In addition, you can add, update, and delete the mapping between indexes and owners saved in ZooKeeper.

    If only the Elasticsearch cluster in security mode needs to be operated, you can go directly to 11 to check, add, update, and delete the mapping between indexes and owners saved in ZooKeeper.

Prerequisites

  • If an MRS cluster needs to be converted from non-security mode to security mode, or an Elasticsearch cluster in an MRS cluster in security mode needs to be converted from non-security mode to security mode, obtain the list of indexes created in the non-secure Elasticsearch cluster before the conversion.
  • The Elasticsearch client has been installed in a directory, for example, /opt/client.

Procedure

Obtain Corresponding Information in the Elasticsearch Cluster in Non-Security Mode

  1. Log in to the node where the Elasticsearch client has been installed. Run the following commands to configure environment variables and go to the conf directory where the Elasticsearch client is located:

    source /opt/client/bigdata_env

    cd /opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf

  2. Run the following command to open the es-example.properties configuration file to be modified:

    vi es-example.properties

  3. Set EsServerHost to the instance that connects to the Elasticsearch cluster.

    EsServerHost=ip1:port1,ip2:port2...

    For details about how to obtain the parameters, see Table 1.

  4. Set IsSecureMode to false.

    IsSecureMode=false

  5. Run the following command to return to the tool directory:

    cd /opt/client/Elasticsearch/tools/elasticsearch-synindextool

  6. Run the following command to obtain the index information of the current Elasticsearch cluster:

    java -Dlog4j.configuration=file:/opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf/log4j.properties -cp /opt/client/Elasticsearch/tools/elasticsearch-synindextool/lib/*:/opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf/ com.*.fusioninsight.elasticsearch.synindex.SynIndex

  7. After the execution is complete, the output directory is generated in the tool path. Check whether the indexesInES.txt file is generated and whether all index names of the Elasticsearch cluster are written in the file.

    • If yes, go to 9.
    • If no, go to 8.

  8. View the synIndexTool.log file in the logs directory of the tool path, find the cause, rectify the fault, and go to 9.

Change the Elasticsearch Cluster from the Non-Security Mode to the Security Mode

  1. Log in to Manager, choose Cluster > Name of the desired cluster > Services > Elasticsearch > Configurations > All Configurations.
  2. Set ELASTICSEARCH_SECURITY_ENABLE to true. Save the configuration and restart the Elasticsearch service.

Obtain the Owner Information After the Elasticsearch Cluster Is Switched to the Security Mode

  1. Log in to any host where the Elasticsearch client and Elasticsearch instance have been installed, and run the following command to go to the conf directory where Elasticsearch is stored:

    cd /opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf

  2. Obtain certificate files required for authentication.

    1. Run the following command to copy the elasticsearch.keytab file from the directory of any instance on the node, for example, EsMaster:

      cp ${BIGDATA_HOME}/FusionInsight_Elasticsearch_8.1.0.1/install/FusionInsight-Elasticsearch-7.10.2/keytabs/EsMaster/elasticsearch.keytab ./

    2. Run the following command to copy the krb5.conf file from the directory of the KerberosClient instance:

      cp ${BIGDATA_HOME}/FusionInsight_BASE_8.1.0.1/*_*_KerberosClient/etc/krb5.conf ./

  3. Run the following command to open the jaas.conf configuration file:

    vi jaas.conf

  4. Change the value of keyTab to the absolute path of the elasticsearch.keytab file.

    keyTab="/opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf/elasticsearch.keytab"

  5. Change the value of principal to elasticsearch/hadoop.<System domain name>@<System domain name>.

    • You can log in to Manager, choose System > Permission > Domain and Mutual Trust, and view the value of Local Domain, which is the current system domain name.
    • elasticsearch/hadoop.<System domain name> indicates the username. All letters in the system domain name need to be converted into lowercase for the username. For example, if Local Domain is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM, the username is set to elasticsearch/hadoop.9427068f-6efa-4833-b43e-60cb641e5b6c.com.

  6. Run the following command to open the es-example.properties configuration file to be modified:

    vi es-example.properties

    Modify the following parameters. For details about the configuration items and how to obtain the values, see Table 1.

    IsSecureMode=true
    EsServerHost=ip1:port1,ip2:port2...
    ZkHostList=ip1:2181,ip2:2181,ip3:2181
    MutiServiceName=elasticsearch

    Table 1 Parameters in the es-example.properties file

    | Parameter | Default Value | Description | How to Obtain |
    | --- | --- | --- | --- |
    | IsSecureMode | false | Indicates whether to enable the security mode for the client. true indicates that the security mode is enabled, and false indicates that the security mode is disabled. | - |
    | EsServerHost | ip1:port1,ip2:port2,ip3:port3... | Indicates the list of combinations of the IP addresses of nodes in the Elasticsearch cluster and the HTTP ports of the Elasticsearch instances installed on the nodes, except EsMaster instances. | Log in to Manager, choose Cluster > Name of the desired cluster > Services > Elasticsearch > Configurations > All Configurations, select any instance other than EsMaster, click Instance List, and check the value of the INSTANCE_SERVER_PORT_LIST parameter. |
    | maxRetryTimeoutMillis | 60000 | Indicates the timeout interval for multiple retries of the same request sent to the Elasticsearch cluster. The unit is millisecond. | - |
    | connectTimeout | 5000 | Indicates the timeout interval for the connection between the Elasticsearch client and the Elasticsearch server. The unit is millisecond. | - |
    | socketTimeout | 60000 | Indicates the timeout interval for the Elasticsearch client to obtain a response from the Elasticsearch server. The unit is millisecond. | - |
    | ZkHostList | ip1:2181,ip2:2181,ip3:2181 | Indicates the list of IP addresses and port numbers of nodes where ZooKeeper instances are located. | Log in to Manager, choose Cluster > Name of the desired cluster > Services > ZooKeeper > Instance, and check the IP address of the host where the quorumpeer instance is installed. |
    | IndexOwner | - | Indicates that the same owner name is assigned to all indexes in AddIndexOwnerListToZK. Ensure that the owner information is correct. The value of AddIndexOwnerListToZK is an index list, for example, index1, index2... | - |
    | AddIndexOwnerListToZK | index1#owner1,index2#owner2... | Indicates that if IndexOwner is not set, values are assigned to a list in the format of index1#owner1. # is used to separate an index from owner information. That is, owner1 is added to index1. | - |
    | DeleteExtraIndexInZK | false | Indicates that when index information is output in the indexesExtraInZK.txt file in the output directory, you can set DeleteExtraIndexInZK to true to automatically delete redundant index information on ZooKeeper. | - |
    | MutiServiceName | elasticsearch | Indicates the service name of the Elasticsearch cluster. | Log in to Manager, choose Cluster > Name of the desired cluster > Services > Elasticsearch > Configurations > All Configurations. Select any instance, set the configuration to Default. Assign MutiServiceName to the muti.cluster.service.name parameter. |

  7. Determine whether to add the same owner for all indexes in the generated IndexesInES.txt file.

    • If yes, assign all index names in the IndexesInES.txt file to the AddIndexOwnerListToZK parameter, separate the index names with commas (,), and assign the owner name to the IndexOwner parameter.
    • If no, assign a value in the format of index1#owner1,index2#owner2,index3#owner3... to the AddIndexOwnerListToZK parameter. Separate the index name and owner name with #, and clear the value of IndexOwner.

  8. Run the following command to return to the tool directory:

    cd /opt/client/Elasticsearch/tools/elasticsearch-synindextool/

  9. Run the following command to obtain the index information of the current Elasticsearch cluster:

    java -Dlog4j.configuration=file:/opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf/log4j.properties -cp /opt/client/Elasticsearch/tools/elasticsearch-synindextool/lib/*:/opt/client/Elasticsearch/tools/elasticsearch-synindextool/conf/ com.*.fusioninsight.elasticsearch.synindex.SynIndex
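
A pre-flight check for steps 5 and 7 above, as an added example that is not part of the tool or of the original page: it builds the principal from the Local Domain value and verifies that the AddIndexOwnerListToZK entries match the format required by the IndexOwner setting. The function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before running SynIndex in security mode.

# Print the value of property $2 in file $1 (last assignment wins).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r '
}

# jaas.conf principal for a Manager "Local Domain" value: the username part
# is lowercased, the realm after @ is kept as displayed.
principal_for_domain() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'elasticsearch/hadoop.%s@%s\n' "$lower" "$1"
}

# Return 0 if every AddIndexOwnerListToZK entry has the form that matches
# IndexOwner (bare index names if set, index#owner if empty), else 1.
check_owner_config() (
    set -f                      # index names must not be glob-expanded
    owner=$(prop "$1" IndexOwner)
    list=$(prop "$1" AddIndexOwnerListToZK)
    bad=0
    IFS=,
    for entry in $list; do
        [ -n "$entry" ] || continue
        if [ -n "$owner" ]; then
            case $entry in
                *'#'*) echo "IndexOwner is set: '$entry' must be a bare index name" >&2; bad=1 ;;
            esac
        else
            case $entry in
                *'#'*'#'* | '#'* | *'#') echo "malformed entry '$entry'" >&2; bad=1 ;;
                *'#'*) ;;       # exactly one '#', both sides non-empty
                *) echo "IndexOwner is empty: '$entry' needs the form index#owner" >&2; bad=1 ;;
            esac
        fi
    done
    exit "$bad"
)

# Constructed sample: IndexOwner cleared, second entry lacks its owner.
sample=$(mktemp)
printf 'IsSecureMode=true\nIndexOwner=\nAddIndexOwnerListToZK=index1#owner1,index2\n' > "$sample"
principal_for_domain 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM
check_owner_config "$sample" || echo "fix es-example.properties before running the tool"
rm -f "$sample"
```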

Check the Configuration Result

  1. Check whether the synIndexTool.log file in the logs directory in the path where the tool is located contains ERROR or an error message. If it does, rectify the fault based on the error information.
  2. Check the errorInput.txt file in the output directory in the path where the tool is located. Correct the format of the entries listed in the errorInput.txt file, assign them to the corresponding parameters, and then repeat 16 to 19.
  3. Check the indexesMissInZK.txt file in the output directory of the path where the tool is located. If the file contains index information, some index information in the Elasticsearch cluster is missing on ZooKeeper. That is, some indexes have no owner information. In this case, repeat 16 to 19 to add owner information to the missing indexes.
  4. Check the indexesExtraInZK.txt file in the output directory. If the file contains index information, ZooKeeper holds index information that does not exist in the Elasticsearch cluster. To keep the index information on Elasticsearch consistent with that on ZooKeeper, modify the es-example.properties configuration file, clear the IndexOwner and AddIndexOwnerListToZK parameters, set DeleteExtraIndexInZK to true, and repeat 16 to 19.

    If DeleteExtraIndexInZK is set to true but no extra index exists in ZooKeeper, no action is performed.

  5. After the tool is executed, if the synIndexTool.log file does not contain error information and the errorInput.txt, indexesMissInZK.txt, and indexesExtraInZK.txt files are empty, the index synchronization is successful after the Elasticsearch cluster is switched to the security mode.
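
The five checks above combined into one pass over the tool directory, as an added example that is not part of the tool or of the original page. The function names are hypothetical, and treating a missing output file as empty is an assumption; the sample run is constructed.

```shell
#!/bin/sh
# Added example: decide whether one SynIndex run succeeded.

# Count non-blank lines in a file; a missing file counts as empty (assumption).
entries() {
    if [ -f "$1" ]; then grep -c '[^[:space:]]' "$1" || true; else echo 0; fi
}

# $1 is the tool directory holding logs/ and output/.
# Returns 0 only if all success conditions of step 5 hold, else 1.
check_sync_result() (
    log=$1/logs/synIndexTool.log
    if [ ! -f "$log" ]; then
        echo "FAIL: $log not found, the tool may not have run"
        exit 1
    fi
    rc=0
    n=$(grep -c 'ERROR' "$log" || true)
    if [ "$n" -ne 0 ]; then
        echo "FAIL: synIndexTool.log has $n ERROR line(s)"
        rc=1
    fi
    for f in errorInput.txt indexesMissInZK.txt indexesExtraInZK.txt; do
        n=$(entries "$1/output/$f")
        [ "$n" -ne 0 ] || continue
        rc=1
        case $f in
            errorInput.txt) hint="correct the format of these entries" ;;
            indexesMissInZK.txt) hint="add owner information for these indexes" ;;
            *) hint="clear IndexOwner and AddIndexOwnerListToZK, set DeleteExtraIndexInZK=true" ;;
        esac
        echo "FAIL: $f lists $n item(s): $hint, then rerun the tool"
    done
    [ "$rc" -ne 0 ] || echo "OK: index owner information is synchronized"
    exit "$rc"
)

# Constructed sample run: clean log, one index still without an owner in ZooKeeper.
demo=$(mktemp -d)
mkdir -p "$demo/logs" "$demo/output"
printf 'INFO sync finished\n' > "$demo/logs/synIndexTool.log"
printf 'app-logs-2024\n' > "$demo/output/indexesMissInZK.txt"
check_sync_result "$demo" || true
rm -rf "$demo"
```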