| <?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.1.1">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2021-06-22T14:15:16-07:00</updated><id>/feed.xml</id><entry><title type="html">Apache Kudu 1.15.0 Released</title><link href="/2021/06/22/apache-kudu-1-15-0-released.html" rel="alternate" type="text/html" title="Apache Kudu 1.15.0 Released" /><published>2021-06-22T00:00:00-07:00</published><updated>2021-06-22T00:00:00-07:00</updated><id>/2021/06/22/apache-kudu-1-15-0-released</id><content type="html" xml:base="/2021/06/22/apache-kudu-1-15-0-released.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.15.0!</p> |
| |
| <p>The new release adds several new features and improvements, including the |
| following:</p> |
| |
| <!--more--> |
| |
| <ul> |
| <li> |
| <p>Kudu now experimentally supports multi-row transactions. Currently only <code class="language-plaintext highlighter-rouge">INSERT</code> and |
| <code class="language-plaintext highlighter-rouge">INSERT_IGNORE</code> operations are supported. |
| See <a href="https://github.com/apache/kudu/blob/master/docs/design-docs/transactions.adoc">here</a> for a |
| design overview of this feature.</p> |
| </li> |
| <li> |
| <p>Kudu now supports Raft configuration change for Kudu masters and CLI tools for orchestrating |
| addition and removal of masters in a Kudu cluster. These tools substantially simplify the process |
| of migrating to multiple masters, recovering a dead master and removing masters from a Kudu |
| cluster. For detailed steps, see the latest administration documentation. This feature is evolving |
| and the steps to add, remove and recover masters may change in the future. |
| See <a href="https://issues.apache.org/jira/browse/KUDU-2181">KUDU-2181</a> for details.</p> |
| </li> |
| <li> |
| <p>Kudu now supports table comments directly on Kudu tables which are automatically synchronized |
| when the Hive Metastore integration is enabled. These comments can be added at table creation time |
| and changed via table alteration.</p> |
| </li> |
| <li> |
| <p>Kudu now experimentally supports per-table size limits based on leader disk space usage or number |
| of rows. When generating new authorization tokens, Masters will now consider the size limits and |
| strip tokens of <code class="language-plaintext highlighter-rouge">INSERT</code> and <code class="language-plaintext highlighter-rouge">UPDATE</code> privileges if either limit is reached. To enable this |
| feature, set the <code class="language-plaintext highlighter-rouge">--enable_table_write_limit</code> master flag; adjust the <code class="language-plaintext highlighter-rouge">--table_disk_size_limit</code> |
| and <code class="language-plaintext highlighter-rouge">--table_row_count_limit</code> flags as desired or use the <code class="language-plaintext highlighter-rouge">kudu table set_limit</code> tool to set |
| limits per table.</p> |
| </li> |
| <li> |
| <p>It is now possible to change the Kerberos Service Principal Name using the <code class="language-plaintext highlighter-rouge">--principal</code> flag. The |
| default SPN is still <code class="language-plaintext highlighter-rouge">kudu/_HOST</code>. Clients connecting to a cluster using a non-default SPN must |
| set the <code class="language-plaintext highlighter-rouge">sasl_protocol_name</code> or <code class="language-plaintext highlighter-rouge">saslProtocolName</code> to match the SPN base |
| (i.e. “kudu” if the SPN is “kudu/_HOST”) in the client builder or the Kudu CLI. |
| See <a href="https://issues.apache.org/jira/browse/KUDU-1884">KUDU-1884</a> for details.</p> |
| </li> |
| <li> |
| <p>Kudu RPC now supports TLSv1.3. Kudu servers and clients automatically negotiate TLSv1.3 for Kudu |
| RPC if OpenSSL (or Java runtime correspondingly) on each side supports TLSv1.3. |
| If necessary, use the newly introduced flag <code class="language-plaintext highlighter-rouge">--rpc_tls_ciphersuites</code> to customize TLSv1.3-specific |
| cipher suites at the server side. |
| See <a href="https://issues.apache.org/jira/browse/KUDU-2871">KUDU-2871</a> for details.</p> |
| </li> |
| </ul> |
| |
| <p>The above is just a list of the highlights, for a more complete list of new |
| features, improvements and fixes please refer to the <a href="/releases/1.15.0/docs/release_notes.html">release |
| notes</a>.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.15.0, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.15.0">1.15.0 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.15.0/docs/installation.html#build_from_source">1.15.0 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.15.0">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally, experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>, including for AArch64-based |
| architectures (ARM).</p></content><author><name>Bankim Bhavsar</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.15.0! The new release adds several new features and improvements, including the following:</summary></entry><entry><title type="html">Apache Kudu 1.14.0 Released</title><link href="/2021/01/28/apache-kudu-1-14-0-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.14.0 Released" /><published>2021-01-28T00:00:00-08:00</published><updated>2021-01-28T00:00:00-08:00</updated><id>/2021/01/28/apache-kudu-1-14-0-release</id><content type="html" xml:base="/2021/01/28/apache-kudu-1-14-0-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.14.0!</p> |
| |
| <p>The new release adds several new features and improvements, including the |
| following:</p> |
| |
| <!--more--> |
| |
| <ul> |
| <li> |
| <p>Full support for <code class="language-plaintext highlighter-rouge">INSERT_IGNORE</code>, <code class="language-plaintext highlighter-rouge">UPDATE_IGNORE</code>, and <code class="language-plaintext highlighter-rouge">DELETE_IGNORE</code> operations |
| was added. The <code class="language-plaintext highlighter-rouge">INSERT_IGNORE</code> operation will insert a row if one matching the key |
| does not exist and ignore the operation if one already exists. The <code class="language-plaintext highlighter-rouge">UPDATE_IGNORE</code> |
| operation will update the row if one matching the key exists and ignore the operation |
| if one does not exist. The <code class="language-plaintext highlighter-rouge">DELETE_IGNORE</code> operation will delete the row if one matching |
| the key exists and ignore the operation if one does not exist. These operations are |
| particularly useful in situations where retries or duplicate operations could occur and |
| you do not want to handle the errors that could result manually or you do not want to cause |
| unnecessary writes and compaction work as a result of using the <code class="language-plaintext highlighter-rouge">UPSERT</code> operation. |
| The Java client can check if the cluster it is communicating with supports these operations |
| by calling the <code class="language-plaintext highlighter-rouge">supportsIgnoreOperations()</code> method on the KuduClient.</p> |
| </li> |
| <li> |
| <p>Spark 3 compatible JARs compiled for Scala 2.12 are now published for the Kudu Spark integration. |
| See <a href="https://issues.apache.org/jira/browse/KUDU-3202">KUDU-3202</a> for more details.</p> |
| </li> |
| <li> |
| <p>Every Kudu cluster now has an automatically generated cluster Id that can be used to uniquely |
| identify a cluster. The cluster Id is shown in the masters web-UI, the <code class="language-plaintext highlighter-rouge">kudu master list</code> tool, |
| and in master server logs.</p> |
| </li> |
| <li> |
| <p>Downloading the WAL data and data blocks when copying tablets to another tablet server is now |
| parallelized, resulting in much faster tablet copy operations. These operations occur when |
| recovering from a down tablet server or when running the cluster rebalancer.</p> |
| </li> |
| <li> |
| <p>The HMS integration now supports multiple Kudu clusters associated with a single HMS |
| including Kudu clusters that do not have HMS synchronization enabled. This is possible, |
| because the Kudu master will now leverage the cluster Id to ignore notifications from |
| tables in a different cluster. Additionally, the HMS plugin will check if the Kudu cluster |
| associated with a table has HMS synchronization enabled.</p> |
| </li> |
| <li> |
| <p>DeltaMemStores will now be flushed as long as any DMS in a tablet is older than the point |
| defined by <code class="language-plaintext highlighter-rouge">--flush_threshold_secs</code>, rather than flushing once every <code class="language-plaintext highlighter-rouge">--flush_threshold_secs</code> |
| period. This can reduce memory pressure under update- or delete-heavy workloads, and lower tablet |
| server restart times following such workloads.</p> |
| </li> |
| </ul> |
| |
| <p>The above is just a list of the highlights, for a more complete list of new |
| features, improvements and fixes please refer to the <a href="/releases/1.14.0/docs/release_notes.html">release |
| notes</a>.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.14.0, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.14.0">1.14.0 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.14.0/docs/installation.html#build_from_source">1.14.0 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.14.0">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally, experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>, including for AArch64-based |
| architectures (ARM).</p></content><author><name>Grant Henke</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.14.0! The new release adds several new features and improvements, including the following:</summary></entry><entry><title type="html">Optimized joins &amp; filtering with Bloom filter predicate in Kudu</title><link href="/2021/01/15/bloom-filter-predicate.html" rel="alternate" type="text/html" title="Optimized joins &amp; filtering with Bloom filter predicate in Kudu" /><published>2021-01-15T00:00:00-08:00</published><updated>2021-01-15T00:00:00-08:00</updated><id>/2021/01/15/bloom-filter-predicate</id><content type="html" xml:base="/2021/01/15/bloom-filter-predicate.html"><p>Note: This is a cross-post from the Cloudera Engineering Blog |
| <a href="https://blog.cloudera.com/optimized-joins-filtering-with-bloom-filter-predicate-in-kudu/">Optimized joins &amp; filtering with Bloom filter predicate in Kudu</a></p> |
| |
| <p>Cloudera’s CDP Runtime version 7.1.5 maps to Apache Kudu 1.13 and upcoming Apache Impala 4.0</p> |
| |
| <h2 id="introduction">Introduction</h2> |
| <p>In database systems one of the most effective ways to improve performance is to avoid doing |
| unnecessary work, such as network transfers and reading data from disk. One of the ways Apache |
| Kudu achieves this is by supporting column predicates with scanners. Pushing down column predicate |
| filters to Kudu allows for optimized execution by skipping reading column values for filtered out |
| rows and reducing network IO between a client, like the distributed query engine Apache Impala, and |
| Kudu. See the documentation on |
| <a href="https://docs.cloudera.com/runtime/latest/impala-reference/topics/impala-runtime-filtering.html">runtime filtering in Impala</a> |
| for details.</p> |
| |
| <p>CDP Runtime 7.1.5 and CDP Public Cloud added support for Bloom filter column predicate pushdown in |
| Kudu and the associated integration in Impala.</p> |
| |
| <!--more--> |
| |
| <h2 id="bloom-filter">Bloom filter</h2> |
| <p>A Bloom filter is a space-efficient probabilistic data structure used to test set membership with a |
| possibility of false positive matches. In database systems these are used to determine whether a |
| set of data can be ignored when only a subset of the records are required. See the |
| <a href="https://en.wikipedia.org/wiki/Bloom_filter">wikipedia page</a> for more details.</p> |
| |
| <p>The implementation used in Kudu is a space, hash, and cache efficient block-based Bloom filter from |
| <a href="https://www.cs.amherst.edu/~ccmcgeoch/cs34/papers/cacheefficientbloomfilters-jea.pdf">“Cache-, Hash- and Space-Efficient Bloom Filters”</a> |
| by Putze et al. This Bloom filter was taken from the implementation in Impala and further enhanced. |
| The block based Bloom filter is designed to fit in CPU cache, and it allows SIMD operations using |
| AVX2, when available, for efficient lookup and insertion.</p> |
| |
| <p>Consider the case of a broadcast hash join between a small table and a big table where predicate |
| push down is not available. This typically involves following steps:</p> |
| <ol> |
| <li>Read the entire small table and construct a hash table from it.</li> |
| <li>Broadcast the generated hash table to all worker nodes.</li> |
| <li>On the worker nodes start fetching and iterating on slices of the big table, check whether the |
| key in the big table exists in the hash table, and only return the matched rows.</li> |
| </ol> |
| |
| <p>Step 3 is the heaviest since it involves reading the entire big table, and could involve heavy |
| network IO if the worker and the nodes hosting the big table are not on the same server.</p> |
| |
| <p>Before 7.1.5, Impala supported pushing down only the Minimum/Maximum (MIN_MAX) runtime filter to |
| Kudu which filters out values not within the specified bounds. In addition to the MIN_MAX runtime |
| filter, Impala in CDP 7.1.5+ now supports pushing down a runtime Bloom filter to Kudu. With the |
| newly introduced Bloom filter predicate support in Kudu, Impala can use this feature to perform |
| drastically more efficient joins for data stored in Kudu. |
| Performance |
| As in the scenario described above, we ran a Impala query which joins a big table stored on Kudu |
| and a small table stored as Parquet on HDFS. The small table was created using Parquet on HDFS to |
| isolate the new feature, but could also be stored in Kudu just the same. We ran the queries first |
| using only the MIN_MAX filter and then using both the MIN_MAX and BLOOM filter |
| (ALL runtime filters). For comparison, we created the same big table in Parquet on HDFS. Using |
| Parquet on HDFS is a great baseline for comparison because Impala already supports both MIN_MAX and |
| BLOOM filters for Parquet on HDFS.</p> |
| |
| <h2 id="setup">Setup</h2> |
| <p>The following test was performed on a 6 node cluster with CDP Runtime 7.1.5.</p> |
| |
| <p>Hardware Configuration: |
| <code class="language-plaintext highlighter-rouge">Dell PowerEdge R430, 20c/40t Xeon e5-2630 v4 @ 2.2Ghz, 128GB RAM, 4-2TB HDDs with 1 for WAL and 3 |
| for data directories.</code></p> |
| |
| <h3 id="schema">Schema:</h3> |
| <ul> |
| <li>Big table consists of 260 million rows with randomly generated data hash partitioned by primary |
| key across 20 partitions on Kudu. The Kudu table was explicitly rebalanced to ensure a balanced |
| layout after the load.</li> |
| <li>Small table consists of 2000 rows of top 1000 and bottom 1000 keys from the big table stored as |
| Parquet on HDFS. This prevents the MIN_MAX filters from doing any filtering on the big table as |
| all rows would fall under the range bounds of the MIN_MAX filters.</li> |
| <li>COMPUTE STATS were run on all tables to help gather information about the table metadata and help |
| Impala optimize the query plan.</li> |
| <li>All queries were run 10 times and the mean query runtime is depicted below.</li> |
| </ul> |
| |
| <h2 id="join-queries">Join Queries</h2> |
| <p>For join queries, we saw performance improvements of 3X to 5X in Kudu with Bloom filter predicate |
| pushdown. We expect to see even better performance multiples with larger data sizes and more |
| selective queries.</p> |
| |
| <p>Compared to Parquet on HDFS, Kudu performance is now better by around 17-33%.</p> |
| |
| <p><img src="/img/bloom-filter-join-queries.png" alt="png" class="img-responsive" /></p> |
| |
| <h2 id="update-query">Update Query</h2> |
| <p>For an update query that basically upserts the entire small table into the existing big table, we |
| saw 15X improvement. This is primarily due to the increased query performance when selecting the |
| rows to update.</p> |
| |
| <p><img src="/img/bloom-filter-update-query.png" alt="png" class="img-responsive" /></p> |
| |
| <p>See references section below for details on the table schema, loading process, and queries that were |
| run.</p> |
| |
| <h2 id="tpc-h">TPC-H</h2> |
| <p>We also ran the TPC-H benchmark on a single node cluster with a scale factor of 30 and saw |
| performance improvements in the range of 19% to 31% with different block cache capacity settings.</p> |
| |
| <p>Kudu automatically disables Bloom filter predicates that are not effectively filtering data to avoid |
| any performance penalties from the new feature. During development of the feature, query 9 in the |
| TPCH benchmark (TPCH-Q9) exhibited regression of 50-96%. On further investigation, the time required |
| to scan the rows from Kudu increased by up to 2X. When investigating this regression we found that |
| the Bloom filter predicate that was pushed down was filtering out less than 10% of the rows, leading |
| to increased CPU usage in Kudu which outweighed the benefit of the filter. To resolve the regression |
| we added a heuristic in Kudu wherein if a Bloom filter predicate is not filtering out a sufficient |
| percentage of rows then it’s disabled automatically for the remainder of the scan. This is safe |
| because Bloom filters can return false positives and hence false matches returned to the client are |
| expected to be filtered out using other deterministic filters.</p> |
| |
| <h2 id="feature-availability">Feature Availability</h2> |
| <p>Users querying Kudu using Impala will have the feature enabled by default from CDP 7.1.5 onward |
| and CDP Public Cloud. We highly recommend users upgrade to get this performance enhancement and many |
| other performance enhancements in the release. For custom applications that use the Kudu client API |
| directly, the Kudu C++ client also has the Bloom filter predicate available from CDP 7.1.5 onward. |
| The Kudu Java client does not have the Bloom filter predicate available yet, |
| <a href="https://issues.apache.org/jira/browse/KUDU-3221">KUDU-3221</a>.</p> |
| |
| <h2 id="references">References:</h2> |
| <ul> |
| <li>Performance testing related schema and queries: |
| <a href="https://gist.github.com/bbhavsar/006df9c40b4b0528e297fac29824ceb4">https://gist.github.com/bbhavsar/006df9c40b4b0528e297fac29824ceb4</a></li> |
| <li>Kudu C++ client documentation: |
| <a href="https://kudu.apache.org/cpp-client-api/classkudu_1_1client_1_1KuduTable.html#a356e8d0d10491d4d8540adefac86be94">https://kudu.apache.org/cpp-client-api/classkudu_1_1client_1_1KuduTable.html#a356e8d0d10491d4d8540adefac86be94</a></li> |
| <li>Example code to create and pass Bloom filter predicate: |
| <a href="https://github.com/apache/kudu/blob/master/src/kudu/client/predicate-test.cc#L1416">https://github.com/apache/kudu/blob/master/src/kudu/client/predicate-test.cc#L1416</a></li> |
| <li>Block based Bloom filter: |
| <a href="https://github.com/apache/kudu/blob/master/src/kudu/util/block_bloom_filter.h#L51">https://github.com/apache/kudu/blob/master/src/kudu/util/block_bloom_filter.h#L51</a></li> |
| </ul> |
| |
| <h2 id="acknowledgement">Acknowledgement</h2> |
| <p>This feature was implemented jointly by Bankim Bhavsar and Wenzhe Zhou with guidance and feedback |
| from Tim Armstrong, Adar Dembo, Thomas Tauber-Marshall, Andrew Wong, and Grant Henke. We are also |
| grateful for our customers especially Mauricio Aristizabal from Impact for providing us valuable |
| feedback and benchmarks.</p></content><author><name>Bankim Bhavsar</name></author><summary type="html">Note: This is a cross-post from the Cloudera Engineering Blog Optimized joins &amp; filtering with Bloom filter predicate in Kudu Cloudera’s CDP Runtime version 7.1.5 maps to Apache Kudu 1.13 and upcoming Apache Impala 4.0 Introduction In database systems one of the most effective ways to improve performance is to avoid doing unnecessary work, such as network transfers and reading data from disk. One of the ways Apache Kudu achieves this is by supporting column predicates with scanners. Pushing down column predicate filters to Kudu allows for optimized execution by skipping reading column values for filtered out rows and reducing network IO between a client, like the distributed query engine Apache Impala, and Kudu. See the documentation on runtime filtering in Impala for details. CDP Runtime 7.1.5 and CDP Public Cloud added support for Bloom filter column predicate pushdown in Kudu and the associated integration in Impala.</summary></entry><entry><title type="html">Apache Kudu 1.13.0 released</title><link href="/2020/09/21/apache-kudu-1-13-0-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.13.0 released" /><published>2020-09-21T00:00:00-07:00</published><updated>2020-09-21T00:00:00-07:00</updated><id>/2020/09/21/apache-kudu-1-13-0-release</id><content type="html" xml:base="/2020/09/21/apache-kudu-1-13-0-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.13.0!</p> |
| |
| <p>The new release adds several new features and improvements, including the |
| following:</p> |
| |
| <!--more--> |
| |
| <ul> |
| <li>Added table ownership support. All newly created tables are automatically |
| owned by the user creating them. It is also possible to change the owner by |
| altering the table. You can also assign privileges to table owners via Apache |
| Ranger.</li> |
| <li>An experimental feature is added to Kudu that allows it to automatically |
| rebalance tablet replicas among tablet servers. The background task can be |
| enabled by setting the <code class="language-plaintext highlighter-rouge">--auto_rebalancing_enabled</code> flag on the Kudu masters. |
| Before starting auto-rebalancing on an existing cluster, the CLI rebalancer |
| tool should be run first.</li> |
| <li>Bloom filter column predicate pushdown has been added to allow optimized |
| execution of filters which match on a set of column values with a |
| false-positive rate. Support for Impala queries utilizing Bloom filter |
| predicate is available yielding performance improvements of 19% to 30% in TPC-H |
| benchmarks and around 41% improvement for distributed joins across large |
| tables. Support for Spark is not yet available.</li> |
| <li>ARM-based architectures are now supported.</li> |
| </ul> |
| |
| <p>The above is just a list of the highlights, for a more complete list of new |
| features, improvements and fixes please refer to the <a href="/releases/1.13.0/docs/release_notes.html">release |
| notes</a>.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.13.0, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.13.0">1.13.0 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.13.0/docs/installation.html#build_from_source">1.13.0 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.13.0">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally, experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>, including for AArch64-based |
| architectures (ARM).</p></content><author><name>Attila Bukor</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.13.0! The new release adds several new features and improvements, including the following:</summary></entry><entry><title type="html">Fine-Grained Authorization with Apache Kudu and Apache Ranger</title><link href="/2020/08/11/fine-grained-authz-ranger.html" rel="alternate" type="text/html" title="Fine-Grained Authorization with Apache Kudu and Apache Ranger" /><published>2020-08-11T00:00:00-07:00</published><updated>2020-08-11T00:00:00-07:00</updated><id>/2020/08/11/fine-grained-authz-ranger</id><content type="html" xml:base="/2020/08/11/fine-grained-authz-ranger.html"><p>When Apache Kudu was first released in September 2016, it didn’t support any |
| kind of authorization. Anyone who could access the cluster could do anything |
| they wanted. To remedy this, coarse-grained authorization was added along with |
| authentication in Kudu 1.3.0. This meant allowing only certain users to access |
| Kudu, but those who were allowed access could still do whatever they wanted. The |
| only way to achieve finer-grained access control was to limit access to Apache |
| Impala where access control <a href="/2019/04/22/fine-grained-authorization-with-apache-kudu-and-impala.html">could be enforced</a> by |
| fine-grained policies in Apache Sentry. This method limited how Kudu could be |
| accessed, so we saw a need to implement fine-grained access control in a way |
| that wouldn’t limit access to Impala only.</p> |
| |
| <p>Kudu 1.10.0 integrated with Apache Sentry to enable finer-grained authorization |
| policies. This integration was rather short-lived as it was deprecated in Kudu |
| 1.12.0 and will be completely removed in Kudu 1.13.0.</p> |
| |
| <p>Most recently, since 1.12.0 Kudu supports fine-grained authorization by |
| integrating with Apache Ranger 2.1 and later. In this post, we’ll cover how this |
| works and how to set it up.</p> |
| |
| <!--more--> |
| |
| <h2 id="how-it-works">How it works</h2> |
| |
| <p>Ranger supports a wide range of software across the Apache Hadoop ecosystem, but |
| unlike Sentry, it doesn’t depend on any of them for fine-grained authorization, |
| making it an ideal choice for Kudu.</p> |
| |
| <p>Ranger consists of an Admin server that has a web UI and a REST API where admins |
| can create policies. The policies are stored in a database (supported database |
| systems are Microsoft SQL Server, MySQL, Oracle, PostgreSQL, and SQL Anywhere) |
| and are periodically fetched and cached by the Ranger plugin that runs on the |
| Kudu Masters. The Ranger plugin is responsible for authorizing the requests |
| against the cached policies. At the time of writing this post, the Ranger plugin |
| base is available only in Java, as most Hadoop ecosystem projects, including |
| Ranger, are written in Java.</p> |
| |
| <p>Unlike Sentry’s client which we reimplemented in C++, the Ranger plugin is a fat |
| client that handles the evaluation of the policies (which are much richer and |
| more complex than Sentry policies) locally, so we decided not to reimplement it |
| in C++.</p> |
| |
| <p>Each Kudu Master spawns a JVM child process that is effectively a wrapper around |
| the Ranger plugin and communicates with it via named pipes.</p> |
| |
| <h2 id="prerequisites">Prerequisites</h2> |
| |
| <p>This post assumes the Admin Tool of a compatible Ranger version is |
| <a href="https://ranger.apache.org/quick_start_guide.html">installed</a> on a host that is |
| reachable by both you and by all Kudu Master servers.</p> |
| |
| <p><em>Note</em>: At the time of writing this post, Ranger 2.0 is the most recent release |
| which does NOT support Kudu yet. Ranger 2.1 will be the first version that |
| supports Kudu. If you wish to use Kudu with Ranger before this is released, you |
| either need to build Ranger from the <code class="language-plaintext highlighter-rouge">master</code> branch or use a distribution that |
| has already backported the relevant bits |
| (<a href="https://issues.apache.org/jira/browse/RANGER-2684">RANGER-2684</a>: |
| 0b23df7801062cc7836f2e162e1775101898add4).</p> |
| |
| <p>To enable Ranger integration in Kudu, Java 8 or later has to be available on the |
| Master servers.</p> |
| |
| <p>You can build the Ranger subprocess by navigating to the <code class="language-plaintext highlighter-rouge">java/</code> inside the Kudu |
| source directory, then running the below command:</p> |
| |
| <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>./gradlew :kudu-subprocess:jar</code></pre></figure> |
| |
| <p>This will build the subprocess JAR which you can find in the |
| <code class="language-plaintext highlighter-rouge">kudu-subprocess/build/libs</code> directory.</p> |
| |
| <h2 id="setting-up-kudu-with-ranger">Setting up Kudu with Ranger</h2> |
| |
| <p>The first step is to add Kudu in Ranger Admin and set <code class="language-plaintext highlighter-rouge">tag.download.auth.users</code> |
| and <code class="language-plaintext highlighter-rouge">policy.download.auth.users</code> to the user or service principal name running |
| the Kudu process (typically <code class="language-plaintext highlighter-rouge">kudu</code>). The former is for downloading tag-based |
| policies which Kudu doesn’t currently support, so this is only for forward |
| compatibility and can be safely omitted.</p> |
| |
| <p><img src="/img/blog-ranger/create-service.png" alt="create-service" class="img-responsive" /></p> |
| |
| <p>Next, you’ll have to configure the Ranger plugin. As it’s written in Java and is |
| part of the Hadoop ecosystem, it expects to find a <code class="language-plaintext highlighter-rouge">core-site.xml</code> in its |
| classpath that at a minimum configures the authentication types (simple or |
| Kerberos) and the group mapping. If your Kudu is co-located with a Hadoop |
| cluster, you can simply use your Hadoop’s <code class="language-plaintext highlighter-rouge">core-site.xml</code> and it should work. |
| Otherwise, you can use the below sample <code class="language-plaintext highlighter-rouge">core-site.xml</code> assuming you have |
| Kerberos enabled and shell-based groups mapping works for you:</p> |
| |
| <figure class="highlight"><pre><code class="language-xml" data-lang="xml"><span class="nt">&lt;configuration&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>hadoop.security.authentication<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>kerberos<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>hadoop.security.group.mapping<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>org.apache.hadoop.security.ShellBasedUnixGroupsMapping<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;/configuration&gt;</span></code></pre></figure> |
| |
| <p>In addition to the <code class="language-plaintext highlighter-rouge">core-site.xml</code> file, you’ll also need a |
| <code class="language-plaintext highlighter-rouge">ranger-kudu-security.xml</code> in the same directory that looks like this:</p> |
| |
| <figure class="highlight"><pre><code class="language-xml" data-lang="xml"><span class="nt">&lt;configuration&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.policy.cache.dir<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>/path/to/policy/cache/<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.service.name<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>kudu<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.policy.rest.url<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>http://ranger-admin:6080<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.policy.source.impl<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>org.apache.ranger.admin.client.RangerAdminRESTClient<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.policy.pollIntervalMs<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>30000<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;property&gt;</span> |
| <span class="nt">&lt;name&gt;</span>ranger.plugin.kudu.access.cluster.name<span class="nt">&lt;/name&gt;</span> |
| <span class="nt">&lt;value&gt;</span>Cluster 1<span class="nt">&lt;/value&gt;</span> |
| <span class="nt">&lt;/property&gt;</span> |
| <span class="nt">&lt;/configuration&gt;</span></code></pre></figure> |
| |
| <ul> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.policy.cache.dir</code> - A directory that is writable by the |
| user running the Master process where the plugin will cache the policies it |
| fetches from Ranger Admin.</li> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.service.name</code> - This needs to be set to whatever the |
| service name was set to on Ranger Admin.</li> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.policiy.rest.url</code> - The URL of the Ranger Admin REST API.</li> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.policy.source.impl</code> - This should always be |
| <code class="language-plaintext highlighter-rouge">org.apache.ranger.admin.client.RangerAdminRESTClient</code>.</li> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.policy.pollIntervalMs</code> - This is the interval at which the |
| plugin will fetch policies from the Ranger Admin.</li> |
| <li><code class="language-plaintext highlighter-rouge">ranger.plugin.kudu.access.cluster.name</code> - The name of the cluster.</li> |
| </ul> |
| |
| <p><em>Note</em>: This is a minimal config. For more options refer to the <a href="https://cwiki.apache.org/confluence/display/RANGER/Index">Ranger |
| documentation</a></p> |
| |
| <p>Once these files are created, you need to point Kudu Masters to the directory |
| containing them with the <code class="language-plaintext highlighter-rouge">-ranger_config_path</code> flag. In addition, |
| <code class="language-plaintext highlighter-rouge">-ranger_jar_path</code> and <code class="language-plaintext highlighter-rouge">-ranger_java_path</code> should be configured. The Java path |
| defaults to <code class="language-plaintext highlighter-rouge">$JAVA_HOME/bin/java</code> if <code class="language-plaintext highlighter-rouge">$JAVA_HOME</code> is set and falls back to |
| <code class="language-plaintext highlighter-rouge">java</code> in <code class="language-plaintext highlighter-rouge">$PATH</code> if not. The JAR path defaults to <code class="language-plaintext highlighter-rouge">kudu-subprocess.jar</code> in the |
| directory containing the <code class="language-plaintext highlighter-rouge">kudu-master</code> binary.</p> |
| |
| <p>As the last step, you need to set <code class="language-plaintext highlighter-rouge">-tserver_enforce_access_control</code> to <code class="language-plaintext highlighter-rouge">true</code> on |
| the Tablet Servers to make sure access control is respected across the cluster.</p> |
| |
| <h2 id="creating-policies">Creating policies</h2> |
| |
| <p>After setting up the integration it’s time to create some policies, as now only |
| trusted users are allowed to perform any action, everyone else is locked out.</p> |
| |
| <p>To create your first policy, log in to Ranger Admin, click on the Kudu service |
| you created in the first step of setup, then on the “Add New Policy” button in |
| the top right corner. You’ll need to name the policy and set the resource it |
| will apply to. Kudu doesn’t support databases, but with Ranger integration |
| enabled, it will treat the part of the table name before the first period as the |
| database name, or default to “default” if the table name doesn’t contain a |
| period (configurable with the <code class="language-plaintext highlighter-rouge">-ranger_default_database</code> flag on the |
| <code class="language-plaintext highlighter-rouge">kudu-master</code>).</p> |
| |
| <p>There is no implicit hierarchy in the resources, which means that granting |
| privileges on <code class="language-plaintext highlighter-rouge">db=foo</code> won’t imply privileges on <code class="language-plaintext highlighter-rouge">foo.bar</code>. To create a policy |
| that applies to all tables and all columns in the <code class="language-plaintext highlighter-rouge">foo</code> database you need to |
| create a policy for <code class="language-plaintext highlighter-rouge">db=foo-&gt;tbl=*-&gt;col=*</code>.</p> |
| |
| <p><img src="/img/blog-ranger/create-policy.png" alt="create-policy" class="img-responsive" /></p> |
| |
| <p>For a list of the required privileges to perform operations please refer to our |
| <a href="/docs/security.html#policy-for-kudu-masters">documentation</a>.</p> |
| |
| <h2 id="table-ownership">Table ownership</h2> |
| |
| <p>Kudu 1.13 will introduce table ownership, which enhances the authorization |
| experience when Ranger integration is enabled. Tables are automatically owned by |
| the users creating the table and it’s possible to change the owner as a part of |
| an alter table operation.</p> |
| |
| <p>Ranger supports granting privileges to the table owners via a special <code class="language-plaintext highlighter-rouge">{OWNER}</code> |
| user. You can, for example, grant the <code class="language-plaintext highlighter-rouge">ALL</code> privilege and delegate admin (this |
| is required to change the owner of a table) to <code class="language-plaintext highlighter-rouge">{OWNER}</code> on |
| <code class="language-plaintext highlighter-rouge">db=*-&gt;table=*-&gt;column=*</code>. This way your users will be able to perform any |
| actions on the tables they created without having to explicitly assign |
| privileges per table. They will, of course, need to be granted the <code class="language-plaintext highlighter-rouge">CREATE</code> |
| privilege on <code class="language-plaintext highlighter-rouge">db=*</code> or on a specific database to actually be able to create |
| their own tables.</p> |
| |
| <p><img src="/img/blog-ranger/allow-conditions.png" alt="allow-conditions" class="img-responsive" /></p> |
| |
| <h2 id="conclusion">Conclusion</h2> |
| |
| <p>In this post we’ve covered how to set up and use the newest Kudu integration, |
| Apache Ranger, and a sneak peek into the table ownership feature. Please try |
| them out if you have a chance, and let us know what you think on our <a href="mailto:user@kudu.apache.org">mailing |
| list</a> or <a href="https://getkudu.slack.com">Slack</a>. If you |
| run into any issues, feel free to reach out to us on either platform, or open a |
| <a href="https://issues.apache.org/jira/projects/KUDU">bug report</a>.</p></content><author><name>Attila Bukor</name></author><summary type="html">When Apache Kudu was first released in September 2016, it didn’t support any kind of authorization. Anyone who could access the cluster could do anything they wanted. To remedy this, coarse-grained authorization was added along with authentication in Kudu 1.3.0. This meant allowing only certain users to access Kudu, but those who were allowed access could still do whatever they wanted. The only way to achieve finer-grained access control was to limit access to Apache Impala where access control could be enforced by fine-grained policies in Apache Sentry. This method limited how Kudu could be accessed, so we saw a need to implement fine-grained access control in a way that wouldn’t limit access to Impala only. Kudu 1.10.0 integrated with Apache Sentry to enable finer-grained authorization policies. This integration was rather short-lived as it was deprecated in Kudu 1.12.0 and will be completely removed in Kudu 1.13.0. Most recently, since 1.12.0 Kudu supports fine-grained authorization by integrating with Apache Ranger 2.1 and later. In this post, we’ll cover how this works and how to set it up.</summary></entry><entry><title type="html">Building Near Real-time Big Data Lake</title><link href="/2020/07/30/building-near-real-time-big-data-lake.html" rel="alternate" type="text/html" title="Building Near Real-time Big Data Lake" /><published>2020-07-30T00:00:00-07:00</published><updated>2020-07-30T00:00:00-07:00</updated><id>/2020/07/30/building-near-real-time-big-data-lake</id><content type="html" xml:base="/2020/07/30/building-near-real-time-big-data-lake.html"><p>Note: This is a cross-post from the Boris Tyukin’s personal blog <a href="https://boristyukin.com/building-near-real-time-big-data-lake-part-2/">Building Near Real-time Big Data Lake: Part 2</a></p> |
| |
| <p>This is the second part of the series. In <a href="https://boristyukin.com/building-near-real-time-big-data-lake-part-i/">Part 1</a> |
| I wrote about our use-case for the Data Lake architecture and shared our success story.</p> |
| |
| <!--more--> |
| <h2 id="requirements">Requirements</h2> |
| <p>Before we embarked on our journey, we had identified high-level requirements and guiding principles. |
| It is crucial to think it through to envision who and how will use your Data Lake. Identify your |
| first three projects to keep them while you are building the Data Lake.</p> |
| |
| <p>The best way is to start a few smaller proof-of-concept projects: play with various distributed |
| engines and tools, run tons of benchmarks, and learn from others, who implemented a similar solution |
| successfully. Do not forget to learn from others’ mistakes too.</p> |
| |
| <p>We had settled on these 7 guiding principles before we started looking at technology and architecture:</p> |
| <ol> |
| <li>Scale-out, not scale-up.</li> |
| <li>Design for resiliency and availability.</li> |
| <li>Support both real-time and batch ingestion into a Data Lake.</li> |
| <li>Enable both ad-hoc exploratory analysis as well as interactive queries.</li> |
| <li>Replicate in near real-time 300+ Cerner Millennium tables from 3 remote-hosted Cerner Oracle RAC |
| instances with average latency less than 10 seconds (time between a change made in Cerner EHR system |
| by clinicians and data ingested and ready for consumption in Data Lake).</li> |
| <li>Have robust logging and monitoring processes to ensure reliability of the pipeline and to simplify |
| troubleshooting.</li> |
| <li>Reduce manual work greatly and ease the ongoing support.</li> |
| </ol> |
| |
| <p>We decided to embrace the benefits and scalability of Big Data technology. In fact, it was a pretty |
| easy sell as our leadership was tired of constantly buying expensive software and hardware from |
| big-name vendors and not being able to scale-out to support an avalanche of new projects and requests.</p> |
| |
| <p>We started looking at Change Data Capture (CDC) products to mine and ship database logs from Oracle.</p> |
| |
| <p>We knew we had to implement a metadata- or code-as-configuration driven solution to manage hundreds |
| of tables, without expanding our team.</p> |
| |
| <p>We needed a flexible orchestration and scheduling tool, designed with real-time workloads in mind.</p> |
| |
| <p>Finally, we engaged our and Cerner’s leadership early, as it would take time to hash out all the |
| details, and to make their DBAs confident that we were not going to break their production systems |
| by streaming 1000s of messages every second 24x7. In fact, one of the goals was to relieve production |
| systems from analytical workloads.</p> |
| <h2 id="platform-selection">Platform selection</h2> |
| <p>First off, we had to decide on the actual platform. After spending 3 months researching, 4 options |
| emerged, given the realities of our organization:</p> |
| <ol> |
| <li>On-premises virtualized cluster, using preferred vendors, recommended by our infrastructure team.</li> |
| <li>On-premises Big Data appliance (bundled hardware and software, optimized for Big Data workloads).</li> |
| <li>Big Data cluster in cloud, managed by ourselves (IaaS model, which just means renting a bunch of |
| VMs and running Cloudera or Hortonworks Big Data distribution).</li> |
| <li>A fully managed cloud data platform and native cloud data warehouse (Snowflake, Google BigQuery, |
| Amazon Redshift, and etc.)</li> |
| </ol> |
| |
| <p>Each option had a long list of pros and cons, but ultimately we went with option 2. The price was |
| really attractive, it was a capital expense (our finance people rightfully hate subscriptions), the |
| best performance, security, and control.</p> |
| |
| <p>It was in 2017 when we made a decision. While we could not provision cluster resources and add nodes |
| with a click of button and we learned that software and hardware upgrades were a real chore, it was |
| still very much worth that as we’ve saved a 7 number figure for the organization to get the |
| performance we needed.</p> |
| |
| <p>Owning hardware also made a lot of sense for us as we could not forecast our needs far enough in the |
| future and we could get a really powerful 6 node cluster for a fraction the cost that we would end |
| up paying in subscription fees in the next 12 months. Of course, it did help that we already had a |
| state-of-the-art data center and people managing it.</p> |
| |
| <p>Fully-managed or serverless architecture was not really an option back then, but if you asked me |
| today, this would be the first thing I would look at if I had to build a data lake today |
| (definitely check AWS Lake Formation, AWS Athena, Amazon Redshift, Azure Synapse, Snowflake and |
| Google BigQuery).</p> |
| |
| <p>Your organization, goals, projects and situation could be very different and you should definitely |
| evaluate cloud solutions, especially in 2020 when prices are decreasing, cloud providers are |
| extremely competitive and there are new attractive pricing options with 3 year commitment. Make sure |
| you understand the cost and billing model. Or, hire a company (there are plenty now), that will |
| explain your cloud bills before you get a horrifying check.</p> |
| |
| <p>Some of the things to consider:</p> |
| |
| <ol> |
| <li>Existing data center infrastructure and access to people, supporting it.</li> |
| <li>Integration with current tools (BI, ETL, Advanced Analytics etc.) Do they stay on-premises or can |
| be moved into cloud to avoid networking lags or charges for data egress?</li> |
| <li>Total ownership cost and cost to performance ratio.</li> |
| <li>Do you really need elasticity? This is the first thing that cloud advocates are preaching but |
| think if and how this applies to you.</li> |
| <li>Is time-to-market so crucial for you, or you can wait a few months to build Big Data |
| infrastructure on-premises to save some money and get much better performance and control of |
| physical hardware?</li> |
| <li>Are you okay with locking yourself in to vendor’s solution XYZ? This is an especially crucial |
| question if you are selecting a fully managed platform.</li> |
| <li>Can you easily change your cloud provider? Or can you even afford to put all your trust and faith |
| in a single cloud provider?</li> |
| </ol> |
| |
| <p>Do your homework, spend a lot of time reading and talking to other people (engineers and architects, |
| not sales reps), and make sure you understand what you are signing up for.</p> |
| |
| <p>And remember, there is no magic! You still need to architect, design, build, support, test, and make |
| good choices and use common sense. No matter what your favorite vendor tells you. You might save |
| time by spinning up a cluster in minutes, but you still need people to manage all that. You still |
| need great architects and engineers to realize benefits from all that hot new tech.</p> |
| |
| <h2 id="building-blocks">Building blocks</h2> |
| |
| <p>Once we agreed on the platform of our choice, powered by Cloudera Enterprise Data Hub, we started |
| prototyping and benchmarking various engines and tools that came with it. We looked at other |
| open-source projects, as nothing really prevents you from installing and using any open-source |
| product you desire and trust. One of these products for us was Apache NiFi, which proved to be a |
| tremendous value.</p> |
| |
| <p>After a lot of trials and errors, we decided on this architecture:</p> |
| |
| <p><img src="https://boristyukin.com/content/images/pipelinearchitecture.png" width="100%" /></p> |
| |
| <p>One of the toughest challenges we faced right away was the fact that most of the Big Data data |
| engines were not designed to support mutable data but rather immutable append-only data. All the |
| workarounds we had tried did not work for us and no matter what we did with partitioning strategy, |
| we just needed a simple ability to update and delete data, not only insert. Anyone who worked with |
| RDBMS or legacy columnar databases takes this capability for granted, but surprisingly it is a very |
| difficult task in Big Data world.</p> |
| |
| <p>We considered Apache HBase, but the performance of analytics-style ETL and interactive queries was |
| really bad. We were blown away by Apache Impala’s performance on HDFS as no matter what we threw at |
| Impala, it was hundreds of times faster…but we could not update data in place.</p> |
| |
| <p>At about the same time, Cloudera released and open-sourced Apache Kudu project that became part of |
| its official distribution. We got very excited about it (refer to our benchmarks <a href="http://boristyukin.com/benchmarking-apache-kudu-vs-apache-impala/">here</a>), and decided |
| to proceed with Kudu as a storage engine, while using Apache Impala as SQL query engine. One of the |
| ambitious goals of Apache Kudu is to cut the need for the infamous <a href="https://en.wikipedia.org/wiki/Lambda_architecture">Lambda architecture</a>.</p> |
| |
| <p>After talking to 7 vendors and playing with our top picks, we selected a Change Data Capture product |
| (Oracle GoldenGate for Big Data edition). It deserves a separate post but let’s just say it was the |
| only product out of 7, that was able to handle complexities of the source Oracle RAC systems and |
| offer great performance without the need to install any agents or software on the actual production |
| database. Other solutions had a very long list of limitations for Oracle systems, make sure to read |
| and understand these limitations.</p> |
| |
| <p>Our homegrown tool <a href="http://boristyukin.com/how-to-ingest-a-large-number-of-tables-into-a-big-data-lake-or-why-i-built-metazoo/">MetaZoo</a> |
| has been instrumental to bring order and peace, and that’s why it earned |
| its own blog post!</p> |
| |
| <h2 id="how-it-works">How it works</h2> |
| <p>Initial ingest is pretty typical - we use Sqoop to extract data from Cerner Oracle databases, and |
| NiFi helps orchestrate initial load for hundreds of tables. Actually, this NiFi flow below can |
| handle initial ingest of hundreds of tables!</p> |
| |
| <p><img src="https://boristyukin.com/content/images/nifi_initial.png" width="100%" /></p> |
| |
| <p>Our secret sauce though is <a href="http://boristyukin.com/how-to-ingest-a-large-number-of-tables-into-a-big-data-lake-or-why-i-built-metazoo/">MetaZoo</a>. |
| MetaZoo generates optimal parameters for Sqoop (such as a number of mappers, split-by column, and so |
| forth), generates DDLs for staging and final tables, and SQL commands to transform data before they |
| land in the Data Lake. MetaZoo also provides control tables to record status of every table.</p> |
| |
| <p>The throughput of Sqoop is nothing but amazing. Gone are the days when we had to ask Cerner to dump |
| tables on a hard-drive and ship it by snail mail (do not ask how much it cost us!). And we like how |
| YARN queues help to limit the load on production databases.</p> |
| |
| <p>To give you one example, a few years ago it took us 4 weeks to reload <code class="language-plaintext highlighter-rouge">clinical_event</code> table from |
| Cerner using Informatica into our local Oracle database. With Sqoop and Big Data, it was done in 11 |
| hours!</p> |
| |
| <p>This is what happens during the initial ingest.</p> |
| |
| <p>First, MetaZoo gathers relevant metadata from source system about tables to ingest, and based on |
| that metadata will generate DDL scripts, SQL commands snippets, Sqoop parameters, and more. It will |
| initialize tables in MetaZoo control tables as well.</p> |
| |
| <p>Then NiFi picks a list of tables to ingest from MetaZoo control tables and run the following steps |
| to:</p> |
| |
| <ul> |
| <li>Execute and wait for Sqoop to finish.</li> |
| <li>Apply some basic rules to map data types to the corresponding data types in the lake. We convert |
| timestamps to a proper time zone as well. While you do not want to do any heavy processing or or any |
| data modeling in Data Lake and keep data closer to raw format as much as you can, some light |
| processing upfront goes a long way and make it easier for analysts and developers to use these |
| tables later.</li> |
| <li>Load processed data into final tables after some basic validation.</li> |
| <li>Compute Impala statistics.</li> |
| <li>Set initial ingest status to completed in MetaZoo control tables so it is ready for real-time |
| streaming.</li> |
| </ul> |
| |
| <p>Before we kick off the initial ingest process, we start Oracle GoldenGate extracts and replicats |
| (that’s the actual term) to begin capturing changes from a database and send them into Kafka. Every |
| message, depending on database operation type and GoldenGate configuration, might have before/after |
| table row values, operation type and database commit transaction time (it only extracts changes for |
| committed transactions). Once the initial ingest is finished, and because GoldenGate continues |
| sending changes since the moment we started, we can now start real-time ingest flow in NiFi.</p> |
| |
| <p>A side benefit of decoupling GoldenGate from Kafka and NiFi and Kudu is to make this process |
| resilient to failures. This allows us as well to bring one of these systems down for maintenance |
| without much impact.</p> |
| |
| <p>Below is the NiFi flow than handles real-time streaming from Oracle/GoldenGate/Kafka and persists |
| data into Kudu:</p> |
| |
| <p><img src="https://boristyukin.com/content/images/nifi_rt.png" width="100%" /></p> |
| |
| <ol> |
| <li>NiFi flow consumes Kafka messages, produced by GoldenGate. Every table from every domain has |
| its own Kafka topic. Topics have only one partition to preserve the original order of messages.</li> |
| <li>New messages are queued in NiFi, using a simple First-In-First-Out pattern and grouped by a |
| table. It is important to ensure the order of messages but still process tables concurrently.</li> |
| <li>Messages are transformed, using the same basic rules we apply during the initial ingest.</li> |
| <li>Finally, messages are persisted into Kudu. Some of them represent INSERT type operation, which |
| results in brand new rows added to Kudu tables. Other messages are UPDATE and DELETE operations. |
| And we have to deal with an exotic PK_UPDATE operation, when a primary key was changed for some |
| reason in the source system (e.g. PK=111 was renamed to 222). We had to write a custom Kudu client |
| to handle all these cases using Java Kudu API that was fun to use. NiFi allowed us to write custom |
| processors and integrate that custom Kudu code directly into our flow.</li> |
| <li>Useful metrics are stored in a separate Kudu table. We collect number of messages processed, |
| operation type (insert, update, delete or primary key update), latency, important timestamps. |
| Using this data, we can optimize and tweak the performance of the pipeline, and to monitor it by |
| visualizing data on a dashboard.</li> |
| </ol> |
| |
| <p>The entire flow handles 900+ tables today (as we capture 300 tables from 3 Cerner domains).</p> |
| |
| <p>We process ~2,000 messages per second or 125MM messages per day. GoldenGate accumulates 150Gb worth |
| of database changes per day. In Kudu, we store over 120B rows of data.</p> |
| |
| <p>Our average latency is 6 seconds and the pipeline is running 24x7.</p> |
| |
| <h2 id="user-experience">User experience</h2> |
| <p>I am biased, but I think this is a game-changer for analysts, BI developers, or any data people. |
| What they get is an ability to access near real-time production data, with all the benefits and |
| scalability of Big Data technology.</p> |
| |
| <p>Here, I run a query in Impala to count patients, admitted to our hospitals within the last 7 days, |
| who are still in the hospitals (not discharged yet):</p> |
| |
| <p><img src="https://boristyukin.com/content/images/query1.png" alt="query 1" /></p> |
| |
| <p>Then 5 seconds later I run the same query again to see numbers changed - more patients got admitted |
| and discharged:</p> |
| |
| <p><img src="https://boristyukin.com/content/images/query2.png" alt="query 2" />]</p> |
| |
| <p>This query below counts certain clinical events in the 20B row Kudu table (which is updated in near |
| real-time). While it takes 28 seconds to finish, this query would never even finish I ran it against |
| our Oracle database. It found 13.7B events:</p> |
| |
| <p><img src="https://boristyukin.com/content/images/query3.png" alt="query 3" /></p> |
| |
| <h2 id="credits">Credits</h2> |
| <p>Apache Impala, Apache Kudu and Apache NiFi were the pillars of our real-time pipeline. Back in 2017, |
| Impala was already a rock solid battle-tested project, while NiFi and Kudu were relatively new. We |
| did have some reservations about using them and were concerned about support if/when we needed it |
| (and we did need it a few times).</p> |
| |
| <p>We were amazed by all the help, dedication, knowledge sharing, friendliness, and openness of Impala, |
| NiFi and Kudu developers. Huge thank you to all of you who helped us alone the way. You guys are |
| amazing and you are building fantastic products!</p> |
| |
| <p>To be continued…</p></content><author><name>Boris Tyukin</name></author><summary type="html">Note: This is a cross-post from the Boris Tyukin’s personal blog Building Near Real-time Big Data Lake: Part 2 This is the second part of the series. In Part 1 I wrote about our use-case for the Data Lake architecture and shared our success story.</summary></entry><entry><title type="html">Apache Kudu 1.12.0 released</title><link href="/2020/05/18/apache-kudu-1-12-0-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.12.0 released" /><published>2020-05-18T00:00:00-07:00</published><updated>2020-05-18T00:00:00-07:00</updated><id>/2020/05/18/apache-kudu-1-12-0-release</id><content type="html" xml:base="/2020/05/18/apache-kudu-1-12-0-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.12.0!</p> |
| |
| <p>The new release adds several new features and improvements, including the |
| following:</p> |
| |
| <!--more--> |
| |
| <ul> |
| <li>Kudu now supports native fine-grained authorization via integration with |
| Apache Ranger. Kudu may now enforce access control policies defined for |
| Kudu tables and columns stored in Ranger. See the |
| <a href="/releases/1.12.0/docs/security.html#fine_grained_authz">authorization documentation</a> |
| for more details.</li> |
| <li>Kudu’s web UI now supports proxying via Apache Knox. Kudu may be deployed |
| in a firewalled state behind a Knox Gateway which will forward HTTP requests |
| and responses between clients and the Kudu web UI.</li> |
| <li>Kudu’s web UI now supports HTTP keep-alive. Operations that access multiple |
| URLs will now reuse a single HTTP connection, improving their performance.</li> |
| <li>The <code class="language-plaintext highlighter-rouge">kudu tserver quiesce</code> tool is added to quiesce tablet servers. While a |
| tablet server is quiescing, it will stop hosting tablet leaders and stop |
| serving new scan requests. This can be used to orchestrate a rolling restart |
| without stopping on-going Kudu workloads.</li> |
| <li>Introduced <code class="language-plaintext highlighter-rouge">auto</code> time source for HybridClock timestamps. With |
| <code class="language-plaintext highlighter-rouge">--time_source=auto</code> in AWS and GCE cloud environments, Kudu masters and |
| tablet servers use the built-in NTP client synchronized with dedicated NTP |
| servers available via host-only networks. With <code class="language-plaintext highlighter-rouge">--time_source=auto</code> in |
| environments other than AWS/GCE, Kudu masters and tablet servers rely on |
| their local machine’s clock synchronized by NTP. The default setting for |
| the HybridClock time source (<code class="language-plaintext highlighter-rouge">--time_source=system</code>) is backward-compatible, |
| requiring the local machine’s clock to be synchronized by the kernel’s NTP |
| discipline.</li> |
| <li>The <code class="language-plaintext highlighter-rouge">kudu cluster rebalance</code> tool now supports moving replicas away from |
| specific tablet servers by supplying the <code class="language-plaintext highlighter-rouge">--ignored_tservers</code> and |
| <code class="language-plaintext highlighter-rouge">--move_replicas_from_ignored_tservers</code> arguments (see |
| <a href="https://issues.apache.org/jira/browse/KUDU-2914">KUDU-2914</a> for more |
| details).</li> |
| <li>Write Ahead Log file segments and index chunks are now managed by Kudu’s file |
| cache. With that, all long-lived file descriptors used by Kudu are managed by |
| the file cache, and there’s no longer a need for capacity planning of file |
| descriptor usage.</li> |
| </ul> |
| |
| <p>The above is just a list of the highlights, for a more complete list of new |
| features, improvements and fixes please refer to the <a href="/releases/1.12.0/docs/release_notes.html">release |
| notes</a>.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.12.0, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.12.0">1.12.0 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.12.0/docs/installation.html#build_from_source">1.12.0 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.12.0">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally, experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>.</p></content><author><name>Hao Hao</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.12.0! The new release adds several new features and improvements, including the following:</summary></entry><entry><title type="html">Apache Kudu 1.10.1 released</title><link href="/2019/11/20/apache-kudu-1-10-1-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.10.1 released" /><published>2019-11-20T00:00:00-08:00</published><updated>2019-11-20T00:00:00-08:00</updated><id>/2019/11/20/apache-kudu-1-10-1-release</id><content type="html" xml:base="/2019/11/20/apache-kudu-1-10-1-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.10.1!</p> |
| |
| <p>Apache Kudu 1.10.1 is a bug fix release which fixes critical issues discovered |
| in Apache Kudu 1.10.0. In particular, this fixes a licensing issue with |
| distributing libnuma library with the kudu-binary JAR artifact. Users of |
| Kudu 1.10.0 are encouraged to upgrade to 1.10.1 as soon as possible. See the |
| <a href="/releases/1.10.1/docs/release_notes.html">release notes</a> for details.</p> |
| |
| <!--more--> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.10.1, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.10.1">1.10.1 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.10.1/docs/installation.html#build_from_source">1.10.1 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.10.1">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p></content><author><name>Alexey Serbin</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.10.1! Apache Kudu 1.10.1 is a bug fix release which fixes critical issues discovered in Apache Kudu 1.10.0. In particular, this fixes a licensing issue with distributing libnuma library with the kudu-binary JAR artifact. Users of Kudu 1.10.0 are encouraged to upgrade to 1.10.1 as soon as possible. See the release notes for details.</summary></entry><entry><title type="html">Apache Kudu 1.11.1 released</title><link href="/2019/11/20/apache-kudu-1-11-1-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.11.1 released" /><published>2019-11-20T00:00:00-08:00</published><updated>2019-11-20T00:00:00-08:00</updated><id>/2019/11/20/apache-kudu-1-11-1-release</id><content type="html" xml:base="/2019/11/20/apache-kudu-1-11-1-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.11.1!</p> |
| |
| <p>This release contains a fix which addresses a critical issue discovered in |
| 1.10.0 and 1.11.0 and adds several new features and improvements since 1.10.0.</p> |
| |
| <!--more--> |
| |
| <p>Apache Kudu 1.11.1 is a bug fix release which fixes critical issues discovered |
| in Apache Kudu 1.11.0. In particular, this release fixes a licensing issue with |
| distributing libnuma library with the kudu-binary JAR artifact. Users of |
| Kudu 1.11.0 are encouraged to upgrade to 1.11.1 as soon as possible.</p> |
| |
| <p>Apache Kudu 1.11.1 adds several new features and improvements since |
| Apache Kudu 1.10.0, including the following:</p> |
| |
| <ul> |
| <li>Kudu now supports putting tablet servers into maintenance mode: while in this |
| mode, the tablet server’s replicas will not be re-replicated if the server |
| fails. Administrative CLI are added to orchestrate tablet server maintenance |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2069">KUDU-2069</a>).</li> |
| <li>Kudu now has a built-in NTP client which maintains the internal wallclock |
| time used for generation of HybridTime timestamps. When enabled, system clock |
| synchronization for nodes running Kudu is no longer necessary, |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2935">KUDU-2935</a>).</li> |
| <li>Aggregated table statistics are now available to Kudu clients. This allows |
| for various query optimizations. For example, Spark now uses it to perform |
| join optimizations |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2797">KUDU-2797</a> and |
| <a href="https://issues.apache.org/jira/browse/KUDU-2721">KUDU-2721</a>).</li> |
| <li>The kudu CLI tool now supports creating and dropping range partitions |
| for a table |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2881">KUDU-2881</a>).</li> |
| <li>The kudu CLI tool now supports altering and dropping table columns.</li> |
| <li>The kudu CLI tool now supports getting and setting extra configuration |
| properties for a table |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2514">KUDU-2514</a>).</li> |
| </ul> |
| |
| <p>See the <a href="/releases/1.11.1/docs/release_notes.html">release notes</a> for details.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.11.1, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.11.1">1.11.1 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.11.1/docs/installation.html#build_from_source">1.11.1 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.11.1">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>.</p></content><author><name>Alexey Serbin</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.11.1! This release contains a fix which addresses a critical issue discovered in 1.10.0 and 1.11.0 and adds several new features and improvements since 1.10.0.</summary></entry><entry><title type="html">Apache Kudu 1.10.0 Released</title><link href="/2019/07/09/apache-kudu-1-10-0-release.html" rel="alternate" type="text/html" title="Apache Kudu 1.10.0 Released" /><published>2019-07-09T00:00:00-07:00</published><updated>2019-07-09T00:00:00-07:00</updated><id>/2019/07/09/apache-kudu-1-10-0-release</id><content type="html" xml:base="/2019/07/09/apache-kudu-1-10-0-release.html"><p>The Apache Kudu team is happy to announce the release of Kudu 1.10.0!</p> |
| |
| <p>The new release adds several new features and improvements, including the |
| following:</p> |
| |
| <!--more--> |
| |
| <ul> |
| <li>Kudu now supports both full and incremental table backups via a job |
| implemented using Apache Spark. Additionally it supports restoring |
| tables from full and incremental backups via a restore job implemented using |
| Apache Spark. See the |
| <a href="/releases/1.10.0/docs/administration.html#backup">backup documentation</a> |
| for more details.</li> |
| <li>Kudu can now synchronize its internal catalog with the Apache Hive Metastore, |
| automatically updating Hive Metastore table entries upon table creation, |
| deletion, and alterations in Kudu. See the |
| <a href="/releases/1.10.0/docs/hive_metastore.html#metadata_sync">HMS synchronization documentation</a> |
| for more details.</li> |
| <li>Kudu now supports native fine-grained authorization via integration with |
| Apache Sentry. Kudu may now enforce access control policies defined for Kudu |
| tables and columns, as well as policies defined on Hive servers and databases |
| that may store Kudu tables. See the |
| <a href="/releases/1.10.0/docs/security.html#fine_grained_authz">authorization documentation</a> |
| for more details.</li> |
| <li>Kudu’s web UI now supports SPNEGO, a protocol for securing HTTP requests with |
| Kerberos by passing negotiation through HTTP headers. To enable, set the |
| <code class="language-plaintext highlighter-rouge">--webserver_require_spnego</code> command line flag.</li> |
| <li>Column comments can now be stored in Kudu tables, and can be updated using |
| the AlterTable API |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-1711">KUDU-1711</a>).</li> |
| <li>The performance of mutations (i.e. UPDATE, DELETE, and re-INSERT) to |
| not-yet-flushed Kudu data has been significantly optimized |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2826">KUDU-2826</a> and |
| <a href="https://github.com/apache/kudu/commit/f9f9526d3">f9f9526d3</a>).</li> |
| <li>Predicate performance for primitive columns and IS NULL and IS NOT NULL |
| has been optimized |
| (see <a href="https://issues.apache.org/jira/browse/KUDU-2846">KUDU-2846</a>).</li> |
| </ul> |
| |
| <p>The above is just a list of the highlights, for a more complete list of new |
| features, improvements and fixes please refer to the <a href="/releases/1.10.0/docs/release_notes.html">release |
| notes</a>.</p> |
| |
| <p>The Apache Kudu project only publishes source code releases. To build Kudu |
| 1.10.0, follow these steps:</p> |
| |
| <ul> |
| <li>Download the Kudu <a href="/releases/1.10.0">1.10.0 source release</a></li> |
| <li>Follow the instructions in the documentation to build Kudu <a href="/releases/1.10.0/docs/installation.html#build_from_source">1.10.0 from |
| source</a></li> |
| </ul> |
| |
| <p>For your convenience, binary JAR files for the Kudu Java client library, Spark |
| DataSource, Flume sink, and other Java integrations are published to the ASF |
| Maven repository and are <a href="https://search.maven.org/search?q=g:org.apache.kudu%20AND%20v:1.10.0">now |
| available</a>.</p> |
| |
| <p>The Python client source is also available on |
| <a href="https://pypi.org/project/kudu-python/">PyPI</a>.</p> |
| |
| <p>Additionally experimental Docker images are published to |
| <a href="https://hub.docker.com/r/apache/kudu">Docker Hub</a>.</p></content><author><name>Grant Henke</name></author><summary type="html">The Apache Kudu team is happy to announce the release of Kudu 1.10.0! The new release adds several new features and improvements, including the following:</summary></entry></feed> |
