Configuring properties for OBS buckets to use in Ozone replication policies

Before you replicate OBS buckets, you must configure additional properties that assist Ozone replication policies to replicate data in OBS buckets.

  1. Add the key-value pairs in the following table to the Ozone Client Advanced Configuration Snippet (Safety Valve) property in the ozone-site.xml file in the source cluster:
    Property Action to take
    fs.s3a.endpoint Enter the same value as in Ozone S3 gateway web UI as the source cluster.
    hadoop.tmp.dir Enter the temporary directory on the target cluster to buffer file uploads.
    fs.s3a.secret.key See Step 3 to get the required value.
    fs.s3a.access.key See Step 3 to get the required value.
    ozone.om.snapshot.load.native.lib Enter false.

    Incremental Ozone replication policy runs use snapshot-diff operation. This property ensures that the replication policy run is not affected if the snapshot-diff operation goes down during the replication policy run.

  2. Add the key-value pairs in the following table to the Ozone Client Advanced Configuration Snippet (Safety Valve) property in the ozone-site.xml file in the target cluster:
    Property Action to take
    fs.s3a.endpoint Enter the same value as in Ozone S3 gateway web UI as the target cluster.
    fs.s3a.secret.key See Step 3 to get the required value.
    fs.s3a.access.key See Step 3 to get the required value.
    fs.s3a.change.detection.version.required Set to false.
    fs.s3a.change.detection.mode Enter none.
    fs.s3a.path.style.access Enter true.
    ozone.om.snapshot.load.native.lib Enter false.

    Incremental Ozone replication policy runs use snapshot-diff operation. This property ensures that the replication policy run is not affected if the snapshot-diff operation goes down during the replication policy run.

  3. If Kerberos is enabled on the source and target cluster, run the ozone s3 getsecret --om-service-id=serviceId command to get the secret and access key. Otherwise, enter any arbitrary value for the secret and access key.

    You can store the keys in a credstore such as JCEKS for non Auto-TLS clusters. After you store the keys, perform the following steps:

    1. Configure the credstore file path for the hadoop.security.credential.provider.path property in the ozone-site.xml file. For more information, see Using DistCp with Amazon S3.
    2. Add the HADOOP_CREDSTORE_PASSWORD parameter to the YARN Service Environment Advanced Configuration Snippet (Safety Valve) property for the YARN service in source Cloudera Manager.
  4. The /s3v volumes store S3 buckets. By default, you can access the buckets in /s3v volumes using S3 interface. To access other buckets through the S3 interface, you must create a “symbolic linked” bucket. You can use the ‘symbolic linked’ bucket in Ozone replication policies.
    Configure the required OBS buckets as S3-compatible buckets using the following commands before you use it in Ozone replication policies:
    1. ozone sh volume create /s3v
    2. ozone sh volume create /[***vol_name***]
    3. ozone sh bucket create /[***vol_name***]/[***bucket_name***]
    4. ozone sh bucket link /[***vol_name***]/[***bucket_name***] /s3v/[***symbolic_linked_bucket_name***]
  5. Import the S3G CA certificate from the cluster to the local JDK path using the following commands:
    1. Run the keytool -importkeystore -destkeystore [***jdk_cacerts_location***] -srckeystore [***cm-auto-global_truststore.jks location***] -srcalias [***cm_alias_on_src_cm***] command on all the hosts of the source Cloudera Manager.
      For example, keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
    2. Run the following commands on all the hosts of the target Cloudera Manager:
      1. keytool -importkeystore -destkeystore [***jdk_cacerts location***] -srckeystore [***cm-auto-global_truststore.jks location***] -srcalias [***cm_alias_on_src_cm***]

      2. keytool -importkeystore -destkeystore [***jdk_cacerts_location***] -srckeystore [***cm-auto-global_truststore.jks location***] -srcalias [***cm_alias_on_dest_cm***]

      For example,
      keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts 
      -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
      keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts 
      -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-1