Issue in creating Azure HDInsight with Data lake using Template Deployment

I am trying to create Azure HDInsight with Data Lake using template deployment. But I am facing an issue while executing the template, and I think the reason is the "Service Principal Name" integration with the Azure Data Lake Store.

Error:

"message": "DeploymentDocument 'AmbariConfiguration_1_7' failed the validation. Error: 'Error while getting data lake storage account demodls: Error while getting OAuth token from AAD for AppPrincipalId XXXXXX-XXXXXXXXX-XXXXX-XXX-XXXXX.

Please see the screenshot below for more details.

I have tried creating an AD web app and assigning the "Owner" role to that app. Then I assigned it as Owner of the subscription. Then I added "Data Lake Permission" for the application. But I still think I may be missing something.

Cluster integration snippet

```json
"properties": {
    "clusterVersion": "[parameters('clusterVersion')]",
    "osType": "Linux",
    "tier": "standard",
    "clusterDefinition": {
        "kind": "[parameters('clusterKind')]",
        "configurations": {
            "gateway": {
                "restAuthCredential.isEnabled": true,
                "restAuthCredential.username": "[parameters('clusterLoginUserName')]",
                "restAuthCredential.password": "[parameters('clusterLoginPassword')]"
            },
            "core-site": {
                "fs.defaultFS": "adl://home",
                "dfs.adls.home.hostname": "demodls.azuredatalakestore.net",
                "dfs.adls.home.mountpoint": "/clusters/democluster/"
            },
            "clusterIdentity": {
                "clusterIdentity.applicationId": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
                "clusterIdentity.certificate": "[parameters('identityCertificate')]",
                "clusterIdentity.aadTenantId": "https://login.windows.net/XXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXX",
                "clusterIdentity.resourceUri": "https://management.core.windows.net/",
                "clusterIdentity.certificatePassword": "[parameters('identityCertificatePassword')]"
            }
        }
    },
```

I have a few doubts here:

  1. Should "SecureString" values such as clusterpassword, sshpassword, etc. in "parameter.json" be supplied in plain text, or must I convert them to SecureString and provide the secure string value?

  2. Should the field "identityCertificate" be the "base64" encoding of the "Certificate.pfx" file contents, or must I convert it Base64 -> SecureString and feed that into parameter.json?

Any help is greatly appreciated! Thanks

Regards

identityCertificate should be the base64-encoded string representation of the .pfx certificate file contents. It is marked as type SecureString in the ARM template definition file so that the plain text is not stored/returned when you later retrieve the deployment history. Marking fields as SecureString helps ensure that passwords and other such fields are not retained in your deployment history.

A simple way to resolve questions about how to author the cluster-creation ARM template is to go to the Azure portal and create the cluster as you need it in the template. At the 'Summary' step, before clicking 'Create', download the ARM template to see what is being deployed. There is a link next to 'Create' to do this.

I expect you will notice that the way the primary ADLS account is specified is different. Follow the way it is configured in the downloaded ARM template and you should be good to go.
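The two points in this answer (the parameter value is the base64 encoding of the whole .pfx file, and a securestring parameter is what keeps that value out of the deployment history) can be checked with the following added PowerShell example. It is not part of this answer or of any Microsoft sample; it assumes the AzureRM module, a deployment that has already run against the resource group, and that Get-AzureRmResourceGroupDeployment reports each parameter as an object with Type and Value properties where securestring values come back empty (an assumption about the module's output shape, not something stated in the thread).

```powershell
# Added example, not from the original answer. Assumes the AzureRM cmdlets.

# Read the .pfx as bytes and base64-encode the whole file; that string is the value
# the identityCertificate parameter expects. Wrapping it in a SecureString matches a
# parameter declared as "type": "securestring" in the template.
function Get-PfxParameterValue {
    param([Parameter(Mandatory)][string]$PfxPath)
    $bytes = [System.IO.File]::ReadAllBytes($PfxPath)
    $b64 = [System.Convert]::ToBase64String($bytes)
    return (ConvertTo-SecureString -String $b64 -AsPlainText -Force)
}

# After a deployment, inspect its recorded parameters. Anything declared as a
# securestring should come back without a value. A parameter whose name looks
# secret-bearing but is typed "String" is reported, because its value is readable
# by anyone who can read the resource group's deployment history.
function Test-DeploymentSecretExposure {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$DeploymentName,
        [string[]]$SecretNamePatterns = @('password', 'certificate', 'secret')
    )
    $deployment = Get-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName -Name $DeploymentName
    $findings = @()
    foreach ($entry in $deployment.Parameters.GetEnumerator()) {
        $name  = $entry.Key
        $type  = $entry.Value.Type     # assumption: 'String' / 'SecureString' as reported by the module
        $value = $entry.Value.Value
        $looksSecret = $SecretNamePatterns | Where-Object { $name -match $_ }
        if ($looksSecret -and $type -ne 'SecureString') {
            $findings += [pscustomobject]@{ Parameter = $name; Type = $type; Exposed = $true; Detail = 'plain string parameter' }
        }
        elseif ($type -eq 'SecureString' -and -not [string]::IsNullOrEmpty("$value")) {
            $findings += [pscustomobject]@{ Parameter = $name; Type = $type; Exposed = $true; Detail = 'value unexpectedly returned' }
        }
    }
    return $findings
}

# Usage (paths and names are placeholders):
# $pfx = Get-PfxParameterValue -PfxPath 'C:\Azure-saml\certs\demoespcert.pfx'
# New-AzureRmResourceGroupDeployment -ResourceGroupName 'demoesprg' -Name 'hdi-demo' `
#     -TemplateFile 'C:\Azure-saml\template.json' -identityCertificate $pfx
# Test-DeploymentSecretExposure -ResourceGroupName 'demoesprg' -DeploymentName 'hdi-demo'
```

An empty result from Test-DeploymentSecretExposure means every secret-looking parameter was declared as securestring and none of them was echoed back; a finding of type String is the case the answer warns about, where the password or certificate is retained in plain text in the deployment record.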

@Matt H

I have downloaded the template generated in the portal when creating HDInsight, but it still doesn't work.

Please find my powershell script below.

```powershell
# To create resources (PowerShell comments use '#', not '//')
$resourceGroupName = "demoesprg"
New-AzureRmResourceGroup -Name $resourceGroupName -Location "East US 2"
$dataLakeStoreName = "demoespdls"
New-AzureRmDataLakeStoreAccount -ResourceGroupName $resourceGroupName -Name $dataLakeStoreName -Location "East US 2"
Test-AzureRmDataLakeStoreAccount -Name $dataLakeStoreName
$myrootdir = "/"
# ${} keeps the root "/" from being followed by a second slash in the folder path
New-AzureRmDataLakeStoreItem -Folder -AccountName $dataLakeStoreName -Path "${myrootdir}clusters/demoespcluster"

$templatefilepath = "C:\Azure-saml\template.json"
# Single quotes keep the trailing '$' literal
$SSHpass = ConvertTo-SecureString -String 'Demoesp1234$' -AsPlainText -Force

# Create .pfx certificate
$certFolder = "C:\Azure-saml\certs"
$certFilePath = "$certFolder\demoespcert.pfx"
$certStartDate = (Get-Date).Date
$certStartDateStr = $certStartDate.ToString("MM/dd/yyyy")
$certEndDate = $certStartDate.AddYears(1)
$certEndDateStr = $certEndDate.ToString("MM/dd/yyyy")
$certName = "demoespcert"
$certPassword = 'democert123$'
$certPasswordSecureString = ConvertTo-SecureString $certPassword -AsPlainText -Force
$cert = New-SelfSignedCertificate -DnsName $certName -CertStoreLocation cert:\CurrentUser\My
$certThumbprint = $cert.Thumbprint
# The path separator between the store and the thumbprint was missing
$cert = (Get-ChildItem -Path cert:\CurrentUser\My\$certThumbprint)
Export-PfxCertificate -Cert $cert -FilePath $certFilePath -Password $certPasswordSecureString
$certificatePFX = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFilePath, $certPasswordSecureString)
# Public certificate only (no private key) is what the AAD application's key credential holds
$credential = [System.Convert]::ToBase64String($certificatePFX.GetRawCertData())

# Create Active Directory application
$application = New-AzureRmADApplication `
    -DisplayName "ESPSPN" `
    -HomePage "https://demoespcluster.hdinsight.net" `
    -IdentifierUris "https://demoespcluster.hdinsight.net" `
    -CertValue $credential `
    -StartDate $certificatePFX.NotBefore `
    -EndDate $certificatePFX.NotAfter
Start-Sleep -Seconds 20

# Create service principal
$applicationId = $application.ApplicationId
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $applicationId
$objectId = $servicePrincipal.Id

# Assign permissions (ACL entries on the store root and the cluster folder)
Set-AzureRmDataLakeStoreItemAclEntry -AccountName $dataLakeStoreName -Path / -AceType User -Id $objectId -Permissions All
Set-AzureRmDataLakeStoreItemAclEntry -AccountName $dataLakeStoreName -Path /clusters -AceType User -Id $objectId -Permissions All
Set-AzureRmDataLakeStoreItemAclEntry -AccountName $dataLakeStoreName -Path /clusters/demoespcluster -AceType User -Id $objectId -Permissions All

# Execute scripts
$tenantID = (Get-AzureRmContext).Tenant.TenantId
# The full .pfx (including the private key) is base64-encoded for the identityCertificate parameter
$secureCert = [System.Convert]::ToBase64String((Get-Content $certFilePath -Encoding Byte))
#$dsecureCert = ConvertTo-SecureString $secureCert -AsPlainText -Force

New-AzureRmResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile $templatefilepath `
    -identityCertificate $secureCert `
    -identityCertificatePassword $certPasswordSecureString `
    -clusterName $certName `
    -clusterLoginPassword $SSHpass `
    -sshPassword $SSHpass `
    -servicePrincipalApplicationId $applicationId
```

Error:

New-AzureRmResourceGroupDeployment : 11:15:00 PM - DeploymentDocument 'AmbariConfiguration_1_7' failed the validation. Error: 'Error while getting access to the datalake storage account demoespdls: Access denied.

What am I missing here?

Update: the script is correct, but there was a problem with my self-signed certificate. Once I used a valid certificate I was able to create the cluster successfully!! Thanks