BlueData DataTap Setup

This section provides instructions for configuring Driverless AI to work with BlueData DataTap.

Note: Depending on your Docker install version, use either the docker run --runtime=nvidia (>= Docker 19.03) or nvidia-docker (< Docker 19.03) command when starting the Driverless AI Docker image. Use docker version to check which version of Docker you are using.

Description of Configuration Attributes

  • dtap_auth_type: Selects DTAP authentication. Available values are:

    • noauth: No authentication needed

    • principal: Authenticate with DataTap with a principal user

    • keytab: Authenticate with a Key tab (recommended). If running Driverless AI as a service, then the Kerberos keytab needs to be owned by the Driverless AI user.

    • keytabimpersonation: Login with impersonation using a keytab

  • dtap_config_path: The location of the DTAP (HDFS) config folder path. This folder can contain multiple config files. Note: The DTAP config file core-site.xml needs to contain DTap FS configuration, for example:

    <configuration>
      <property>
        <name>fs.dtap.impl</name>
        <value>com.bluedata.hadoop.bdfs.Bdfs</value>
        <description>The FileSystem for BlueData dtap: URIs.</description>
      </property>
    </configuration>
    
  • dtap_key_tab_path: The path of the principal key tab file. For use when dtap_auth_type=principal.

  • dtap_app_principal_user: The Kerberos app principal user (recommended).

  • dtap_app_login_user: The user ID of the current user (for example, user@realm).

  • dtap_app_jvm_args: JVM args for DTap distributions. Separate each argument with spaces.

  • dtap_app_classpath: The DTap classpath.

  • dtap_init_path: Specifies the starting DTAP path displayed in the UI of the DTAP browser.

  • enabled_file_systems: The file systems you want to enable. This must be configured in order for data connectors to function properly.

Example 1: Enable DataTap with No Authentication

This example enables the DataTap data connector and disables authentication. It does not pass any configuration file; however it configures Docker DNS by passing the name and IP of the DTap name node. This lets users reference data stored in DTap directly using the name node address, for example: dtap://name.node/datasets/iris.csv or dtap://name.node/datasets/. (Note: The trailing slash is currently required for directories.)

  nvidia-docker run \
    --pid=host \
    --init \
    --rm \
    --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
    --add-host name.node:172.16.2.186 \
    -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,dtap" \
    -e DRIVERLESS_AI_DTAP_AUTH_TYPE='noauth'  \
    -p 12345:12345 \
    -v /etc/passwd:/etc/passwd \
    -v /tmp/dtmp/:/tmp \
    -v /tmp/dlog/:/log \
    -v /tmp/dlicense/:/license \
    -v /tmp/ddata/:/data \
    -u $(id -u):$(id -g) \
    h2oai/dai-ubi8-x86_64:1.11.0-cuda11.8.0.xx

Example 2: Enable DataTap with Keytab-Based Authentication

Notes:

  • If using Kerberos Authentication, the the time on the Driverless AI server must be in sync with Kerberos server. If the time difference between clients and DCs are 5 minutes or higher, there will be Kerberos failures.

  • If running Driverless AI as a service, then the Kerberos keytab needs to be owned by the Driverless AI user; otherwise Driverless AI will not be able to read/access the Keytab and will result in a fallback to simple authentication and, hence, fail.

This example:

  • Places keytabs in the /tmp/dtmp folder on your machine and provides the file path as described below.

  • Configures the environment variable DRIVERLESS_AI_DTAP_APP_PRINCIPAL_USER to reference a user for whom the keytab was created (usually in the form of user@realm).

  nvidia-docker run \
      --pid=host \
      --init \
      --rm \
      --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
      -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,dtap" \
      -e DRIVERLESS_AI_DTAP_AUTH_TYPE='keytab'  \
      -e DRIVERLESS_AI_DTAP_KEY_TAB_PATH='tmp/<<keytabname>>' \
      -e DRIVERLESS_AI_DTAP_APP_PRINCIPAL_USER='<<user@kerberosrealm>>' \
      -p 12345:12345 \
      -v /etc/passwd:/etc/passwd \
      -v /tmp/dtmp/:/tmp \
      -v /tmp/dlog/:/log \
      -v /tmp/dlicense/:/license \
      -v /tmp/ddata/:/data \
      -u $(id -u):$(id -g) \
      h2oai/dai-ubi8-x86_64:1.11.0-cuda11.8.0.xx

Example 3: Enable DataTap with Keytab-Based Impersonation

Notes:

  • If using Kerberos, be sure that the Driverless AI time is synched with the Kerberos server.

  • If running Driverless AI as a service, then the Kerberos keytab needs to be owned by the Driverless AI user.

This example:

  • Places keytabs in the /tmp/dtmp folder on your machine and provides the file path as described below.

  • Configures the DRIVERLESS_AI_DTAP_APP_PRINCIPAL_USER variable, which references a user for whom the keytab was created (usually in the form of user@realm).

  • Configures the DRIVERLESS_AI_DTAP_APP_LOGIN_USER variable, which references a user who is being impersonated (usually in the form of user@realm).

  # Docker instructions
  nvidia-docker run \
      --pid=host \
      --init \
      --rm \
      --shm-size=2g --cap-add=SYS_NICE --ulimit nofile=131071:131071 --ulimit nproc=16384:16384 \
      -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,dtap" \
      -e DRIVERLESS_AI_DTAP_AUTH_TYPE='keytabimpersonation'  \
      -e DRIVERLESS_AI_DTAP_KEY_TAB_PATH='tmp/<<keytabname>>' \
      -e DRIVERLESS_AI_DTAP_APP_PRINCIPAL_USER='<<appuser@kerberosrealm>>' \
      -e DRIVERLESS_AI_DTAP_APP_LOGIN_USER='<<thisuser@kerberosrealm>>' \
      -p 12345:12345 \
      -v /etc/passwd:/etc/passwd \
      -v /tmp/dtmp/:/tmp \
      -v /tmp/dlog/:/log \
      -v /tmp/dlicense/:/license \
      -v /tmp/ddata/:/data \
      -u $(id -u):$(id -g) \
      h2oai/dai-ubi8-x86_64:1.11.0-cuda11.8.0.xx