使用 SSH 隧道访问 Apache Ambari Web UI、JobHistory、NameNode、Apache Oozie 和其他 Web UIUse SSH Tunneling to access Apache Ambari web UI, JobHistory, NameNode, Apache Oozie, and other web UIs

使用 HDInsight 群集可以通过 Internet 访问 Apache Ambari Web UI,但某些功能需要 SSH 隧道。HDInsight clusters provide access to the Apache Ambari web UI over the Internet, but some features require an SSH tunnel. 例如,如果没有 SSh 隧道,将无法通过 Internet 访问 Apache Oozie 服务的 Web UI。For example, the web UI for the Apache Oozie service cannot be accessed over the internet without an SSh tunnel.

为何使用 SSH 隧道?Why use an SSH tunnel

Ambari 中的多个菜单只能通过 SSH 隧道工作。Several of the menus in Ambari only work through an SSH tunnel. 这些菜单依赖于其他节点类型(例如辅助角色节点)上运行的网站和服务。These menus rely on web sites and services running on other node types, such as worker nodes.

以下 Web UI 需要 SSH 隧道:The following Web UIs require an SSH tunnel:

  • JobHistoryJobHistory
  • NameNodeNameNode
  • 线程堆栈Thread Stacks
  • Oozie Web UIOozie web UI
  • HBase Master 和日志 UIHBase Master and Logs UI

如果通过脚本操作自定义群集,则安装的所有服务或实用工具都需要 SSH 隧道才能公开 Web 服务。If you use Script Actions to customize your cluster, any services or utilities that you install that expose a web service require an SSH tunnel. 例如,如果使用脚本操作安装 Hue,则必须使用 SSH 隧道来访问 Hue Web UI。For example, if you install Hue using a Script Action, you must use an SSH tunnel to access the Hue web UI.

Important

如果可以通过虚拟网络直接访问 HDInsight,则不需要使用 SSH 隧道。If you have direct access to HDInsight through a virtual network, you do not need to use SSH tunnels. 有关通过虚拟网络直接访问 HDInsight 的示例,请参阅将 HDInsight 连接到本地网络一文。For an example of directly accessing HDInsight through a virtual network, see the Connect HDInsight to your on-premises network document.

什么是 SSH 隧道What is an SSH tunnel

安全外壳 (SSH) 隧道将本地计算机上的端口连接到 HDInsight 上的头节点。Secure Shell (SSH) tunneling connects a port on your local machine to a head node on HDInsight. 发送到本地端口的流量通过 SSH 连接路由到头节点。Traffic sent to the local port is routed through an SSH connection to the head node. 请求将得到解析,就如同它源自头节点一样。The request is resolved as if it originated on the head node. 然后,通过与工作站建立的隧道将响应路由回去。The response is then routed back through the tunnel to your workstation.

先决条件Prerequisites

  • SSH 客户端。An SSH client. 大多数操作系统通过 ssh 命令提供 SSH 客户端。Most operating systems provide an SSH client through the ssh command. 有关详细信息,请参阅 将 SSH 与 HDInsight 配合使用For more information, see Use SSH with HDInsight.

  • 可配置为使用 SOCKS5 代理的 Web 浏览器。A web browser that can be configured to use a SOCKS5 proxy.

    Warning

    内置于 Windows Internet 设置中的 SOCKS 代理支持不支持 SOCKS5,不适用于此文档中的步骤。The SOCKS proxy support built into Windows Internet settings does not support SOCKS5, and does not work with the steps in this document. 以下浏览器依赖于 Windows 代理设置,当前不适用于此文档中的步骤:The following browsers rely on Windows proxy settings, and do not currently work with the steps in this document:

    • Microsoft EdgeMicrosoft Edge
    • Microsoft Internet ExplorerMicrosoft Internet Explorer

    Google Chrome 也依赖于 Windows 代理设置。Google Chrome also relies on the Windows proxy settings. 但是,可以安装支持 SOCKS5 的扩展。However, you can install extensions that support SOCKS5. 我们建议使用 FoxyProxy StandardWe recommend FoxyProxy Standard.

使用 SSH 命令创建隧道Create a tunnel using the SSH command

使用以下 ssh 命令创建 SSH 隧道。Use the following command to create an SSH tunnel using the ssh command. sshuser 替换为 HDInsight 群集的 SSH 用户,并将 clustername 替换为 HDInsight 群集的名称:Replace sshuser with an SSH user for your HDInsight cluster, and replace clustername with the name of your HDInsight cluster:

ssh -C2qTnNf -D 9876 sshuser@clustername-ssh.azurehdinsight.net

此命令创建一个通过 SSH 将流量路由到群集本地端口 9876 的连接。This command creates a connection that routes traffic to local port 9876 to the cluster over SSH. 选项包括:The options are:

  • D 9876 - 通过隧道路由流量的本地端口。D 9876 - The local port that routes traffic through the tunnel.
  • C - 压缩所有数据,因为 Web 流量大多为文本。C - Compress all data, because web traffic is mostly text.
  • 2 - 强制 SSH 仅尝试协议版本 2。2 - Force SSH to try protocol version 2 only.
  • q - 静默模式。q - Quiet mode.
  • T - 禁用 pseudo-tty 分配,因为将仅转发端口。T - Disable pseudo-tty allocation, since you are just forwarding a port.
  • n - 防止读取 STDIN,因为将仅转发端口。n - Prevent reading of STDIN, since you are just forwarding a port.
  • N - 不执行远程命令,因为将仅转发端口。N - Do not execute a remote command, since you are just forwarding a port.
  • f - 在后台运行。f - Run in the background.

在命令完成后,发送到本地计算机上的端口 9876 的流量将路由到群集头节点。Once the command finishes, traffic sent to port 9876 on the local computer is routed to the cluster head node.

使用 PuTTY 创建隧道Create a tunnel using PuTTY

PuTTY 是适用于 Windows 的图形 SSH 客户端。PuTTY is a graphical SSH client for Windows. 如果不熟悉 PuTTY,请参阅 PuTTY 文档If you are not familiar with PuTTY, see the PuTTY documentation. 执行以下步骤可使用 PuTTY 创建 SSH 隧道:Use the following steps to create an SSH tunnel using PuTTY:

创建或加载会话Create or load a session

  1. 打开 PuTTY,并确保在左侧菜单中选择“会话”。Open PuTTY and ensure Session is selected on the left menu. 如果你已保存了一个会话,请从“已保存的会话”列表中选择该会话名称并单击“加载”。If you have already saved a session, select the session name from the Saved Sessions list and click Load.

  2. 如果你没有已保存的会话,请输入你的连接信息:If you don't already have a saved session, enter your connection information:

    • 主机名(或 IP 地址) - HDInsight 群集的 SSH 地址。Host Name (or IP address) - The SSH address for the HDInsight cluster. 例如,mycluster-ssh.azurehdinsight.netFor example, mycluster-ssh.azurehdinsight.net
    • 端口 - 22Port - 22
    • 连接类型 - SSHConnection Type - SSH
  3. 单击“保存” Click Save

    创建 SSH 会话

  4. 在对话框左侧的“类别”部分中,依次展开“连接”和“SSH”,并选择“隧道”。In the Category section to the left of the dialog, expand Connection, expand SSH, and then select Tunnels.

  5. 提供以下有关“用于控制 SSH 端口转发的选项”窗体的信息:Provide the following information on the Options controlling SSH port forwarding form:

    • 源端口 - 客户端上要转发的端口。Source port - The port on the client that you wish to forward. 例如 9876For example, 9876.

    • 目标 - HDInsight 群集的 SSH 地址。Destination - The SSH address for the HDInsight cluster. 例如, mycluster-ssh.azurehdinsight.netFor example, mycluster-ssh.azurehdinsight.net.

    • 动态 - 启用动态 SOCKS 代理路由。Dynamic - Enables dynamic SOCKS proxy routing.

      隧道选项图像

  6. 单击“添加”以添加设置,并单击“打开”以打开 SSH 连接。Click Add to add the settings, and then click Open to open an SSH connection.

  7. 出现提示时,登录到服务器。When prompted, log in to the server.

从浏览器使用隧道Use the tunnel from your browser

Important

本部分中的步骤使用 Mozilla FireFox 浏览器,因为它在所有平台中提供相同的代理设置。The steps in this section use the Mozilla FireFox browser, as it provides the same proxy settings across all platforms. 对于其他新式浏览器(如 Google Chrome),可能需要 FoxyProxy 等扩展才能使用隧道。Other modern browsers, such as Google Chrome, may require an extension such as FoxyProxy to work with the tunnel.

  1. 将浏览器配置为使用 localhost,并将创建隧道时使用的端口配置为 SOCKS v5 代理。Configure the browser to use localhost and the port you used when creating the tunnel as a SOCKS v5 proxy. Firefox 中的设置如下所示。Here's what the Firefox settings look like. 如果使用的端口不是 9876,请将端口更改为所用的端口:If you used a different port than 9876, change the port to the one you used:

    Firefox 设置图像

    Note

    通过选择“远程 DNS”,可使用 HDInsight 群集解析域名系统 (DNS) 请求。Selecting Remote DNS resolves Domain Name System (DNS) requests by using the HDInsight cluster. 此设置使用群集的头节点解析 DNS。This setting resolves DNS using the head node of the cluster.

  2. 通过访问 https://www.whatismyip.com/ 等网站验证隧道是否正常工作。Verify that the tunnel works by visiting a site such as https://www.whatismyip.com/. 返回的 IP 应是 Microsoft Azure 数据中心使用的 IP。The IP returned should be one used by the Microsoft Azure datacenter.

Ambari Web UI 访问验证Verify with Ambari web UI

建立群集后,请通过以下步骤验证是否可以从 Ambari Web 访问服务 Web UI:Once the cluster has been established, use the following steps to verify that you can access service web UIs from the Ambari Web:

  1. 在浏览器中,转到 http://headnodehost:8080。In your browser, go to http://headnodehost:8080. headnodehost 地址通过隧道发送到群集,并解析为运行 Ambari 的头节点。The headnodehost address is sent over the tunnel to the cluster and resolve to the head node that Ambari is running on. 出现提示时,请输入群集的管理员用户名 (admin) 和密码。When prompted, enter the admin user name (admin) and password for your cluster. Ambari Web UI 可能会再次出现提示。You may be prompted a second time by the Ambari web UI. 如果出现,请重新输入信息。If so, reenter the information.

    Note

    如果使用 http://headnodehost:8080 地址连接到群集,则将通过隧道进行连接。When using the http://headnodehost:8080 address to connect to the cluster, you are connecting through the tunnel. 通信是使用 SSH 隧道而不是 HTTPS 保护的。Communication is secured using the SSH tunnel instead of HTTPS. 若要使用 HTTPS 通过 Internet 进行连接,请使用 https://clustername.azurehdinsight.net,其中“clustername”是群集的名称。To connect over the internet using HTTPS, use https://clustername.azurehdinsight.net, where clustername is the name of the cluster.

  2. 在 Ambari Web UI 中,请选择页面左侧列表中的“HDFS”。From the Ambari Web UI, select HDFS from the list on the left of the page.

    已选择“HDFS”的截图

  3. 显示 HDFS 服务信息时,请选择“快速链接”。When the HDFS service information is displayed, select Quick Links. 将显示群集头节点列表。A list of the cluster head nodes appears. 选择其中一个头节点,并选择“NameNode UI”。Select one of the head nodes, and then select NameNode UI.

    已展开“快速链接”菜单的截图

    Note

    选择“快速链接”时,可能会看到等待指示器。When you select Quick Links, you may get a wait indicator. 如果 Internet 连接速度慢,则可能会出现此情况。This condition can occur if you have a slow internet connection. 请等待一两分钟,让系统从服务器接收数据,然后再次尝试列出节点列表。Wait a minute or two for the data to be received from the server, then try the list again.

    “快速链接”菜单中的某些项可能在屏幕右侧截断。Some entries in the Quick Links menu may be cut off by the right side of the screen. 如果是这样,请使用鼠标展开菜单,然后使用向右键向右滚动屏幕,查看菜单的余下内容。If so, expand the menu using your mouse and use the right arrow key to scroll the screen to the right to see the rest of the menu.

  4. 随后将显示类似于下图的页面:A page similar to the following image is displayed:

    NameNode UI 的截图

    Note

    请注意此页的 URL,它应类似于 http://hn1-CLUSTERNAME.randomcharacters.cx.internal.cloudapp.net:8088/cluster。Notice the URL for this page; it should be similar to http://hn1-CLUSTERNAME.randomcharacters.cx.internal.cloudapp.net:8088/cluster. 此 URI 使用节点的内部完全限定域名 (FQDN),只能在使用 SSH 隧道的情况下访问它。This URI is using the internal fully qualified domain name (FQDN) of the node, and is only accessible when using an SSH tunnel.

后续步骤Next steps

了解如何创建和使用 SSH 隧道后,请参阅以下文档了解 Ambari 的其他用法:Now that you have learned how to create and use an SSH tunnel, see the following document for other ways to use Ambari:

有关将 SSH 与 HDInsight 配合使用的详细信息,请参阅将 SSH 与 HDInsight 配合使用For more information on using SSH with HDInsight, see Use SSH with HDInsight.