From Wikitech
Jump to: navigation, search

Command line access

You can access the Hadoop and Hive on the the stats machines stat1005 and stat1004. For information on getting access, see Analytics/Data access and production shell access.

HTTP Access

Access to HTTP GUIs in the Analytics Cluster is currently very restricted. You must have shell accounts on analytics nodes. You must use a SOCKS proxy or ssh tunnels to access to HTTP services.

At the very minimum, you must have a shell account on the primary NameNode (analytics1001). HDFS uses POSIX accounts on the NameNode (analytics1001) for granting access to files.

Hue (Hadoop User Experience) GUI is available at Log in using your shell username and your LDAP credentials. If you already have cluster access, but can't log into Hue, it is likely that your LDAP account needs to be manually synced. Ask an Analytics Opsen (ottomata ( or elukey ( ) for help.

Admin Instructions to sync a Hue LDAP account

When a new Hadoop user is added, an admin should give them a Hue account. If this ticket is resolved, this process should be automatic.

  1. Log into
  2. In the upper right, click on your username, and select Manage Users (you will only be able to do this if you are Hue admin. Another admin can make you one.)
  3. Click 'Add/Sync LDAP User'
  4. Fill in the form with their shell username (not LDAP/Wikitech login), deselect both 'Distinguished name' and 'Create home directory', and click 'Add/Sync user'



sshuttle is a 'Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.'. You can use this to proxy traffic through a bastion host to the cluster.

Download and install sshuttle following these instructions. Then, run

 ./sshuttle --dns -vvr

Be warned, this will proxy DNS requests through the Wikimedia network, and any requests to an IP on the internal Wikimedia network will be proxied through the bastion.

While this is running, you should be able to navigate to internally hosted web services from your browser. Try accessing the ResourceManager jobbrowser at http://analytics1001.eqiad.wmnet:8088/

ssh tunnel(s)

If you are in the wmf LDAP group (every WMF employee/contractor) and you care only about the Yarn Resource Manager UI, you can login directly to

Otherwise, If you have access to the nodes you want to send HTTP requests to, then you can access specific HTTP services using direct ssh tunneling.

To access the Hadoop Resourcemanager jobbrowser, try running:

 ssh -N stat1004.eqiad.wmnet -L 8088:analytics1001.eqiad.wmnet:8088


 ssh -N -L 8088:analytics1001.eqiad.wmnet:8088

And then navigate to http://localhost:8088/cluster in your browser.

You might want to check out the FairScheduler interface here too. It will show you usage of the cluster per user: http://localhost:8088/cluster/scheduler

SOCKS proxy & FoxyProxy

Also see the explanation in Help:Access#Setting up the proxy

For this to work, you need automatic ssh proxying to stat1004.eqiad.wmnet through You can add the following to your .ssh/config file if you don't already have something more generic (see SSH access):

 Host analytics*
     ProxyCommand ssh -a -W %h:%p 

Once that works (verify that you can ssh into stat1004.eqiad.wmnet), you can open up a SOCKS proxy through stat1004.eqiad.wmnet:

 ssh -N -D 8999 stat1004.eqiad.wmnet

Finally, configure your browser to connect via host: localhost port 8999. If you use FoxyProxy, you can set up specific URL patterns that you would like to proxy. https?://analytics.* should do.

Once there, you should be able to navigate to services. Try out http://analytics1001.eqiad.wmnet:8088/cluster to be sure that it works.