Post Syndicated from Tanzir Musabbir original https://aws.amazon.com/blogs/big-data/build-a-self-service-environment-for-each-line-of-business-using-amazon-emr-and-aws-service-catalog/
Enterprises often want to centralize governance and compliance requirements, and provide a common set of policies on how Amazon EMR instances should be set up. You can use AWS Service Catalog to centrally manage commonly deployed Amazon EMR cluster configurations, and this helps you achieve consistent governance and meet your compliance requirements, while at the same time enabling your end users to quickly deploy only the approved EMR cluster configurations on a self-service basis.
In this post, we will demonstrate how enterprise administrators can use AWS Service Catalog to create and manage catalogs, that data engineers and data scientists use to quickly discover and deploy clusters using a self-service environment. With AWS Service Catalog you can control which EMR release versions are available, cluster configuration, and permission access by individual, group, department, or cost center.
The following are a few key AWS Service Catalog concepts:
- An AWS Service Catalog product is a blueprint for building the AWS resources that you want available for deployment. You create your products by importing AWS CloudFormation templates.
- A portfolio is a collection of products. With AWS Service Catalog, you can create a customized portfolio for each type of user in your organization and selectively grant access to the appropriate portfolio.
- A provisioned product is a collection of resources that result from instantiating an AWS CloudFormation
You can use AWS Service Catalog to provide Amazon EMR as a self-serve Extract, Transform, Load (ETL) platform at scale while hiding all the security and network configurations from end users.
As an administrator in AWS Service Catalog, you can create one or more Service Catalog products that define different configurations to be used for EMR clusters. In those Service Catalog products, you can define the security and network configurations to be used for the EMR cluster, you can define auto-scaling rules, instance configurations, different purchase options, or you can preconfigure EMR to run different EMR Step jobs. On the other hand, as a user in Service Catalog, you can browse through different EMR templates through Service Catalog products and provision the product based on your requirement. By following this approach, you can make your EMR usage self-serviceable, reduce the EMR learning curve for your users, and ensure adherence to security standards and best practices.
The following image illustrates how the interactions look between Amazon EMR administrators and end-users when using AWS Service Catalog to provision EMR clusters.
The use cases in this post have three AWS Identity and Access Management (IAM) users with different access permissions:
- emr-admin: This user is the administrator and has access to all the resources. This user creates EMR clusters for their end-users based on their requirements.
- emr-data-engineer: The data engineer uses Spark and Hive most of the time. They run different ETL scripts on Hive and Spark to process, transform, and enrich their datasets.
- emr-data-analyst: This user is very familiar with SQL and mostly uses Hue to submit queries to Hive.
You can solve several Amazon EMR operational use cases using AWS Service Catalog. The following sections discuss three different use cases. Later in this post, you walk through each of the use cases with a solution.
Use case 1: Ensuring least privilege and appropriate access
The administrator wants to enforce a few organizational standards. The first one is no default
EMR_EC2_ROLE for any EMR cluster. Instead, the administrator wants to have a role that has limited access to Amazon Simple Storage Service (Amazon S3) and assigns that role automatically every time an EMR cluster is launched. Second, end-users sometimes forget to add appropriate tags to their resources. Because of that, often times it is hard for the administrator to identify their resources and allocate cost appropriately. So, the administrator wants to have a mechanism that assigns tags to EMR clusters automatically when they launch.
Use case 2: Providing Amazon EMR as a self-serve ETL platform with Spark and Hive
Data engineers use Spark and Hive applications, and they prefer to have a platform where they just submit their jobs without spending time creating the cluster. They also want to try out different Amazon EMR versions to see how their jobs run on different Spark or Hive versions. They don’t want to spend time learning AWS or Amazon EMR. Additionally, the administrator doesn’t want to give full Amazon EMR access to all users.
Use case 3: Automatically scaling the Hive cluster for analysts
Data analysts have strong SQL backgrounds, so they typically use Hue to submit their Hive queries. They run queries against a large dataset, so they want to have an EMR cluster that can scale when needed. They also don’t have access to the Amazon EMR console and don’t know how to configure automatic scaling for Amazon EMR.
Service Catalog, self-serve your Amazon EMR users, enforce best practices and compliance, and speed up the adoption process.
At a high level, the solution includes the following steps:
- Configuring the AWS environment to run this solution.
- Creating a CloudFormation template.
- Setting up AWS Service Catalog products and portfolios.
- Managing access to AWS Service Catalog and provisioning products.
- Demonstrating the self-service Amazon EMR platform for users.
- Enforcing best practices and compliance through AWS Service Catalog.
- Executing ETL workloads on Amazon EMR using AWS Service Catalog.
- Optionally, setting up AWS Service Catalog and launching Amazon EMR products through the AWS Command Line Interface (AWS CLI).
The following section looks at the CloudFormation template, which you use to set up the AWS environment to run this solution.
Setting up the AWS environment
To set up this solution, you need to create a few AWS resources. The CloudFormation template provided in this post creates all the required AWS resources. This template requires you to pass the following parameters during the launch:
- A password for your test users.
- An Amazon Compute Cloud (Amazon EC2) key pair.
- The latest AMI ID for the EC2 helper instance. This instance configures the environment and sets up the required files and templates for this solution.
This template is designed only to show how you can use Amazon EMR with AWS Service Catalog. This setup isn’t intended for production use without modification.
To launch the CloudFormation stack, choose Launch Stack:
Launching this stack creates several AWS resources. The following resources shown in the AWS CloudFormation output are the ones you need in the next step:
|URL you use to switch between multiple users|
|Name of the S3 bucket to store blog-related files|
|Password to use for all the test users|
|IAM user name for the administrator user|
|IAM user name for the data engineer user|
|IAM user name for the data analyst user|
|Amazon S3 path for the Hive script|
|Path for the Hive input parameter|
|Path for the Hive output parameter|
|Amazon S3 path for the Spark script|
|Path for the Spark input parameter|
|Path for the Spark output parameter|
When the CloudFormation template is complete, record the outputs listed on the Outputs tab on the AWS CloudFormation console. See the following screenshot.
(Optional) Configuring the AWS CLI
The AWS CLI is a unified tool to manage your AWS services. In the optional step, you use the AWS CLI to create AWS Service Catalog products and portfolios. Installation of AWS CLI isn’t required for this solution. For instructions on configuring the AWS CLI in your environment, see Configuring the AWS CLI.
Provisioning EMR clusters through AWS Service Catalog
You can create AWS Service Catalog products from the existing CloudFormation template and use those products to provision a variety of EMR clusters. You can create an EMR cluster and consume the cluster’s services without having access to the cluster, which improves the Amazon EMR adoption process.
The following CloudFormation template creates an EMR cluster. This template takes two parameters:
- Cluster size – You select how many core nodes you want to have in the EMR cluster
- Compute type – Based on the compute type you choose; the template selects the respective EC2 instance type
As an account administrator, you can define the internal configuration for the EMR cluster. End users are not required to know all the security groups, subnet ID, key pair, and other information. They also don’t need to access the EMR cluster or spend time setting up your cluster. As an administrator, you define a template for the cluster; enforce all the compliance, versions, applications, automatic scaling rules through the CloudFormation template, and expose this template as a product through AWS Service Catalog.
The following section walks you through the solution for each use case.
Use cases walkthrough
The CloudFormation template already configured AWS Service Catalog portfolios and products. You can review these on the AWS Service Catalog console.
- Use the
ConsoleLoginURL from the AWS CloudFormation console Outputs tab and sign in as an
- On the AWS Service Catalog console, you can see two portfolios for engineers and analysts. In each of those portfolios, you can see two products.
The Data Analysts Stack contains products for the analyst and is assigned to the user
emr-data-analyst. The Data Engineering Stack contains products for engineers and is assigned to the
emr-data-engineer user. Upon logging in, they can see their respective products and portfolios.
Use case 1: Ensuring least privilege and appropriate access
The cluster administrator creates the least privilege IAM role for their users and associated that role through the Service Catalog product. Similarly, the administrator also assigns appropriate tags for each product. When data engineers or analysts launch an EMR cluster using any of their assigned products, the cluster has the least privilege access and resources are tagged automatically. To confirm this access is in place, complete the following steps:
- Sign in to the AWS Management Console as either
emr-data-engineer user or
Your console looks slightly different because the end-user does not manage the products, they just use the product to launch the clusters or execute jobs on the cluster.
- Choose Default EMR and provision this product by choosing Launch Product.
- For the name of the provisioned product, enter
The next screen shows a list of allowed parameters your administrator thinks you may need.
- Leave all parameters as default.
- For the cluster name, enter
- Review all the information and launch the product.
It takes few minutes to spin up the cluster. When the cluster is ready, the status changes to
Succeeded. The provision product page also shows you a list of outputs your product owner wants you to see. For example, using output values, your product owner can share Master DNS Address, Resource Manager URL, and Hue URL as shown in the following figure.
To verify if this launched EMR cluster has the expected IAM role and tags, sign in as
emr-admin user and go to the AWS EMR Console to review the service role for EC2 instances and tags.
Use case 2: Providing Amazon EMR as a self-serve ETL platform with Spark and Hive
For this use case, data engineers have two different ETL scripts:
- A Spark script that reads Amazon reviews stored in Amazon S3 and converts them into Parquet before writing back to Amazon S3
- A Hive script that reads Amazon reviews data from Amazon S3 and finds out the top toys based on customer ratings.
The administrator creates a product to self-serve these users; the product defines the job type and the job parameters. End users selects the job type and passes script, input and output locations.
- Sign in as
- Select the EMR ETL Engine product.
- Choose Launch.
The next page shows if the product has multiple versions. Because the engineer wants to try out two different Amazon EMR versions, the administrator provided both options through the product version. You can launch the EMR cluster with the required version by selecting your preferred product version.
- Enter the name of the product.
- For this post, select EMR 5.29.0.
- Choose Next.
- For JobType, choose Spark.
- For JobArtifacts, enter the following value (you can get these values from the AWS CloudFormation output):
- Choose Next.
Based on your configuration, an EMR cluster launches. When the cluster is ready, the Spark job runs.
- In a different browser, sign in as
emr-admin using the
ConsoleLoginURL (from the AWS CloudFormation output).
You can see the cluster status, job status, and output path from the Amazon EMR console.
Now, go to Amazon S3 console to check the output path:
The Parquet files are written inside the Spark folder.
- To test the Hive job, go back to the first browser where you already signed in as
- Choose Provisioned products list.
- Choose the product options menu (right-click) and choose Update provisioned product.
- On the next page, you can select a different version or the same version.
- In the Parameters section, choose Hive.
- In the JobArtifacts field, enter the following Hive parameters:
- Choose Update.
If you select the same version, AWS Service Catalog compares the old provisioned product with the updated product and only runs the portion that you changed. For this post, I chose the same Amazon EMR version and only updated the job type and parameters. You can see that the same EMR cluster is still there, but on the Steps tab, a new step is executed for Hive.
- On the Amazon S3 console using the second browser, verify that a new folder
hive is created with data that represents top toys based on Amazon reviews.
To recap, you saw how to use AWS Service Catalog to provide a product to run your ETL jobs. Your data engineers can focus on their ETL scripts and your platform can self-serve them to run their ETL jobs on the EMR cluster.
Use case 3: Automatically scaling the Hive cluster for data analysts
To automatically scale the Hive cluster for data analysts, complete the following steps:
- Using the console login URL from the AWS CloudFormation output, and sign in as
emr-data-analyst and go to AWS Service Catalog console.
You can see a different set of products for this user.
For this use case, your data analysts want to have an automatically scaling EMR cluster with Hive application. The administrator set up the
Auto-scaling EMR product with preconfigured rules.
- Choose Auto-scaling EMR.
- Enter a provisioned product name.
- Select Hive Auto-scaling.
- Choose Next.
- In the Parameters section, leave the options at their default and enter a cluster name.
- Launch the product.
The product owner also provided a client URL (for example, Hue URL) through the product output so business analysts can connect to it.
- Sign in as
emr-admin and validate if this new cluster is configured with the expected automatic scaling rules.
- On the Amazon EMR console, choose the cluster.
You can see the configuration on the Hardware tab.
In this use case, you learned how to use AWS Service Catalog to provide business analyst users a preconfigured, automatically scaled EMR cluster.
(Optional) Setting up AWS Service Catalog for Amazon EMR using AWS CLI
In the previous section, I demonstrated the solution using the AWS Service Catalog console. In the following section, I will show you how you use AWS Service Catalog using the AWS CLI. You can create AWS Service Catalog products and portfolios, assign IAM principals, and launch products.
- Create a portfolio named
CLI – Stack for the user
emr-admin. See the following command:
You receive a JSON output.
- Record the portfolio id
port-xxxxxxxx from the output to use later.
emr-admin user is the provider for this portfolio. The user is created with power user access, so the user can see the full-service catalog console and can manage products and portfolios.
You can associate this portfolio with multiple users. By assigning them to a portfolio, they can use the portfolio, browse through its products, and provision new products. For this use case, you associate a portfolio to
emr-admin and the AWS CLI user name (the name of the user that you used to configure your AWS CLI). Make sure to update the portfolio and AWS account ID.
- Enter the following code:
- To verify the portfolio to the user’s association, enter the following command with the portfolio ID:
It will list out the associated principals for the above portfolio as shown in this following figure:
The CloudFormation template already copied the Amazon EMR template into your Amazon S3 account at the path
- To create the product
CLI - Sample EMR using that template from Amazon S3, enter the following command:
- Record the product ID and provision ID from the JSON output.
You now have a product and a portfolio. A portfolio can have one to many products, and each product can have multiple versions.
- To assign the
CLI -Sample EMR product to the portfolio you created in Step 1, enter the following command:
A launch constraint specifies the IAM role that AWS Service Catalog assumes when an end-user launches a product. With a launch constraint, you can control end-user access to your AWS resources and limit usage.
The CloudFormation template already created the role
Blog-SCLaunchRole; create a launch constraint using that IAM role. Use the portfolio and product IDs that you collected from the previous step and your AWS account ID.
- To create the launch constraint, enter the following command:
- Record the launch constraint ID to use later.
You now have an AWS Service Catalog product that you can use to provision an EMR cluster. The CloudFormation template that you used to create the
CLI - Sample EMR product takes three parameters (
- To pass those three parameters as a key value pair, enter the following command (use the product ID and provision ID that you recorded earlier):
- Check the provisioned product’s status by using the provisioned product ID:
To recap, in this section you learned how to use AWS Service Catalog CLI to configure AWS Service Catalog products and portfolios, and how to provision an EMR cluster through AWS Service Catalog product.
To clean up the resources you created, complete the following steps:
- Terminate the product that you provisioned in the previous step:
- Disassociate the product
CLI – Sample EMR from the portfolio
CLI – Stack:
- Disassociate IAM principals from the portfolio
CLI – Stack:
- Delete the launch constraint created in the previous step:
- Delete the product
CLI – Sample EMR:
- Delete the portfolio
CLI – Stack:
Cleaning up additional resources
You must also clean up the resources you created with the CloudFormation template.
- On the AWS Service Catalog console, choose Provisioned products list.
- Terminate each product that you provisioned for these use cases.
- Check each of the users and their provisioned products to make sure they’re terminated.
- On the Amazon S3 console, empty the bucket
- If you are using the AWS CLI, delete the objects in the
blog-emr-sc-<account-id> bucket with the following command (make sure you’re running this command on the correct bucket):
- If you ran the optional AWS CLI section, make sure you follow the cleanup process mentioned in that section.
- On the AWS CloudFormation console or AWS CLI, delete the stack named
To enhance this solution, you can explore the following options:
- In this post, I enforced resource tagging through AWS CloudFormation. You can also use the AWS Service Catalog TagOptions library to provide a consistent taxonomy and tagging of AWS Service Catalog resources. During a product launch (provisioning), AWS Service Catalog aggregates the associated portfolio and product
TagOptions and applies them to the provisioned product.
- This solution demonstrates the usage of launch constraints and how you can provide limited access to your AWS resources to your users. You can also use template constraints to manage parameters. Template constraints make sure that end-users only have options that you allow them when launching products. This can help you maintain your organization’s compliance requirements.
- You can integrate AWS Budgets with AWS Service Catalog. By associating AWS Budgets with your products and portfolios, you can track your usage and service costs. You can set a custom budget for each of the portfolios and trigger alerts when your costs exceed your threshold.
In this post, I showed you how you can simplify your Amazon EMR provisional process using the AWS Service Catalog, how to make Amazon EMR a self-service platform for your end-users, and how you can enforce best practices and compliance to your EMR clusters. You also walked through three different use cases and implemented solutions with AWS Service Catalog. Give this solution a try and share your experience with us!
About the Author
Tanzir Musabbir is a Data & Analytics Architect with AWS. At AWS, he works with our customers to provide them architectural guidance for running analytics solutions on Amazon EMR, Amazon Athena & AWS Glue. Tanzir is a big Real Madrid fan and he loves to travel in his free time.