How “Open port 444” is set on Athena
Question
Athena’s documentation states that Port 444 must be open to support streaming query results.
I do encounter an error while querying Athena via JDBC, and the error is gone as soon as I disable query result streaming and use pagination.
I am confused by that “keep port 444 open” part - what does that mean to a fully managed, serverless offering like Athena - nothing more from the doc is said about how to do that and all my googling effort cannot provide a satisfactory answer.
What VPC is used by Athena? And what security group is used? Can I alter the rules to allow outbound traffic via port 444?
What is the missing piece?
Answer 1
Score: 1
Caveat: I haven't used the China-Regions which you're linking to, and I think they may be subtly different from the "rest" of the AWS Global Infrastructure so take this with a grain of salt.
The docs outline the following point, which helps to explain when this affects you:
> Open port 444 – Keep port 444, which Athena uses to stream query results, open to outbound traffic. When you use a PrivateLink endpoint to connect to Athena, ensure that the security group attached to the PrivateLink endpoint is open to inbound traffic on port 444. If port 444 is blocked, you may receive the error message `[Simba][AthenaJDBC](100123) An error has occurred. Exception during column initialization`.
If you're calling the Athena service from a resource running inside a VPC via an Interface VPC-Endpoint, this interface endpoint needs to have a security group attached that also opens port 444 for inbound traffic, not only the usual suspects (80, 443).
If you're not using an interface VPC-endpoint and instead make a call to the public Athena endpoint (the default), this won't matter to you as AWS will ensure that this can receive traffic on port 444.
Answer 2
Score: 0
To have your JDBC driver work well with Athena, check the following 2 points:
- IAM permission: Add the `athena:GetQueryResultsStream` policy to the principal whose access_key is used to configure the JDBC driver. You may need additional permissions. The policy `athena:GetQueryResultsStream` only allows you to stream the query result.
- Port 444 is not blocked, all along the way: think about the complete network journey
  - Is the Athena address JDBC uses accessible on port 444? Check security group settings.
  - Are there any proxy servers in between that can make port 444 unavailable?
  - Does the machine running the JDBC program allow outbound traffic towards port 444?
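
The security-group check both answers point to can be run offline against saved `aws ec2 describe-security-groups` output for the groups attached to the interface endpoint. The following is an added example, not part of either answer or of AWS tooling; the group IDs, CIDRs, client address and the choice of 443 plus 444 as required ports are assumptions for illustration.

```python
import ipaddress

REQUIRED_PORTS = (443, 444)  # assumption: HTTPS API calls plus result streaming

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# group IDs and CIDRs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE-https-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-EXAMPLE-streaming", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 444,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

def rule_allows(rule, port, client_ip, client_sgs=()):
    """True if one inbound rule admits TCP `port` from the given client."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "6", "-1"):
        return False
    # "-1" means all protocols and all ports; FromPort/ToPort are absent then.
    if proto != "-1" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    addr = ipaddress.ip_address(client_ip)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    # A rule may reference the client's own security group instead of a CIDR.
    return any(p.get("GroupId") in client_sgs
               for p in rule.get("UserIdGroupPairs", []))

def missing_ports(groups, client_ip, client_sgs=()):
    """Required ports that no attached group admits (group rules are additive)."""
    rules = [r for g in groups for r in g.get("IpPermissions", [])]
    return [p for p in REQUIRED_PORTS
            if not any(rule_allows(r, p, client_ip, client_sgs) for r in rules)]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["GroupId"], "missing:", missing_ports([g], "10.0.3.25"))
```

A result of `[444]` for the endpoint's groups matches the situation described above, where the API call succeeds but result streaming fails.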