fix krb5_hdfs_storage (#108)

cyjseagull · web-flow · commit ae83bb09e7bb · 2024-12-03T16:49:30.000+08:00
* ppc_model support krb5 auth

* fix krb5_hdfs_storage

* fix wedpr_ml_toolkit hdfs storage
diff --git a/python/ppc_common/deps_services/krb5_hdfs_storage.py b/python/ppc_common/deps_services/krb5_hdfs_storage.py
@@ -1,24 +1,16 @@
 # -*- coding: utf-8 -*-
-import os
-from krbcontext.context import krbContext
 from hdfs.ext.kerberos import KerberosClient
 from ppc_common.deps_services.hdfs_storage import HdfsStorage
 from ppc_common.deps_services.storage_api import HDFSStorageConfig
 
 
 class Krb5HdfsStorage(HdfsStorage):
-    def __init__(self, hdfs_config: HDFSStorageConfig):
+    def __init__(self, hdfs_config: HDFSStorageConfig, logger):
         super().__init__(hdfs_config, False)
         self.hdfs_config = hdfs_config
-        self.krb5_ctx = krbContext(
-            using_keytab=True,
-            principal=self.hdfs_config.hdfs_auth_principal,
-            keytab_file=self.hdfs_config.hdfs_auth_secret_file_path)
-
-        self.client = KerberosClient(self.hdfs_config.hdfs_url)
         self.client = KerberosClient(
-            krb_principal=self.hdfs_config.hdfs_auth_principal,
-            krb_keytab=self.hdfs_config.hdfs_auth_secret_file_path,
-            krb_ccache_path="/tmp/hdfs",
-            hdfs_namenode_address=self.hdfs_config.hdfs_url,
+            url=self.hdfs_config.hdfs_url,
+            principal=self.hdfs_config.hdfs_auth_principal,
+            hostname_override=self.hdfs_config.hdfs_hostname_override,
+            password=self.hdfs_config.hdfs_auth_password,
             timeout=10000)
diff --git a/python/ppc_common/deps_services/storage_api.py b/python/ppc_common/deps_services/storage_api.py
@@ -18,18 +18,19 @@ def __init__(self, hdfs_url: str = None,
                  hdfs_home: str = None,
                  enable_krb5_auth: bool = False,
                  hdfs_auth_principal: str = None,
-                 hdfs_auth_secret_file_path: str = None):
+                 hdfs_auth_password: str = None,
+                 hdfs_hostname_override: str = None):
         self.hdfs_url = hdfs_url
         self.hdfs_user = hdfs_user
         self.hdfs_home = hdfs_home
         self.enable_krb5_auth = enable_krb5_auth
         self.hdfs_auth_principal = hdfs_auth_principal
-        self.hdfs_auth_secret_file_path = hdfs_auth_secret_file_path
+        self.hdfs_auth_password = hdfs_auth_password
+        self.hdfs_hostname_override = hdfs_hostname_override
 
     def __repr__(self):
         return f"hdfs_user: {self.hdfs_user}, hdfs_home: {self.hdfs_home}, hdfs_url: {self.hdfs_url}, " \
-               f"enable_krb5_auth: {self.enable_krb5_auth}, hdfs_auth_principal: {self.hdfs_auth_principal}, " \
-               f"hdfs_auth_secret_file_path: {self.hdfs_auth_secret_file_path}"
+               f"enable_krb5_auth: {self.enable_krb5_auth}, hdfs_auth_principal: {self.hdfs_auth_principal}"
 
     def load_config(self, config: dict, logger):
         self.hdfs_url = common_func.get_config_value(
@@ -38,6 +39,7 @@ def load_config(self, config: dict, logger):
             'HDFS_USER', self.DEFAULT_HDFS_USER, config, False)
         self.hdfs_home = common_func.get_config_value(
             "HDFS_HOME", os.path.join(self.DEFAULT_HDFS_USER_PATH, self.hdfs_user), config, False)
+
         # the auth information
         self.enable_krb5_auth = common_func.get_config_value(
             "HDFS_ENABLE_AUTH", False, config, False)
@@ -48,14 +50,22 @@ def load_config(self, config: dict, logger):
         self.hdfs_auth_principal = common_func.get_config_value(
             "HDFS_AUTH_PRINCIPAL", None, config, require_auth_info
         )
-        # the keytab file path
-        self.hdfs_auth_secret_file_path = common_func.get_config_value(
-            "HDFS_AUTH_KEYTAB_PATH", None, config, require_auth_info
-        )
+        # the password
+        self.hdfs_auth_password = common_func.get_config_value(
+            "HDFS_AUTH_PASSWORD", None, config, require_auth_info)
+        #  the hostname override
+        self.hdfs_hostname_override = common_func.get_config_value(
+            "HDFS_HOSTNAME_OVERRIDE", None, config, require_auth_info)
         if logger is not None:
             logger.info(f"*** load hdfs storage config : {self}")
         else:
             print(f"*** load hdfs storage config : {self}")
+        self._check()
+
+    def _check(self):
+        common_func.require_non_empty("HDFS_URL", self.hdfs_url)
+        common_func.require_non_empty("HDFS_USER", self.hdfs_user)
+        common_func.require_non_empty("HDFS_HOME", self.hdfs_home)
 
 
 class StorageApi(ABC):
diff --git a/python/ppc_common/deps_services/storage_loader.py b/python/ppc_common/deps_services/storage_loader.py
@@ -6,16 +6,16 @@
 
 class HDFSStorageLoader:
     @staticmethod
-    def load(hdfs_config: HDFSStorageConfig):
+    def load(hdfs_config: HDFSStorageConfig, logger):
         if hdfs_config.enable_krb5_auth is False:
             return HdfsStorage(hdfs_config)
-        return Krb5HdfsStorage(hdfs_config)
+        return Krb5HdfsStorage(hdfs_config, logger)
 
 
 def load(config: dict, logger):
     if config['STORAGE_TYPE'] == StorageType.HDFS.value:
         hdfs_config = HDFSStorageConfig()
         hdfs_config.load_config(config, logger)
-        return HDFSStorageLoader.load(hdfs_config)
+        return HDFSStorageLoader.load(hdfs_config, logger)
     else:
         raise Exception('unsupported storage type')
diff --git a/python/ppc_common/deps_services/tests/hdfs_storage_test.py b/python/ppc_common/deps_services/tests/hdfs_storage_test.py
@@ -2,23 +2,28 @@
 import unittest
 from ppc_common.deps_services.storage_api import HDFSStorageConfig
 from ppc_common.deps_services.storage_loader import HDFSStorageLoader
+import logging
 
 
 class HDFSStorageWrapper:
     def __init__(self):
+        self.logger = logging.getLogger("HDFSStorageWrapper")
         # use the default config
-        hdfs_url = "hdfs://127.0.0.1:9900"
-        hdfs_user = "wedpr"
+        hdfs_url = "http://127.0.0.1:50070"
+        hdfs_user = "root"
         hdfs_home = "/user/ppc"
-        enable_krb5_auth = False
-        hdfs_auth_principal = ""
-        hdfs_auth_secret_file_path = ""
+        enable_krb5_auth = True
+        hdfs_auth_principal = "root@NODE.DC1.CONSUL"
+        hdfs_auth_password = "root"
+        hdfs_hostname_override = "wedpr-0001"
         self.hdfs_config = HDFSStorageConfig(
             hdfs_url=hdfs_url, hdfs_user=hdfs_user,
             hdfs_home=hdfs_home, enable_krb5_auth=enable_krb5_auth,
             hdfs_auth_principal=hdfs_auth_principal,
-            hdfs_auth_secret_file_path=hdfs_auth_secret_file_path)
-        self.hdfs_storage = HDFSStorageLoader.load(self.hdfs_config)
+            hdfs_auth_password=hdfs_auth_password,
+            hdfs_hostname_override=hdfs_hostname_override)
+        self.hdfs_storage = HDFSStorageLoader.load(
+            self.hdfs_config, self.logger)
 
     def test_file_op(self, file_path):
         hdfs_file_path = f"test/{file_path}"
diff --git a/python/ppc_common/ppc_utils/common_func.py b/python/ppc_common/ppc_utils/common_func.py
@@ -26,3 +26,8 @@ def get_file_encoding(file_path):
             raise Exception(f"Unknown File Encoding, file: {file_path}")
         encoding = file_chardet["encoding"]
     return encoding
+
+
+def require_non_empty(value_property, value):
+    if value is None or len(value) == 0:
+        raise Exception(f"the ${value_property} must non-empty!")
diff --git a/python/ppc_model/conf/application-sample.yml b/python/ppc_model/conf/application-sample.yml
@@ -16,14 +16,15 @@ SQLALCHEMY_DATABASE_URI: "mysql://[*user_ppcsmodeladm]:[*pass_ppcsmodeladm]@[@43
 HDFS_URL: "http://127.0.0.1:50070"
 # HDFS,
 STORAGE_TYPE: "HDFS"
-HDFS_URL: "http://127.0.0.1:9870"
 HDFS_USER: "root"
 HDFS_HOME: "/user/ppc/model/webank"
 HDFS_ENABLE_AUTH: False
 # the hdfs auth principal
 HDFS_AUTH_PRINCIPAL: "root@NODE.DC1.CONSUL"
-# the auth key-tab path
-HDFS_AUTH_KEYTAB_PATH: "./hdfs-wedpr.keytab"
+# the auth password
+HDFS_AUTH_PASSWORD: ""
+# the host name override
+HDFS_HOSTNAME_OVERRIDE: "wedpr-0001"
 
 JOB_TEMP_DIR: ".cache/job"
 
diff --git a/python/ppc_model/model_crypto/crypto_aes.py b/python/ppc_model/model_crypto/crypto_aes.py
@@ -23,17 +23,16 @@ def load_key_from_file(filename):
         key = file.read()
     return key
 
-
-# key = load_key_from_file('aes_key.bin')
+# AES加密函数
 
 
-# AES加密函数
 def encrypt_data(key, plaintext):
     # 使用随机生成的初始向量 (IV)
     iv = os.urandom(16)  # AES块大小为128位（16字节）
-    
+
     # 创建AES加密器
-    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv),
+                    backend=default_backend())
     encryptor = cipher.encryptor()
 
     # 对数据进行填充（AES要求输入的块大小为128位）
@@ -54,11 +53,13 @@ def decrypt_data(key, ciphertext):
     actual_ciphertext = ciphertext[16:]
 
     # 创建AES解密器
-    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv),
+                    backend=default_backend())
     decryptor = cipher.decryptor()
 
     # 解密数据
-    decrypted_padded_data = decryptor.update(actual_ciphertext) + decryptor.finalize()
+    decrypted_padded_data = decryptor.update(
+        actual_ciphertext) + decryptor.finalize()
 
     # 去除填充
     unpadder = padding.PKCS7(128).unpadder()
diff --git a/python/requirements.txt b/python/requirements.txt
@@ -56,5 +56,4 @@ MarkupSafe>=2.1.1
 urllib3==1.26.18
 phe
 chardet
-krbcontext
-requests_kerberos
+requests_kerberos>=0.15.0
diff --git a/python/wedpr_ml_toolkit/conf/config.properties b/python/wedpr_ml_toolkit/conf/config.properties
@@ -5,4 +5,9 @@ remote_entrypoints=http://127.0.0.1:16000,http://127.0.0.1:16001
 agency_name=WeBank
 workspace_path=/user/wedpr/webank/
 user=test_user
+
 storage_endpoint=http://127.0.0.1:50070
+enable_krb5_auth=False
+hdfs_auth_principal=root@NODE.DC1.CONSUL
+hdfs_auth_password=root
+hdfs_hostname_override=wedpr-0001
diff --git a/python/wedpr_ml_toolkit/requirements.txt b/python/wedpr_ml_toolkit/requirements.txt
@@ -2,4 +2,4 @@ setuptools>=70.0.0
 hdfs>=2.7.2
 requests~=2.31.0
 requests_toolbelt==0.9.1
-
+requests_kerberos>=0.15.0
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/common/utils/hdfs_storage_impl.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/common/utils/hdfs_storage_impl.py
@@ -3,25 +3,27 @@
 
 from hdfs.client import InsecureClient
 from wedpr_ml_toolkit.common.utils import utils
+from wedpr_ml_toolkit.config.wedpr_ml_config import StorageConfig
+from hdfs.ext.kerberos import KerberosClient
 
 
 class HdfsStorageImpl:
-
-    DEFAULT_HDFS_USER = "ppc"
-    DEFAULT_HDFS_USER_PATH = "/user/"
-
     # endpoint: http://127.0.0.1:50070
-    def __init__(self, endpoint, hdfs_user, hdfs_home=None):
-        self.endpoint = endpoint
-        self._user = hdfs_user
-        self._hdfs_storage_path = hdfs_home
-        if hdfs_home is None:
-            self._hdfs_storage_path = os.path.join(
-                HdfsStorage.DEFAULT_HDFS_USER_PATH, self._user)
-
-        self.client = InsecureClient(endpoint, user=self._user)
-        # print(self.client.list('/'))
-        # print(self.client.list('/user/root/'))
+    def __init__(self, storage_config: StorageConfig):
+        self.hdfs_config = storage_config
+        self._hdfs_storage_path = self.hdfs_config.user_config.get_workspace_path()
+        self.client = None
+        if self.hdfs_config.get_enable_krb5_auth() is True:
+            self.client = KerberosClient(
+                url=self.hdfs_config.storage_endpoint,
+                principal=self.hdfs_config.hdfs_auth_principal,
+                hostname_override=self.hdfs_config.hdfs_hostname_override,
+                password=self.hdfs_config.hdfs_auth_password,
+                timeout=10000)
+        else:
+            self.client = InsecureClient(
+                self.hdfs_config.storage_endpoint,
+                user=self.hdfs_config.user_config.user)
 
     def get_home_path(self):
         return self._hdfs_storage_path
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/common/utils/utils.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/common/utils/utils.py
@@ -50,3 +50,9 @@ def get_config_value(key, default_value, config_value, required):
     if value is None:
         return default_value
     return value
+
+
+def str_to_bool(str_value):
+    if str_value.lower() == "true":
+        return True
+    return False
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/config/wedpr_ml_config.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/config/wedpr_ml_config.py
@@ -3,6 +3,7 @@
 from wedpr_ml_toolkit.common.utils.base_object import BaseObject
 from wedpr_ml_toolkit.common.utils.constant import Constant
 from wedpr_ml_toolkit.common.utils.properies_parser import Properties
+from wedpr_ml_toolkit.common.utils import utils
 
 
 class AuthConfig(BaseObject):
@@ -39,11 +40,6 @@ def __init__(self,
         self.update_dataset_uri = update_dataset_uri
 
 
-class StorageConfig(BaseObject):
-    def __init__(self, storage_endpoint: str = None):
-        self.storage_endpoint = storage_endpoint
-
-
 class UserConfig(BaseObject):
     def __init__(self, agency_name: str = None, workspace_path: str = None, user_name: str = None):
         self.agency_name = agency_name
@@ -54,6 +50,31 @@ def get_workspace_path(self):
         return os.path.join(self.workspace_path, self.user)
 
 
+class StorageConfig(BaseObject):
+    def __init__(self,
+                 user_config: UserConfig,
+                 storage_endpoint: str = None,
+                 enable_krb5_auth: bool = False,
+                 hdfs_auth_principal: str = None,
+                 hdfs_auth_password: str = None,
+                 hdfs_hostname_override: str = None):
+        self.user_config = user_config
+        self.storage_endpoint = storage_endpoint
+        self.enable_krb5_auth = enable_krb5_auth
+        self.hdfs_auth_principal = hdfs_auth_principal
+        self.hdfs_auth_password = hdfs_auth_password
+        self.hdfs_hostname_override = hdfs_hostname_override
+
+    def get_enable_krb5_auth(self) -> bool:
+        if self.enable_krb5_auth is None or len(self.enable_krb5_auth) == 0:
+            return False
+        return utils.str_to_bool(self.enable_krb5_auth)
+
+    def __repr__(self):
+        return f"hdfs_user: {self.hdfs_user}, hdfs_home: {self.hdfs_home}, hdfs_url: {self.hdfs_url}, " \
+            f"enable_krb5_auth: {self.enable_krb5_auth}, hdfs_auth_principal: {self.hdfs_auth_principal}"
+
+
 class HttpConfig(BaseObject):
     def __init__(self, timeout_seconds=3):
         self.timeout_seconds = timeout_seconds
@@ -65,13 +86,13 @@ def __init__(self, config_dict):
         self.auth_config.set_params(**config_dict)
         self.job_config = JobConfig()
         self.job_config.set_params(**config_dict)
-        self.storage_config = StorageConfig()
-        self.storage_config.set_params(**config_dict)
         self.user_config = UserConfig()
         self.user_config.set_params(**config_dict)
         self.http_config = HttpConfig()
         self.http_config.set_params(**config_dict)
         self.dataset_config = DatasetConfig()
+        self.storage_config = StorageConfig(self.user_config)
+        self.storage_config.set_params(**config_dict)
 
 
 class WeDPRMlConfigBuilder:
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/context/result/result_context.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/context/result/result_context.py
@@ -56,7 +56,7 @@ def check_and_get_job_type(job_context: JobContext, job_result_detail: JobDetail
         return job_result_detail.job_object.jobType
 
     def _generate_result_dataset_(self, dataset_file_path):
-        dataset_meta = DatasetMeta(user=self.job_context.storage_entry_point.user_config.user,
+        dataset_meta = DatasetMeta(user=self.job_context.user_config.user,
                                    agency=self.job_context.user_config.agency_name,
                                    file_path=dataset_file_path)
         return DatasetContext(storage_entrypoint=self.job_context.storage_entry_point,
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/transport/storage_entrypoint.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/transport/storage_entrypoint.py
@@ -7,11 +7,9 @@
 
 
 class StorageEntryPoint:
-    def __init__(self, user_config: UserConfig, storage_config: StorageConfig):
+    def __init__(self, storage_config: StorageConfig):
         self.storage_config = storage_config
-        self.user_config = user_config
-        self.storage_client = HdfsStorageImpl(
-            self.storage_config.storage_endpoint, self.user_config.user, self.user_config.get_workspace_path())
+        self.storage_client = HdfsStorageImpl(self.storage_config)
 
     def upload_bytes(self, data, hdfs_path):
         self.storage_client.save_data(data, hdfs_path)
diff --git a/python/wedpr_ml_toolkit/wedpr_ml_toolkit/wedpr_ml_toolkit.py b/python/wedpr_ml_toolkit/wedpr_ml_toolkit/wedpr_ml_toolkit.py
@@ -33,8 +33,8 @@ def __init__(self, config: WeDPRMlConfig):
         self.dataset_client = WeDPRDatasetClient(http_config=self.config.http_config,
                                                  auth_config=self.config.auth_config,
                                                  dataset_config=self.config.dataset_config)
-        self.storage_entry_point = StorageEntryPoint(self.config.user_config,
-                                                     self.config.storage_config)
+        self.storage_entry_point = StorageEntryPoint(
+            self.config.storage_config)
 
     def get_config(self) -> WeDPRMlConfig:
         return self.config
