
Commit 04eed68

committed
Using locks and monitors to ensure proper configs for setting up kerberized cluster in integration tests
1 parent d7441ba commit 04eed68

30 files changed

+835
-525
lines changed

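--- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala
+++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala
@@ -17,19 +17,26 @@
 package org.apache.spark.deploy.kubernetes.submit.submitsteps.hadoopsteps
 
 import java.io._
-import java.security.PrivilegedExceptionAction
+
+import scala.collection.JavaConverters._
+import scala.util.Try
 
 import io.fabric8.kubernetes.api.model.SecretBuilder
 import org.apache.commons.codec.binary.Base64
 import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.fs.FileSystem
 import org.apache.hadoop.security.{Credentials, UserGroupInformation}
+import org.apache.hadoop.security.token.{Token, TokenIdentifier}
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
 
 import org.apache.spark.SparkConf
 import org.apache.spark.deploy.SparkHadoopUtil
 import org.apache.spark.deploy.kubernetes.{KerberosConfBootstrapImpl, PodWithMainContainer}
 import org.apache.spark.deploy.kubernetes.constants._
 import org.apache.spark.internal.Logging
 
+
+
 /**
 * Step that configures the ConfigMap + Volumes for the driver
 */
@@ -59,20 +66,26 @@ private[spark] class HadoopKerberosKeytabResolverStep(
 }
 // In the case that keytab is not specified we will read from Local Ticket Cache
 val jobUserUGI = maybeJobUserUGI.getOrElse(UserGroupInformation.getCurrentUser)
-logInfo(s"Primary group name: ${jobUserUGI.getPrimaryGroupName}")
-val credentials: Credentials = jobUserUGI.getCredentials
-val credentialsManager = newHadoopTokenManager(submissionSparkConf, hadoopConf)
-var renewalTime = Long.MaxValue
-jobUserUGI.doAs(new PrivilegedExceptionAction[Void] {
-override def run(): Void = {
-renewalTime = Math.min(
-obtainCredentials(credentialsManager, hadoopConf, credentials),
-renewalTime)
-null
-}
-})
-if (credentials.getAllTokens.isEmpty) logError("Did not obtain any Delegation Tokens")
-val data = serialize(credentials)
+logInfo(s"Retrieved Job User UGI: $jobUserUGI")
+val originalCredentials: Credentials = jobUserUGI.getCredentials
+logInfo(s"Original tokens: ${originalCredentials.toString}")
+logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
+logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
+val dfs: FileSystem = FileSystem.get(hadoopConf)
+// This is not necessary with [Spark-20328] since we would be using
+// Spark core providers to handle delegation token renewal
+val renewer: String = jobUserUGI.getShortUserName
+logInfo(s"Renewer is: $renewer")
+val renewedCredentials: Credentials = new Credentials(originalCredentials)
+dfs.addDelegationTokens(renewer, renewedCredentials)
+val renewedTokens = renewedCredentials.getAllTokens.asScala
+logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
+logInfo(s"All renewed tokens: ${renewedTokens}")
+logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+if (renewedTokens.isEmpty) logError("Did not obtain any Delegation Tokens")
+val data = serialize(renewedCredentials)
+val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf)
+.getOrElse(Long.MaxValue)
 val delegationToken = HDFSDelegationToken(data, renewalTime)
 val initialTokenLabelName = s"$KERBEROS_SECRET_LABEL_PREFIX-1-$renewalTime"
 logInfo(s"Storing dt in $initialTokenLabelName")
@@ -97,24 +110,24 @@ private[spark] class HadoopKerberosKeytabResolverStep(
 dtSecret = Some(secretDT))
 }
 
-// Functions that should be in SparkHadoopUtil with Rebase to 2.2
+// Functions that should be in Core with Rebase to 2.3
 @deprecated("Moved to core in 2.2", "2.2")
-private def obtainCredentials(instance: Any, args: AnyRef*): Long = {
-val method = Class
-.forName("org.apache.spark.deploy.yarn.security.ConfigurableCredentialManager")
-.getMethod("obtainCredentials", classOf[Configuration], classOf[Configuration])
-method.setAccessible(true)
-method.invoke(instance, args: _*).asInstanceOf[Long]
+private def getTokenRenewalInterval(
+renewedTokens: Iterable[Token[_ <: TokenIdentifier]],
+hadoopConf: Configuration): Option[Long] = {
+val renewIntervals = renewedTokens.filter {
+_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier]}
+.flatMap { token =>
+Try {
+val newExpiration = token.renew(hadoopConf)
+val identifier = token.decodeIdentifier().asInstanceOf[AbstractDelegationTokenIdentifier]
+val interval = newExpiration - identifier.getIssueDate
+logInfo(s"Renewal interval is $interval for token ${token.getKind.toString}")
+interval
+}.toOption}
+if (renewIntervals.isEmpty) None else Some(renewIntervals.min)
 }
-@deprecated("Moved to core in 2.2", "2.2")
-// This method will instead be using HadoopDelegationTokenManager from Spark 2.2
-private def newHadoopTokenManager(args: AnyRef*): Any = {
-val constructor = Class
-.forName("org.apache.spark.deploy.yarn.security.ConfigurableCredentialManager")
-.getConstructor(classOf[SparkConf], classOf[Configuration])
-constructor.setAccessible(true)
-constructor.newInstance(args: _*)
-}
+
 @deprecated("Moved to core in 2.2", "2.2")
 private def serialize(creds: Credentials): Array[Byte] = {
 val byteStream = new ByteArrayOutputStream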
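Review bot: The new token fetch calls `FileSystem.get(hadoopConf)` and `dfs.addDelegationTokens(renewer, renewedCredentials)` directly, whereas the removed code ran the fetch inside `jobUserUGI.doAs(...)`; unless the part of the method above this hunk already switches identity, the delegation tokens are requested as the submitting process's current user rather than as the keytab principal held in `jobUserUGI`. Wrapping the fetch in `jobUserUGI.doAs` (and probably the `token.renew(hadoopConf)` call in `getTokenRenewalInterval` as well) restores the earlier behaviour, which means keeping the `java.security.PrivilegedExceptionAction` import that the first hunk removes. Separately, the added `logInfo` lines print the UGI, every token and the secret-key names at INFO level; even if Hadoop's string form of a token leaves out the password, identifiers of live credentials are better logged with `logDebug` or not at all. The enclosing method begins above the hunk, so the identity in effect at this point should be confirmed there.

```scala
val renewedCredentials: Credentials = new Credentials(originalCredentials)
// Fetch the tokens as the job user, as the removed code did
jobUserUGI.doAs(new PrivilegedExceptionAction[Void] {
  override def run(): Void = {
    FileSystem.get(hadoopConf).addDelegationTokens(renewer, renewedCredentials)
    null
  }
})
// … unchanged: empty-token check, serialize, getTokenRenewalInterval …
```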

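--- a/resource-managers/kubernetes/docker-minimal-bundle/src/main/docker/kerberos-test/Dockerfile
+++ b/resource-managers/kubernetes/docker-minimal-bundle/src/main/docker/kerberos-test/Dockerfile
@@ -21,25 +21,7 @@ FROM spark-base
 # command should be invoked from the top level directory of the Spark distribution. E.g.:
 # docker build -t kerberos-test:latest -f dockerfiles/kerberos-test/Dockerfile .
 
-COPY examples /opt/spark/examples
 RUN apk add --no-cache --update krb5 krb5-libs
-COPY hconf/krb5.conf /etc/krb5.conf
-COPY test-scripts/test-env.sh /
-
-CMD /opt/spark/bin/spark-submit \
---deploy-mode cluster \
---class ${CLASS_NAME} \
---master k8s://${MASTER_URL} \
---kubernetes-namespace ${NAMESPACE} \
---conf spark.executor.instances=1 \
---conf spark.app.name=spark-hdfs \
---conf spark.kubernetes.driver.docker.image=spark-driver:latest \
---conf spark.kubernetes.executor.docker.image=spark-executor:latest \
---conf spark.kubernetes.initcontainer.docker.image=spark-init:latest \
---conf spark.kubernetes.kerberos=true \
---conf spark.kubernetes.kerberos.keytab=/var/keytabs/hdfs.keytab \
---conf spark.kubernetes.kerberos.principal=hdfs/nn.${NAMESPACE}[email protected] \
---conf spark.kubernetes.driver.labels=spark-app-locator=${APP_LOCATOR_LABEL} \
---files local:///etc/hadoop/core-site.xml,local:///etc/hadoop/hdfs-site.xml,local:///etc/hadoop/yarn-site.xml \
-${SUBMIT_RESOURCE} \
-hdfs://nn.${NAMESPACE}.svc.cluster.local:9000/user/ifilonenko/wordcount.txt
+COPY examples /opt/spark/examples
+COPY test-scripts/test-env.sh /opt/spark/
+COPY hconf /opt/spark/hconf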
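Review bot: With the `CMD` removed, nothing visible in this Dockerfile says how the container is started or where the Kerberos client configuration comes from, since `/etc/krb5.conf` is no longer populated and `hconf` now lands under `/opt/spark/hconf`. A header comment such as `# No CMD here: the launcher supplies the command and must point krb5 at /opt/spark/hconf/krb5.conf` would record that. `COPY hconf /opt/spark/hconf` also bakes the whole directory into an image layer, so it is worth confirming that `hconf` holds only configuration files and no keytabs.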

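--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml
@@ -11,6 +11,7 @@ spec:
 labels:
 name: hdfs-data-populator
 kerberosService: data-populator
+job: kerberos-test
 spec:
 containers:
 - command: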
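Review bot: The label value added here, `job: kerberos-test`, does not match the `job: kerberostest` that this same commit adds to namenode-hadoop.yml and that namenode-hadoop-pv.yml already carries, so one label selector cannot cover both the pods and services and the namenode volume objects. If the tests select or clean up resources by this label, pick a single spelling, for example by changing the PV and PVC to `job: kerberos-test`. The same label line is added in data-populator-service.yml, dn1-deployment.yml, dn1-service.yml, kerberos-deployment.yml and kerberos-service.yml.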

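--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml
@@ -5,6 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: data-populator
+job: kerberos-test
 name: data-populator
 spec:
 clusterIP: None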

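--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml
@@ -11,6 +11,7 @@ spec:
 labels:
 name: hdfs-dn1
 kerberosService: dn1
+job: kerberos-test
 spec:
 containers:
 - command: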

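--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml
@@ -5,6 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: dn1
+job: kerberos-test
 name: dn1
 spec:
 clusterIP: None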

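--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml
@@ -11,6 +11,7 @@ spec:
 labels:
 name: hdfs-kerberos
 kerberosService: kerberos
+job: kerberos-test
 spec:
 containers:
 - command: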

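--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml
@@ -5,6 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: kerberos
+job: kerberos-test
 name: kerberos
 spec:
 clusterIP: None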

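--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/namenode-hadoop-pv.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/namenode-hadoop-pv.yml
@@ -7,7 +7,7 @@ metadata:
 job: kerberostest
 spec:
 capacity:
-storage: 10Gi
+storage: 1Gi
 accessModes:
 - ReadWriteOnce
 hostPath: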

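--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/namenode-hadoop.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/namenode-hadoop.yml
@@ -2,6 +2,8 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: nn-hadoop
+labels:
+job: kerberostest
 spec:
 accessModes:
 - ReadWriteOnce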
