
Commit 62354eb

committed
working Stage 2
1 parent 04eed68 commit 62354eb

23 files changed

+215
-89
lines changed

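--- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala
+++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala
@@ -17,6 +17,7 @@
 package org.apache.spark.deploy.kubernetes.submit.submitsteps.hadoopsteps
 
 import java.io._
+import java.security.PrivilegedExceptionAction
 
 import scala.collection.JavaConverters._
 import scala.util.Try
@@ -30,6 +31,7 @@ import org.apache.hadoop.security.token.{Token, TokenIdentifier}
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
 
 import org.apache.spark.SparkConf
+
 import org.apache.spark.deploy.SparkHadoopUtil
 import org.apache.spark.deploy.kubernetes.{KerberosConfBootstrapImpl, PodWithMainContainer}
 import org.apache.spark.deploy.kubernetes.constants._
@@ -44,9 +46,12 @@ private[spark] class HadoopKerberosKeytabResolverStep(
 submissionSparkConf: SparkConf,
 maybePrincipal: Option[String],
 maybeKeytab: Option[File]) extends HadoopConfigurationStep with Logging{
-
-override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
-// FIXME: Pass down hadoopConf so you can call sc.hadoopConfiguration
+private var originalCredentials: Credentials = _
+private var dfs : FileSystem = _
+private var renewer: String = _
+private var renewedCredentials: Credentials = _
+private var renewedTokens: Iterable[Token[_ <: TokenIdentifier]] = _
+override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
 val hadoopConf = SparkHadoopUtil.get.newConfiguration(submissionSparkConf)
 logInfo(s"Hadoop Configuration: ${hadoopConf.toString}")
 if (!UserGroupInformation.isSecurityEnabled) logError("Hadoop not configuration with Kerberos")
@@ -66,26 +71,30 @@ private[spark] class HadoopKerberosKeytabResolverStep(
 }
 // In the case that keytab is not specified we will read from Local Ticket Cache
 val jobUserUGI = maybeJobUserUGI.getOrElse(UserGroupInformation.getCurrentUser)
-logInfo(s"Retrieved Job User UGI: $jobUserUGI")
-val originalCredentials: Credentials = jobUserUGI.getCredentials
-logInfo(s"Original tokens: ${originalCredentials.toString}")
-logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
-logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
-val dfs: FileSystem = FileSystem.get(hadoopConf)
-// This is not necessary with [Spark-20328] since we would be using
-// Spark core providers to handle delegation token renewal
-val renewer: String = jobUserUGI.getShortUserName
-logInfo(s"Renewer is: $renewer")
-val renewedCredentials: Credentials = new Credentials(originalCredentials)
-dfs.addDelegationTokens(renewer, renewedCredentials)
-val renewedTokens = renewedCredentials.getAllTokens.asScala
-logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
-logInfo(s"All renewed tokens: ${renewedTokens}")
-logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+// It is necessary to run as jobUserUGI because logged in user != Current User
+jobUserUGI.doAs(new PrivilegedExceptionAction[Void] {
+override def run(): Void = {
+logInfo(s"Retrieved Job User UGI: $jobUserUGI")
+originalCredentials = jobUserUGI.getCredentials
+logInfo(s"Original tokens: ${originalCredentials.toString}")
+logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
+logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
+dfs = FileSystem.get(hadoopConf)
+// This is not necessary with [Spark-20328] since we would be using
+// Spark core providers to handle delegation token renewal
+renewer = jobUserUGI.getShortUserName
+logInfo(s"Renewer is: $renewer")
+renewedCredentials = new Credentials(originalCredentials)
+dfs.addDelegationTokens(renewer, renewedCredentials)
+renewedTokens = renewedCredentials.getAllTokens.asScala
+logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
+logInfo(s"All renewed tokens: ${renewedTokens.mkString(",")}")
+logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+null
+}})
 if (renewedTokens.isEmpty) logError("Did not obtain any Delegation Tokens")
 val data = serialize(renewedCredentials)
-val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf)
-.getOrElse(Long.MaxValue)
+val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf).getOrElse(Long.MaxValue)
 val delegationToken = HDFSDelegationToken(data, renewalTime)
 val initialTokenLabelName = s"$KERBEROS_SECRET_LABEL_PREFIX-1-$renewalTime"
 logInfo(s"Storing dt in $initialTokenLabelName")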
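Review bot: The five `private var` fields added to the class (`originalCredentials`, `dfs`, `renewer`, `renewedCredentials`, `renewedTokens`) seem to exist only so the `run()` body passed to `jobUserUGI.doAs` can hand its results back. That keeps the Kerberos credentials and delegation tokens reachable as instance state after `configureContainers` returns, and it probably makes the step unsafe to invoke twice or from two threads. Typing the action as `PrivilegedExceptionAction[Credentials]` and returning the renewed credentials into a local `val` removes the `null`-initialised fields and the trailing `null` return. Separately, the credential and token dumps are carried into the new block at INFO level; what they print is not visible here, so confirm they never include token secrets or move them to `logDebug`. `configureContainers` continues past the end of this hunk.

```scala
// It is necessary to run as jobUserUGI because logged in user != Current User
val renewedCredentials: Credentials = jobUserUGI.doAs(
  new PrivilegedExceptionAction[Credentials] {
    override def run(): Credentials = {
      // … unchanged: logInfo calls for the job user UGI and original credentials …
      val renewed = new Credentials(jobUserUGI.getCredentials)
      FileSystem.get(hadoopConf).addDelegationTokens(jobUserUGI.getShortUserName, renewed)
      renewed
    }
  })
val renewedTokens = renewedCredentials.getAllTokens.asScala
// … unchanged: isEmpty check, serialize, renewal interval lookup …
```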

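--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml
@@ -11,7 +11,7 @@ spec:
 labels:
 name: hdfs-data-populator
 kerberosService: data-populator
-job: kerberos-test
+job: kerberostest
 spec:
 containers:
 - command: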

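--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml
@@ -5,7 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: data-populator
-job: kerberos-test
+job: kerberostest
 name: data-populator
 spec:
 clusterIP: None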

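--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml
@@ -11,7 +11,7 @@ spec:
 labels:
 name: hdfs-dn1
 kerberosService: dn1
-job: kerberos-test
+job: kerberostest
 spec:
 containers:
 - command: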

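--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml
@@ -5,7 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: dn1
-job: kerberos-test
+job: kerberostest
 name: dn1
 spec:
 clusterIP: None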

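--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml
@@ -11,7 +11,7 @@ spec:
 labels:
 name: hdfs-kerberos
 kerberosService: kerberos
-job: kerberos-test
+job: kerberostest
 spec:
 containers:
 - command: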

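--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml
@@ -5,7 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: kerberos
-job: kerberos-test
+job: kerberostest
 name: kerberos
 spec:
 clusterIP: None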

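--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-test.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-test.yml
@@ -10,7 +10,9 @@ spec:
 name: kerberos-test
 spec:
 containers:
-- name: kerberos-test
+- command: ["/bin/bash"]
+args: ["/opt/spark/test-env.sh"]
+name: kerberos-test
 image: kerberos-test:latest
 imagePullPolicy: IfNotPresent
 volumeMounts: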

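--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-deployment.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-deployment.yml
@@ -11,7 +11,7 @@ spec:
 labels:
 name: hdfs-nn
 kerberosService: nn
-job: kerberos-test
+job: kerberostest
 spec:
 containers:
 - command: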

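--- a/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-service.yml
+++ b/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-service.yml
@@ -5,7 +5,7 @@ metadata:
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 labels:
 kerberosService: nn
-job: kerberos-test
+job: kerberostest
 name: nn
 spec:
 clusterIP: None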
