working Stage 2

ifilonenko · ifilonenko · commit 62354eb2c3fb · 2017-08-01T16:28:03.000-07:00
diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/submit/submitsteps/hadoopsteps/HadoopKerberosKeytabResolverStep.scala
@@ -17,6 +17,7 @@
 package org.apache.spark.deploy.kubernetes.submit.submitsteps.hadoopsteps
 
 import java.io._
+import java.security.PrivilegedExceptionAction
 
 import scala.collection.JavaConverters._
 import scala.util.Try
@@ -30,6 +31,7 @@ import org.apache.hadoop.security.token.{Token, TokenIdentifier}
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
 
 import org.apache.spark.SparkConf
+
 import org.apache.spark.deploy.SparkHadoopUtil
 import org.apache.spark.deploy.kubernetes.{KerberosConfBootstrapImpl, PodWithMainContainer}
 import org.apache.spark.deploy.kubernetes.constants._
@@ -44,9 +46,12 @@ private[spark] class HadoopKerberosKeytabResolverStep(
   submissionSparkConf: SparkConf,
   maybePrincipal: Option[String],
   maybeKeytab: Option[File]) extends HadoopConfigurationStep with Logging{
-
-  override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
-    // FIXME: Pass down hadoopConf so you can call sc.hadoopConfiguration
+   private var originalCredentials: Credentials = _
+   private var dfs : FileSystem = _
+   private var renewer: String = _
+   private var renewedCredentials: Credentials = _
+   private var renewedTokens: Iterable[Token[_ <: TokenIdentifier]] = _
+   override def configureContainers(hadoopConfigSpec: HadoopConfigSpec): HadoopConfigSpec = {
     val hadoopConf = SparkHadoopUtil.get.newConfiguration(submissionSparkConf)
     logInfo(s"Hadoop Configuration: ${hadoopConf.toString}")
     if (!UserGroupInformation.isSecurityEnabled) logError("Hadoop not configuration with Kerberos")
@@ -66,26 +71,30 @@ private[spark] class HadoopKerberosKeytabResolverStep(
       }
     // In the case that keytab is not specified we will read from Local Ticket Cache
     val jobUserUGI = maybeJobUserUGI.getOrElse(UserGroupInformation.getCurrentUser)
-    logInfo(s"Retrieved Job User UGI: $jobUserUGI")
-    val originalCredentials: Credentials = jobUserUGI.getCredentials
-    logInfo(s"Original tokens: ${originalCredentials.toString}")
-    logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
-    logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
-    val dfs: FileSystem = FileSystem.get(hadoopConf)
-    // This is not necessary with [Spark-20328] since we would be using
-    // Spark core providers to handle delegation token renewal
-    val renewer: String = jobUserUGI.getShortUserName
-    logInfo(s"Renewer is: $renewer")
-    val renewedCredentials: Credentials = new Credentials(originalCredentials)
-    dfs.addDelegationTokens(renewer, renewedCredentials)
-    val renewedTokens = renewedCredentials.getAllTokens.asScala
-    logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
-    logInfo(s"All renewed tokens: ${renewedTokens}")
-    logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+    // It is necessary to run as jobUserUGI because logged in user != Current User
+    jobUserUGI.doAs(new PrivilegedExceptionAction[Void] {
+      override def run(): Void = {
+        logInfo(s"Retrieved Job User UGI: $jobUserUGI")
+        originalCredentials = jobUserUGI.getCredentials
+        logInfo(s"Original tokens: ${originalCredentials.toString}")
+        logInfo(s"All tokens: ${originalCredentials.getAllTokens}")
+        logInfo(s"All secret keys: ${originalCredentials.getAllSecretKeys}")
+        dfs = FileSystem.get(hadoopConf)
+        // This is not necessary with [Spark-20328] since we would be using
+        // Spark core providers to handle delegation token renewal
+        renewer = jobUserUGI.getShortUserName
+        logInfo(s"Renewer is: $renewer")
+        renewedCredentials = new Credentials(originalCredentials)
+        dfs.addDelegationTokens(renewer, renewedCredentials)
+        renewedTokens = renewedCredentials.getAllTokens.asScala
+        logInfo(s"Renewed tokens: ${renewedCredentials.toString}")
+        logInfo(s"All renewed tokens: ${renewedTokens.mkString(",")}")
+        logInfo(s"All renewed secret keys: ${renewedCredentials.getAllSecretKeys}")
+        null
+      }})
     if (renewedTokens.isEmpty) logError("Did not obtain any Delegation Tokens")
     val data = serialize(renewedCredentials)
-    val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf)
-      .getOrElse(Long.MaxValue)
+    val renewalTime = getTokenRenewalInterval(renewedTokens, hadoopConf).getOrElse(Long.MaxValue)
     val delegationToken = HDFSDelegationToken(data, renewalTime)
     val initialTokenLabelName = s"$KERBEROS_SECRET_LABEL_PREFIX-1-$renewalTime"
     logInfo(s"Storing dt in $initialTokenLabelName")
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-deployment.yml
@@ -11,7 +11,7 @@ spec:
       labels:
         name: hdfs-data-populator
         kerberosService: data-populator
-        job: kerberos-test
+        job: kerberostest
     spec:
       containers:
       - command:
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/data-populator-service.yml
@@ -5,7 +5,7 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     kerberosService: data-populator
-    job: kerberos-test
+    job: kerberostest
   name: data-populator
 spec:
   clusterIP: None
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-deployment.yml
@@ -11,7 +11,7 @@ spec:
       labels:
         name: hdfs-dn1
         kerberosService: dn1
-        job: kerberos-test
+        job: kerberostest
     spec:
       containers:
       - command:
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/dn1-service.yml
@@ -5,7 +5,7 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     kerberosService: dn1
-    job: kerberos-test
+    job: kerberostest
   name: dn1
 spec:
   clusterIP: None
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-deployment.yml
@@ -11,7 +11,7 @@ spec:
       labels:
         name: hdfs-kerberos
         kerberosService: kerberos
-        job: kerberos-test
+        job: kerberostest
     spec:
       containers:
       - command:
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-service.yml
@@ -5,7 +5,7 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     kerberosService: kerberos
-    job: kerberos-test
+    job: kerberostest
   name: kerberos
 spec:
   clusterIP: None
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-test.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/kerberos-test.yml
@@ -10,7 +10,9 @@ spec:
         name: kerberos-test
     spec:
       containers:
-      - name: kerberos-test
+      - command: ["/bin/bash"]
+        args: ["/opt/spark/test-env.sh"]
+        name: kerberos-test
         image: kerberos-test:latest
         imagePullPolicy: IfNotPresent
         volumeMounts:
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-deployment.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-deployment.yml
@@ -11,7 +11,7 @@ spec:
       labels:
         name: hdfs-nn
         kerberosService: nn
-        job: kerberos-test
+        job: kerberostest
     spec:
       containers:
       - command:
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-service.yml b/resource-managers/kubernetes/integration-tests/kerberos-yml/nn-service.yml
@@ -5,7 +5,7 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     kerberosService: nn
-    job: kerberos-test
+    job: kerberostest
   name: nn
 spec:
   clusterIP: None
diff --git a/resource-managers/kubernetes/integration-tests/kerberos-yml/test-env.sh b/resource-managers/kubernetes/integration-tests/kerberos-yml/test-env.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
 sed -i -e 's/#//' -e 's/default_ccache_name/# default_ccache_name/' /etc/krb5.conf
+export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Dsun.security.krb5.debug=true"
+export HADOOP_JAAS_DEBUG=true
+export HADOOP_ROOT_LOGGER=DEBUG,console
 cp ${TMP_KRB_LOC} /etc/krb5.conf
 cp ${TMP_CORE_LOC} /opt/spark/hconf/core-site.xml
 cp ${TMP_HDFS_LOC} /opt/spark/hconf/hdfs-site.xml
 mkdir -p /etc/krb5.conf.d
-/usr/bin/kinit -kt /var/keytabs/hdfs.keytab hdfs/nn.${NAMESPACE}.svc.cluster.local
-
+until /usr/bin/kinit -kt /var/keytabs/hdfs.keytab hdfs/nn.${NAMESPACE}.svc.cluster.local; do sleep 15; done
 /opt/spark/bin/spark-submit \
       --deploy-mode cluster \
       --class ${CLASS_NAME} \
@@ -20,6 +22,6 @@ mkdir -p /etc/krb5.conf.d
       --conf spark.kubernetes.kerberos=true \
       --conf spark.kubernetes.kerberos.keytab=/var/keytabs/hdfs.keytab \
       --conf spark.kubernetes.kerberos.principal=hdfs/nn.${NAMESPACE}.svc.cluster.local@CLUSTER.LOCAL \
-      --conf spark.kubernetes.driver.labels=spark-app-locator=${APP_LOCATOR_LABEL} \
+      --conf spark.kubernetes.driver.label.spark-app-locator=${APP_LOCATOR_LABEL} \
       ${SUBMIT_RESOURCE} \
       hdfs://nn.${NAMESPACE}.svc.cluster.local:9000/user/ifilonenko/wordcount.txt
diff --git a/resource-managers/kubernetes/integration-tests/src/test/resources/hdfs-site.xml b/resource-managers/kubernetes/integration-tests/src/test/resources/hdfs-site.xml
@@ -55,11 +55,11 @@
   <!-- For testing, we want tokens to expire FAST -->
   <property>
     <name>dfs.namenode.delegation.token.max-lifetime</name>
-    <value>18000000</value> <!-- 300 minutes -->
+    <value>3600000</value><!-- 1 hour -->
   </property>
   <property>
     <name>dfs.namenode.delegation.token.renew-interval</name>
-    <value>1800000</value> <!-- 30 minutes -->
+    <value>3600000</value><!-- 1 hour -->
   </property>
 
 
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KerberizedHadoopClusterLauncher.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KerberizedHadoopClusterLauncher.scala
@@ -18,6 +18,8 @@ package org.apache.spark.deploy.kubernetes.integrationtest
 
 import io.fabric8.kubernetes.client.KubernetesClient
 
+import org.apache.spark.deploy.kubernetes.integrationtest.kerberos._
+
  /**
   * Stuff
   */
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KerberosTestPodLauncher.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KerberosTestPodLauncher.scala
@@ -26,8 +26,6 @@ import io.fabric8.kubernetes.client.KubernetesClient
 
 import org.apache.spark.deploy.kubernetes.submit.ContainerNameEqualityPredicate
 
-
-
  /**
   * Stuff
   */
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KubernetesSuite.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/KubernetesSuite.scala
@@ -20,16 +20,13 @@ import java.nio.file.Paths
 import java.util.UUID
 
 import io.fabric8.kubernetes.client.internal.readiness.Readiness
-
-import org.apache.spark.{SparkConf, SSLOptions, SparkFunSuite}
-
+import org.apache.spark.{SSLOptions, SparkConf, SparkFunSuite}
 import org.apache.spark.deploy.kubernetes.config._
-
 import org.apache.spark.deploy.kubernetes.integrationtest.backend.IntegrationTestBackendFactory
 import org.apache.spark.deploy.kubernetes.integrationtest.backend.minikube.Minikube
 import org.apache.spark.deploy.kubernetes.integrationtest.constants.MINIKUBE_TEST_BACKEND
+import org.apache.spark.deploy.kubernetes.integrationtest.kerberos.KerberosDriverWatcherCache
 import org.apache.spark.deploy.kubernetes.submit._
-
 import org.scalatest.BeforeAndAfter
 import org.scalatest.concurrent.{Eventually, PatienceConfiguration}
 import org.scalatest.time.{Minutes, Seconds, Span}
@@ -96,22 +93,28 @@ private[spark] class KubernetesSuite extends SparkFunSuite with BeforeAndAfter {
     assume(testBackend.name == MINIKUBE_TEST_BACKEND)
     launchKerberizedCluster()
     createKerberosTestPod(CONTAINER_LOCAL_MAIN_APP_RESOURCE, HDFS_TEST_CLASS, APP_LOCATOR_LABEL)
+    val kubernetesClient = kubernetesTestComponents.kubernetesClient
+    val driverWatcherCache = new KerberosDriverWatcherCache(
+      kubernetesClient,
+      Map("spark-app-locator" -> APP_LOCATOR_LABEL))
+    driverWatcherCache.start()
+    driverWatcherCache.stop()
     val expectedLogOnCompletion = Seq("Something something something")
-//    val driverPod = kubernetesTestComponents.kubernetesClient
-//      .pods()
-//      .withLabel("spark-app-locator", APP_LOCATOR_LABEL)
-//      .list()
-//      .getItems
-//      .get(0)
-//    Eventually.eventually(TIMEOUT, INTERVAL) {
-//      expectedLogOnCompletion.foreach { e =>
-//        assert(kubernetesTestComponents.kubernetesClient
-//          .pods()
-//          .withName(driverPod.getMetadata.getName)
-//          .getLog
-//          .contains(e), "The application did not complete.")
-//      }
-//    }
+    val driverPod = kubernetesClient
+      .pods()
+      .withLabel("spark-app-locator", APP_LOCATOR_LABEL)
+      .list()
+      .getItems
+      .get(0)
+    Eventually.eventually(TIMEOUT, INTERVAL) {
+      expectedLogOnCompletion.foreach { e =>
+        assert(kubernetesClient
+          .pods()
+          .withName(driverPod.getMetadata.getName)
+          .getLog
+          .contains(e), "The application did not complete.")
+      }
+    }
   }
 
 //  test("Run PySpark Job on file from SUBMITTER with --py-files") {
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/backend/minikube/MinikubeTestBackend.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/backend/minikube/MinikubeTestBackend.scala
@@ -27,7 +27,7 @@ private[spark] class MinikubeTestBackend extends IntegrationTestBackend {
 
   override def initialize(): Unit = {
     Minikube.startMinikube()
-    // new SparkDockerImageBuilder(Minikube.getDockerEnv).buildSparkDockerImages()
+    new SparkDockerImageBuilder(Minikube.getDockerEnv).buildSparkDockerImages()
     defaultClient = Minikube.getKubernetesClient
   }
 
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosCMWatcherCache.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosCMWatcherCache.scala
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-package org.apache.spark.deploy.kubernetes.integrationtest
+package org.apache.spark.deploy.kubernetes.integrationtest.kerberos
 
 import java.util.concurrent.locks.{Condition, Lock, ReentrantLock}
 
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosDeployment.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosDeployment.scala
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.spark.deploy.kubernetes.integrationtest
+package org.apache.spark.deploy.kubernetes.integrationtest.kerberos
 
 import io.fabric8.kubernetes.api.model.Service
 import io.fabric8.kubernetes.api.model.extensions.Deployment
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosDriverWatcherCache.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosDriverWatcherCache.scala
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosPVWatcherCache.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosPVWatcherCache.scala
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosPodWatcherCache.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosPodWatcherCache.scala
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosStorage.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosStorage.scala
diff --git a/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosUtils.scala b/resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/kubernetes/integrationtest/kerberos/KerberosUtils.scala
