Merge pull request #83 from JiHyunSong/using-delegation-token

ashie · web-flow · commit 9e01b9f6f6eb · 2021-08-04T12:04:21.000+09:00
when using kerberos, add option for reusing delegation token
diff --git a/README.md b/README.md
@@ -146,6 +146,7 @@ With kerberos authentication:
       path /path/on/hdfs/access.log.%Y%m%d_%H.log
       kerberos true
       kerberos_keytab /path/to/keytab # if needed
+      renew_kerberos_delegation_token true # if needed
     </match>
 
 NOTE: You need to install `gssapi` gem for kerberos. See https://github.com/kzk/webhdfs#for-kerberos-authentication
diff --git a/fluent-plugin-webhdfs.gemspec b/fluent-plugin-webhdfs.gemspec
@@ -23,5 +23,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "bzip2-ffi"
   gem.add_development_dependency "zstandard"
   gem.add_runtime_dependency "fluentd", '>= 0.14.22'
-  gem.add_runtime_dependency "webhdfs", '>= 0.6.0'
+  gem.add_runtime_dependency "webhdfs", '>= 0.10.0'
 end
diff --git a/lib/fluent/plugin/out_webhdfs.rb b/lib/fluent/plugin/out_webhdfs.rb
@@ -66,6 +66,10 @@ class Fluent::Plugin::WebHDFSOutput < Fluent::Plugin::Output
   config_param :kerberos, :bool, default: false
   desc 'kerberos keytab file'
   config_param :kerberos_keytab, :string, default: nil
+  desc 'Use delegation token while upload webhdfs or not'
+  config_param :renew_kerberos_delegation_token, :bool, default: false
+  desc 'delegation token reuse timer (default 8h)'
+  config_param :renew_kerberos_delegation_token_interval, :time, default: 8 * 60 * 60
 
   SUPPORTED_COMPRESS = [:gzip, :bzip2, :snappy, :hadoop_snappy, :lzo_command, :zstd, :text]
   desc "Compression method (#{SUPPORTED_COMPRESS.join(',')})"
@@ -184,6 +188,14 @@ def configure(conf)
       raise Fluent::ConfigError, "Path on hdfs MUST starts with '/', but '#{@path}'"
     end
 
+    @renew_kerberos_delegation_token_interval_hour = nil
+    if @renew_kerberos_delegation_token
+      unless @username
+        raise Fluent::ConfigError, "username is missing. If you want to reuse delegation token, follow with kerberos accounts"
+      end
+      @renew_kerberos_delegation_token_interval_hour = @renew_kerberos_delegation_token_interval / 60 / 60
+    end
+
     @client = prepare_client(@namenode_host, @namenode_port, @username)
     if @standby_namenode_host
       @client_standby = prepare_client(@standby_namenode_host, @standby_namenode_port, @username)
@@ -203,7 +215,7 @@ def multi_workers_ready?
   end
 
   def prepare_client(host, port, username)
-    client = WebHDFS::Client.new(host, port, username)
+    client = WebHDFS::Client.new(host, port, username, nil, nil, nil, {}, @renew_kerberos_delegation_token_interval_hour)
     if @httpfs
       client.httpfs_mode = true
     end
diff --git a/test/plugin/test_out_webhdfs.rb b/test/plugin/test_out_webhdfs.rb
@@ -316,4 +316,99 @@ def test_time_key_without_buffer_section
       assert_equal "2017-01-24T20:10:30Z\ttest.now\t{\"message\":\"yay\",\"name\":\"tagomoris\"}\n", line
     end
   end
+
+  sub_test_case "kerberos config" do
+    CONFIG_KERBEROS = config_element(
+      "ROOT", "", {
+        "namenode" => "server.local:14000",
+        "path" => "/hdfs/path/file.%Y%m%d.%H%M.log",
+        "username" => "hdfs_user",
+        "kerberos" => true,
+        "kerberos_keytab" => "/path/to/kerberos.keytab",
+      })
+
+    test "renew_kerberos_delegation_token default" do
+      mock.proxy(WebHDFS::Client).new("server.local", 14000, "hdfs_user", nil, nil, nil, {}, nil).once
+
+      d = create_driver(CONFIG_KERBEROS)
+
+      assert_equal(
+        {
+          kerberos: true,
+          renew_kerberos_delegation_token: false,
+          renew_kerberos_delegation_token_interval_hour: nil,
+        },
+        {
+          kerberos: d.instance.kerberos,
+          renew_kerberos_delegation_token: d.instance.instance_eval("@renew_kerberos_delegation_token"),
+          renew_kerberos_delegation_token_interval_hour: d.instance.instance_eval("@renew_kerberos_delegation_token_interval_hour"),
+        })
+    end
+
+    test "default renew_kerberos_delegation_token_interval" do
+      expected_hour = 8
+
+      mock.proxy(WebHDFS::Client).new("server.local", 14000, "hdfs_user", nil, nil, nil, {}, expected_hour).once
+
+      d = create_driver(CONFIG_KERBEROS +
+                        config_element("", "", { "renew_kerberos_delegation_token" => true }))
+
+      assert_equal(
+        {
+          kerberos: true,
+          renew_kerberos_delegation_token: true,
+          renew_kerberos_delegation_token_interval: expected_hour * 60 * 60,
+          renew_kerberos_delegation_token_interval_hour: expected_hour,
+        },
+        {
+          kerberos: d.instance.kerberos,
+          renew_kerberos_delegation_token: d.instance.instance_eval("@renew_kerberos_delegation_token"),
+          renew_kerberos_delegation_token_interval: d.instance.instance_eval("@renew_kerberos_delegation_token_interval"),
+          renew_kerberos_delegation_token_interval_hour: d.instance.instance_eval("@renew_kerberos_delegation_token_interval_hour"),
+        })
+    end
+
+    test "renew_kerberos_delegation_token_interval" do
+      expected_hour = 10
+
+      mock.proxy(WebHDFS::Client).new("server.local", 14000, "hdfs_user", nil, nil, nil, {}, expected_hour).once
+
+      d = create_driver(
+        CONFIG_KERBEROS +
+        config_element(
+          "", "",
+          {
+            "renew_kerberos_delegation_token" => true,
+            "renew_kerberos_delegation_token_interval" => "#{expected_hour}h",
+          }))
+
+      assert_equal(
+        {
+          kerberos: true,
+          renew_kerberos_delegation_token: true,
+          renew_kerberos_delegation_token_interval: expected_hour * 60 * 60,
+          renew_kerberos_delegation_token_interval_hour: expected_hour,
+        },
+        {
+          kerberos: d.instance.kerberos,
+          renew_kerberos_delegation_token: d.instance.instance_eval("@renew_kerberos_delegation_token"),
+          renew_kerberos_delegation_token_interval: d.instance.instance_eval("@renew_kerberos_delegation_token_interval"),
+          renew_kerberos_delegation_token_interval_hour: d.instance.instance_eval("@renew_kerberos_delegation_token_interval_hour"),
+        })
+    end
+
+    test "username is required for renew_kerberos_delegation_token" do
+      conf = config_element(
+      "ROOT", "", {
+        "namenode" => "server.local:14000",
+        "path" => "/hdfs/path/file.%Y%m%d.%H%M.log",
+        "kerberos" => true,
+        "renew_kerberos_delegation_token" => true,
+      })
+
+      assert_raise(Fluent::ConfigError) do
+        create_driver(conf)
+      end
+    end
+  end
 end
