feat: Add options to mutual authentication (#1320)

s4mukka · pre-commit-ci[bot] · web-flow · commit 95706947753b · 2023-09-14T08:10:45.000-07:00
Co-authored-by: pre-commit-ci[bot] &lt;66853113+pre-commit-ci[bot]@users.noreply.github.com&gt;
diff --git a/enterprise_gateway/services/processproxies/yarn.py b/enterprise_gateway/services/processproxies/yarn.py
@@ -35,6 +35,7 @@
 #            whether we verify the server's TLS certificate in yarn-api-client.
 #            Or a string, in which case it must be a path to a CA bundle(.pem file) to use.
 cert_path = os.getenv("EG_YARN_CERT_BUNDLE", True)
+mutual_authentication = os.getenv("EG_YARN_MUTUAL_AUTHENTICATION", "REQUIRED")
 
 
 class YarnClusterProcessProxy(RemoteProcessProxy):
@@ -91,9 +92,15 @@ def _initialize_resource_manager(self, **kwargs: dict[str, Any] | None) -> None:
                 endpoints.append(self.alt_yarn_endpoint)
 
         if self.yarn_endpoint_security_enabled:
-            from requests_kerberos import HTTPKerberosAuth
-
-            auth = HTTPKerberosAuth()
+            from requests_kerberos import DISABLED, OPTIONAL, REQUIRED, HTTPKerberosAuth
+
+            auth = HTTPKerberosAuth(
+                mutual_authentication={
+                    "REQUIRED": REQUIRED,
+                    "OPTIONAL": OPTIONAL,
+                    "DISABLED": DISABLED,
+                }.get(mutual_authentication.upper())
+            )
         else:
             # If we have the appropriate version of yarn-api-client, use its SimpleAuth class.
             # This allows EG to continue to issue requests against the YARN api when anonymous
