Skip to content

[GLUTEN-10113][VL] Pass hadoop fs related session level configurations to native#12367

Draft
zhouyuan wants to merge 7 commits into
apache:mainfrom
zhouyuan:wip_pass_fs_options
Draft

[GLUTEN-10113][VL] Pass hadoop fs related session level configurations to native#12367
zhouyuan wants to merge 7 commits into
apache:mainfrom
zhouyuan:wip_pass_fs_options

Conversation

@zhouyuan

@zhouyuan zhouyuan commented Jun 25, 2026

Copy link
Copy Markdown
Member

What changes are proposed in this pull request?

This patch adds the runtime hadoop related configurations to native.

How was this patch tested?

new UT

Was this patch authored or co-authored using generative AI tooling?

IBM BoB

Related issue: #10113

Signed-off-by: Yuan <yuanzhou@apache.org>
Copilot AI review requested due to automatic review settings June 25, 2026 13:14
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Signed-off-by: Yuan <yuanzhou@apache.org>
@zhouyuan zhouyuan force-pushed the wip_pass_fs_options branch from e37d128 to 1d6f087 Compare June 25, 2026 13:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the Velox backend’s partition serialization so that Hadoop filesystem-related session configuration (notably fs.azure.*, fs.s3a.*, fs.gs.*) is captured on the driver and carried across the RDD partition boundary to executors, then forwarded into the native runtime via extraConf.

Changes:

  • Added an fsConf: Map[String, String] field to GlutenPartition to carry selected Hadoop FS config across to executors.
  • Updated VeloxIteratorApi.genPartitions to collect fs.* keys from the driver-side Hadoop configuration and embed them into each GlutenPartition.
  • Updated VeloxIteratorApi.genFirstStageIterator to merge GlutenPartition.fsConf into the native extraConf, and added a new Velox UT suite to validate propagation behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File Description
gluten-substrait/src/main/scala/org/apache/gluten/execution/GlutenWholeStageColumnarRDD.scala Adds GlutenPartition.fsConf to transport FS-related Hadoop config across partition boundaries.
backends-velox/src/main/scala/org/apache/gluten/backendsapi/velox/VeloxIteratorApi.scala Captures driver-side FS Hadoop config into partitions and forwards it into native extraConf.
backends-velox/src/test/scala/org/apache/gluten/backendsapi/velox/VeloxIteratorApiFsConfSuite.scala Adds unit tests verifying that selected fs.* keys are embedded into GlutenPartition.fsConf.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Signed-off-by: Yuan <yuanzhou@apache.org>
Copilot AI review requested due to automatic review settings June 25, 2026 15:16
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

Comments suppressed due to low confidence (1)

gluten-substrait/src/main/scala/org/apache/gluten/execution/GlutenWholeStageColumnarRDD.scala:51

  • GlutenPartition now contains fsConf, which can include filesystem credentials (e.g., S3/ABFS secrets). Because this is a case class, the default toString will include the full fsConf map and may leak secrets into Spark logs / exception messages / UI when partitions are stringified. Override toString to avoid printing values (e.g., print only keys).
  override def preferredLocations(): Array[String] =
    splitInfos.flatMap(_.preferredLocations().asScala)
}

@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Signed-off-by: Yuan <yuanzhou@apache.org>
@zhouyuan zhouyuan force-pushed the wip_pass_fs_options branch from 2220efc to 9b41c7f Compare June 25, 2026 17:21
Copilot AI review requested due to automatic review settings June 25, 2026 17:21
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Comment on lines +238 to 241
val partitionFsConf = inputPartition.asInstanceOf[GlutenPartition].fsConf
val extraConf = (partitionFsConf +
(GlutenConfig.COLUMNAR_CUDF_ENABLED.key -> enableCudf.toString)).asJava
val transKernel = NativePlanEvaluator.create(BackendsApiManager.getBackendName, extraConf)
"fs.azure.account.auth.type.myaccount.dfs.core.windows.net" -> "OAuth",
"fs.azure.account.oauth.provider.type" -> "ClientCredentials"
) {
val partitions = api.genPartitions(emptyWsCtx, Seq(Seq.empty), Seq.empty)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 26, 2026 14:17
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

gluten-substrait/src/main/scala/org/apache/gluten/execution/GlutenWholeStageColumnarRDD.scala:51

  • GlutenPartition is a case class, so its generated toString will include the full fsConf map (including credential values). This can leak secrets via exceptions/logging (e.g., $split string interpolation) or Spark UI/debug output. Consider overriding toString to avoid printing values (e.g., only print the keys).
  override def preferredLocations(): Array[String] =
    splitInfos.flatMap(_.preferredLocations().asScala)
}

Comment on lines +145 to +148
val fsPrefixes = Seq("fs.azure.", "fs.s3a.", "fs.gs.")
val hadoopConf = leaves.headOption
.map(_ => org.apache.spark.sql.SparkSession.active.sessionState.newHadoopConf())
.getOrElse(org.apache.spark.SparkContext.getOrCreate().hadoopConfiguration)
Comment on lines +238 to 242
val partitionFsConf = inputPartition.asInstanceOf[GlutenPartition].fsConf
val extraConf = (partitionFsConf +
(GlutenConfig.COLUMNAR_CUDF_ENABLED.key -> enableCudf.toString)).asJava
val transKernel = NativePlanEvaluator.create(BackendsApiManager.getBackendName, extraConf)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed by adding a digest on the key/password

Comment on lines +84 to +99
test("genPartitions embeds fs.s3a.* keys from Hadoop conf into GlutenPartition.fsConf") {
withHadoopConf(
"fs.s3a.access.key" -> "AKIAIOSFODNN7EXAMPLE",
"fs.s3a.secret.key" -> "wJalrXUtnFEMI"
) {
val partitions = api.genPartitions(emptyWsCtx, Seq(Seq.empty), Seq.empty)
assert(partitions.size == 1)
val fsConf = partitions.head.asInstanceOf[GlutenPartition].fsConf
assert(
fsConf.contains("fs.s3a.access.key"),
s"Expected fs.s3a.access.key not found; got: ${fsConf.keys.mkString(", ")}")
assert(fsConf("fs.s3a.access.key") == "AKIAIOSFODNN7EXAMPLE")
assert(fsConf.contains("fs.s3a.secret.key"))
assert(fsConf("fs.s3a.secret.key") == "wJalrXUtnFEMI")
}
}
Comment on lines +65 to +70
test("genPartitions embeds fs.azure.* keys from Hadoop conf into GlutenPartition.fsConf") {
withHadoopConf(
"fs.azure.account.auth.type.myaccount.dfs.core.windows.net" -> "OAuth",
"fs.azure.account.oauth.provider.type" -> "ClientCredentials"
) {
val partitions = api.genPartitions(emptyWsCtx, Seq(Seq.empty), Seq.empty)
@zhouyuan zhouyuan requested a review from marin-ma June 26, 2026 15:07
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Signed-off-by: Yuan <yuanzhou@apache.org>
Copilot AI review requested due to automatic review settings June 29, 2026 09:37
@zhouyuan zhouyuan force-pushed the wip_pass_fs_options branch from 195d39b to 05661be Compare June 29, 2026 09:37
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

Comment on lines +43 to +61
private def stableKey(
backendName: String,
name: String,
extraConf: util.Map[String, String]): String = {
val digest = MessageDigest.getInstance("SHA-256")
digest.update(backendName.getBytes("UTF-8"))
digest.update(0.toByte) // field separator
digest.update(name.getBytes("UTF-8"))
digest.update(0.toByte)
// Sort keys for determinism; hash only keys, not values, to avoid leaking secrets.
val sortedKeys = new java.util.ArrayList(extraConf.keySet)
java.util.Collections.sort(sortedKeys)
sortedKeys.forEach {
k =>
digest.update(k.getBytes("UTF-8"))
digest.update(0.toByte)
}
digest.digest().map("%02x".format(_)).mkString
}
Comment on lines +41 to +45
// fs.azure.* / fs.s3a.* / fs.gs.* keys captured on the driver from
// sessionState.newHadoopConf() and serialised here so they survive the
// RDD partition boundary. Spark's withSQLConfPropagated only propagates
// keys that start with "spark", so these keys are otherwise invisible on
// the executor side (the executor's SQLConf never sees them).
Comment on lines +146 to +148
val hadoopConf = leaves.headOption
.map(_ => org.apache.spark.sql.SparkSession.active.sessionState.newHadoopConf())
.getOrElse(org.apache.spark.SparkContext.getOrCreate().hadoopConfiguration)
Comment on lines +129 to +132
// Hadoop configuration NOW, while we are still on the driver, and embed
// them in every GlutenPartition. These keys are set by the user via
// spark.conf.set("fs.azure.account.auth.type", ...) or
// sparkContext.hadoopConfiguration.set(...)
Comment on lines +85 to +88
withHadoopConf(
"fs.s3a.access.key" -> "AKIAIOSFODNN7EXAMPLE",
"fs.s3a.secret.key" -> "wJalrXUtnFEMI"
) {
.map(_ => org.apache.spark.sql.SparkSession.active.sessionState.newHadoopConf())
.getOrElse(org.apache.spark.SparkContext.getOrCreate().hadoopConfiguration)
val fsConf = {
hadoopConf.iterator().asScala

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR — this is a problem we've hit before. Internally we addressed it by injecting a known Hadoop key list at a specific injection point.
The hadoopConf.iterator() would return the full configuration set, which has a noticeable performance cost. Besides, some of the configu entries are also unresolved — values like .key=${...} aren't decoded, so the velox backend fails to parse them. I haven't come across a cleaner solution yet.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Hadoop Configuration has getPropsWithPrefix in the Hadoop versions Gluten supports, so I’ll replace the full iterator() scan with prefix lookups for fs.azure., fs.s3a., and fs.gs.. This keeps the same propagation behavior but avoids iterating the entire configuration set.

Signed-off-by: Yuan <yuanzhou@apache.org>
@github-actions

Copy link
Copy Markdown

Run Gluten Clickhouse CI on x86

// Spark's withSQLConfPropagated (it only forwards keys starting with
// "spark"), so embedding them in the serialised GlutenPartition is the
// only reliable transport mechanism.
val fsPrefixes = Seq("fs.azure.", "fs.s3a.", "fs.gs.")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: We can define this part as a constant and allow users to extend it (via configuration or by adding a constant prefix), which would make the user experience more friendly.

@jackylee-ch jackylee-ch left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

// RDD partition boundary. Spark's withSQLConfPropagated only propagates
// keys that start with "spark", so these keys are otherwise invisible on
// the executor side (the executor's SQLConf never sees them).
fsConf: Map[String, String] = Map.empty

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CWE‑532 / CWE‑200:Case‑class auto‑toString prints every field, so any log line or exception that stringifies a partition (or the wrapping FirstZippedPartitionsPartition) will dump fs.s3a.secret.key=… verbatim. Please override toString to print fsConf keys only — or redact values on the driver side at capture time using SECRET_REDACTION_PATTERN (spark.redaction.regex). Note SQLConf.get.stringRedactionPattern is a different config (default None) and won't help here, and SQLConf.get itself isn't safe to call off‑task. Please also add a regression test that asserts toString does not contain a seeded secret value.

I notice Copilot already flagged this security‑related risk earlier. However, the latest commit still hasn’t addressed the issue.

digest.update(k.getBytes("UTF-8"))
digest.update(0.toByte)
}
digest.digest().map("%02x".format(_)).mkString

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CWE‑694stableKey hashes only the keys. Two Runtimes.contextInstance calls inside the same task that share a keyset but differ in values (e.g. IcebergWrite#write with different icebergProperties) will collide on the same TaskResources registration, and the second caller silently gets the runtime built from the first. Please hash sorted (key, value) pairs — values are still hidden from logs because only the digest escapes, and the existing key‑sort already makes the digest deterministic.

// Capture fs.azure.* / fs.s3a.* / fs.gs.* keys from the driver-side
// Hadoop configuration NOW, while we are still on the driver, and embed
// them in every GlutenPartition. These keys are set by the user via
// spark.conf.set("fs.azure.account.auth.type", ...) or

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two things:

  1. The comment block at lines 128–144 still advertises spark.conf.set(...), DataFrameReader.option(...), and sessionState.newHadoopConf() as user surfaces — none of those reach the new code path, which only reads SparkContext.getOrCreate().hadoopConfiguration. The actual recipes that work are submit‑time --conf spark.hadoop.fs.*=… (which Spark copies into SparkContext.hadoopConfiguration at boot) or runtime sparkContext.hadoopConfiguration.set("fs.*", ...). spark.conf.set("spark.hadoop.fs.*", ...) set at runtime writes to SQLConf only and is invisible to the new code.
  2. The paragraph starting "Capture fs.azure.* …" is duplicated at line 137 — looks like a merge artefact. Please collapse into one paragraph and rewrite the recipe.


test("genPartitions embeds fs.s3a.* keys from Hadoop conf into GlutenPartition.fsConf") {
withHadoopConf(
"fs.s3a.access.key" -> "AKIAIOSFODNN7EXAMPLE",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AKIAIOSFODNN7EXAMPLE is AWS's documentation example and matches the AKIA/ASIA pattern used by GitHub secret scanning, gitleaks, and most fork‑level scanners. Even as a test fixture, this routinely fails CI in downstream forks and surfaces as false‑positive credential alerts. Use clearly synthetic placeholders, e.g. "dummy-access-key" / "dummy-secret-value".

// only reliable transport mechanism.
val fsPrefixes = Seq("fs.azure.", "fs.s3a.", "fs.gs.")
// scalastyle:off hadoopconfiguration
val baseHadoopConf = org.apache.spark.SparkContext.getOrCreate().hadoopConfiguration

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

org.apache.spark.SparkContext.getOrCreate() is spelled out with full FQN; SparkContext is already imported and used by short name elsewhere in this file. Move the short name in and drop the inline FQN.

On the other hand, The simplified capture reads SparkContext.getOrCreate().hadoopConfiguration directly, which only contains keys present at SparkContext construction (from SparkConf spark.hadoop.*) plus anything mutated via sparkContext.hadoopConfiguration.set(...). It does not see per‑session overrides made via spark.conf.set("spark.hadoop.fs.*", ...) at runtime, nor session‑scoped DataFrameReader.option(...) keys — both of which live on SparkSession.sessionState.newHadoopConf(). If the original use case in issue #10113 includes runtime session‑level credential injection, the current code path won't satisfy it. Either document the supported recipes explicitly (boot‑time --conf spark.hadoop.fs.* or runtime sparkContext.hadoopConfiguration.set) or read from leaves.head.sqlContext.sessionState.newHadoopConf() when leaves are available, falling back to SparkContext.hadoopConfiguration only when they aren't.

* purpose of this test.
*/
private def emptyWsCtx: WholeStageTransformContext =
WholeStageTransformContext(PlanBuilder.empty())

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

emptyWsCtx only works because genPartitions happens to touch only wsCtx.root.toProtobuf.toByteArray, but WholeStageTransformContext has other fields — a future shape change silently breaks the helper. Either refactor genPartitions to take Array[Byte] directly (cleanest), or add a one‑line comment recording the implicit dependency. Non‑blocking.

planByteArray,
splitInfos.toArray
splitInfos.toArray,
fsConf = fsConf

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assigning fsConf = fsConf puts an independent serialised copy of the map on every GlutenPartition — reference sharing is driver‑side only, the wire cost scales with partition count.

// task local properties), this is the only path these credentials can take to
// reach the native session config and ultimately the Velox ABFS connector.
val partitionFsConf = inputPartition.asInstanceOf[GlutenPartition].fsConf
val extraConf = (partitionFsConf +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CWE‑532: This line is where fsConf reaches extraConf and ultimately flows into the native session config printed by printConfig (cpp side). printConfig redacts on key match against spark.redaction.regex, default (?i)secret|password|token|access[.]?key. That default misses fs.azure.account.key.* (the Azure storage account key — the primary credential), fs.s3a.encryption.key and the deprecated alias fs.s3a.server-side-encryption.key, fs.gs.auth.service.account.private.key, and fs.gs.auth.service.account.json.keyfile. With spark.gluten.sql.debug=true these reach executor stdout in cleartext. The fix is on the C++ side: please hard‑redact the credential‑bearing prefixes inside printConfig in addition to applying the operator regex — minimum list: fs.azure.account.key., fs.azure.sas., fs.azure.account.oauth2., fs.s3a.access.key, fs.s3a.secret.key, fs.s3a.session.token, fs.s3a.encryption.key, fs.s3a.server-side-encryption.key, fs.gs.auth.service.account.private.key, fs.gs.auth.service.account.json.keyfile. Consider also extending Gluten's default spark.redaction.regex to cover them.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, it seems pass these configurations as a parameter will introduce the credential leakage. Let me try to use the other more secure approach

@zhouyuan zhouyuan marked this pull request as draft July 3, 2026 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CORE works for Gluten Core VELOX

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants