NIFI-5041 Adds SPNEGO authentication to LivySessionController#2630
NIFI-5041 Adds SPNEGO authentication to LivySessionController#2630peter-toth wants to merge 7 commits intoapache:masterfrom
Conversation
|
This improvement of LivySessionController uses the KerberosCredentialsService to fetch a principal and a keytab and provide SPNEGO authentication towards a Livy server. In the implementation I switched from HttpURLConnections to HttpClient, which can be configured to do an SPNEGO handshake. |
|
Some of the travis builds failed, but I don't see any issue in the logs except that the size of log exceeded 4MB. Could someone help me with this please? |
|
It looks like the downloads are taking so long in travis that it is filling the log and causing the build to be terminated. |
|
@ottobackwards yes, I agree and since the build passing is the one in France, I assume we are downloading from an European mirror. Can we change this according to the place of build? |
pom.xml
Outdated
| <org.slf4j.version>1.7.25</org.slf4j.version> | ||
| <ranger.version>0.7.1</ranger.version> | ||
| <jetty.version>9.4.3.v20170317</jetty.version> | ||
| <httpclient.version>4.5.5</httpclient.version> |
There was a problem hiding this comment.
Per NIFI-4936, this needs to be pushed down to each NAR/bundle. In your case since you are using it in nifi-hadoop-utils, each NAR that has this as a dependency should declare it. If they already bring in httpclient, you'd likely need to reuse that version rather than setting it to 4.5.5, to avoid eviction.
There was a problem hiding this comment.
I'm not sure I got this issue right. I removed this property and replaced it to a direct version specification where it was used. Is that enough?
There was a problem hiding this comment.
I think I see the issue now. I changed the httpclient and hadoop-auth dependency to "provided" in nifi-hadoop-util so they won't be included into all NARs depending on nifi-hadoop-util.
There was a problem hiding this comment.
@mattyb149, could you please review my change and let me know if I did the right thing? Any suggestions are welcome.
I changed the httpclient dependency to provided so it won't get into all NARs depending on nifi-hadoop-utils. Unfortunately httpclient seems to change a lot from version to version and the minimum required version that my changes can work with is 4.4.1.
All my additions to hadoop-utils are in new classes, so I believe even a hadoop-utils dependent NAR that specifies a lower version of httpclient will be fine as long as it doesn't start to use my classes directly.
Change-Id: I1b87ec4752ff6e1603025883a72113919aba5dd4
Change-Id: I868fdf3ea7cfd28cf415164e420f23bf3f6eefeb
| * Modified Kerberos configuration class from {@link org.apache.hadoop.security.authentication.client.KerberosAuthenticator.KerberosConfiguration} | ||
| * that requires authentication from a keytab. | ||
| */ | ||
| public class KerberosConfiguration extends javax.security.auth.login.Configuration { |
There was a problem hiding this comment.
@mattyb149, @joewitt can you please help me and review this PR and let me know if I need to change anything.
|
The changes LGTM, and I tested on a secure cluster, verifying that I could connect, get a session, and execute some simple Scala/Spark code. However, when I tested with various unhappy paths including no Kerberos Credentials Service and a bad keytab, it seems we could be handling these situations better. In the first case (no credentials), the /sessions endpoint will return HTML not JSON. This causes a bulletin to be issued, but the flow file is not penalized and/or the processor is not yielded, and the LivyControllerService thread to manage the sessions exits, meaning the flow will never proceed until the CS is restarted with the correct credentials. This could be considered a Livy bug (I didn't see an existing Jira), but we need to handle it for now. I believe something similar happens for a bad keytab, but I didn't trace it back to the manageSessions thread or anything. I think we need to ensure that the manageSessions() thread is always running while the CS is enabled, we can pass any exceptions back to the CS so when the processor makes a call to the CS, we can throw the appropriate exception, etc. |
…andling in session manager thread, fixes error returned in KerberosKeytabSPNegoScheme on authentication failure Change-Id: I443e063ae21c446980087e5464a4b70373d730f6
|
Hi @mattyb149,
|
| try { | ||
| manageSessions(); | ||
| } catch (Exception e) { | ||
| getLogger().error("Livy Session Manager Thread run into an error, but continues to run", e); |
There was a problem hiding this comment.
This keeps the manageSessions() thread alive, but will there be an indication on the UI that the error is not recoverable? I'm thinking specifically about the 401 Authorization Required error where the Livy API returns HTML rather than JSON when you try to log in without Kerberos when the server has been Kerberized. Should we set an AtomicReference<Exception> or something on the LivySessionController and throw a checked exception when any API call is made (such as isEmpty() which is called from ExecuteSparkInteractive)? I think we need to make it obvious (at least in that case) that the processor and/or CS is suffering from a non-recoverable error and needs manual intervention.
There was a problem hiding this comment.
I agree, changed to what you suggested.
… users Change-Id: I33fde5df6933cec2a87a4d82e681d4464f21b459
| private void checkSessionManagerError() throws IOException { | ||
| Exception exception = sessionManagerError; | ||
| if (exception != null) { | ||
| throw new IOException(exception); |
There was a problem hiding this comment.
I'm thinking this should be a custom exception type, probably thrown from the manageSession() thread itself and just propagated to the client via this method, in order to be able to tell the difference between an IOException that occurred from the mgmt thread vs an IOException that occurred from the operation the client is trying to perform. Thoughts?
There was a problem hiding this comment.
good idea @mattyb149, added a new SessionManagerException
…urred on session manager thread Change-Id: I25a52c025376a0cd238f14bda533d6f5f3e5fb4a
|
+1 LGTM, ran full build with contrib-check, also tested on HDP 2.6.4 and HDP 3.0 with and without Kerberos enabled, verified all behaviors are as expected. Thanks for this improvement! Merging to master |
NIFI-5041: fixes http client version issue Change-Id: I1b87ec4752ff6e1603025883a72113919aba5dd4 NIFI-5041: fixes Kerberos configuration Change-Id: I868fdf3ea7cfd28cf415164e420f23bf3f6eefeb NIFI-5041: adds new NOTICE entries NIFI-5041: yields processor if no session is available, fixes error handling in session manager thread, fixes error returned in KerberosKeytabSPNegoScheme on authentication failure Change-Id: I443e063ae21c446980087e5464a4b70373d730f6 NIFI-5041: makes the session manager thread exceptions visible to the users Change-Id: I33fde5df6933cec2a87a4d82e681d4464f21b459 NIFI-5041: adds special SessionManagerException to identify error occurred on session manager thread Change-Id: I25a52c025376a0cd238f14bda533d6f5f3e5fb4a This closes apache#2630 Signed-off-by: Matthew Burgess <mattyb149@apache.org>
4 participants
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically master)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.