[SPARK-31272][SQL] Support DB2 Kerberos login in JDBC connector
### What changes were proposed in this pull request? When loading DataFrames from JDBC datasource with Kerberos authentication, remote executors (yarn-client/cluster etc. modes) fail to establish a connection due to lack of Kerberos ticket or ability to generate it. This is a real issue when trying to ingest data from kerberized data sources (SQL Server, Oracle) in enterprise environment where exposing simple authentication access is not an option due to IT policy issues. In this PR I've added DB2 support (other supported databases will come in later PRs). What this PR contains: * Added `DB2ConnectionProvider` * Added `DB2ConnectionProviderSuite` * Added `DB2KrbIntegrationSuite` docker integration test * Changed DB2 JDBC driver to use the latest (test scope only) * Changed test table data type to a type which is supported by all the databases * Removed double connection creation on test side * Increased connection timeout in docker tests because DB2 docker takes quite a time to start ### Why are the changes needed? Missing JDBC kerberos support. ### Does this PR introduce any user-facing change? Yes, now user is able to connect to DB2 using kerberos. ### How was this patch tested? * Additional + existing unit tests * Additional + existing integration tests * Test on cluster manually Closes #28215 from gaborgsomogyi/SPARK-31272. Authored-by: Gabor Somogyi <gabor.g.somogyi@gmail.com> Signed-off-by: Marcelo Vanzin <vanzin@apache.org>
1 parent
54b97b2
commit c619990
Showing
17 changed files
with
281 additions
and
33 deletions.
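--- a/external/docker-integration-tests/src/test/resources/db2_krb_setup.sh
+++ b/external/docker-integration-tests/src/test/resources/db2_krb_setup.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+USERPROFILE=/database/config/db2inst1/sqllib/userprofile
+echo "export DB2_KRB5_PRINCIPAL=db2/__IP_ADDRESS_REPLACE_ME__@EXAMPLE.COM" >> $USERPROFILE
+echo "export KRB5_KTNAME=/var/custom/db2.keytab" >> $USERPROFILE
+# This trick is needed because DB2 forwards environment variables automatically only if it's starting with DB2.
+su - db2inst1 -c "db2set DB2ENVLIST=KRB5_KTNAME"
+
+su - db2inst1 -c "db2 UPDATE DBM CFG USING SRVCON_GSSPLUGIN_LIST IBMkrb5 IMMEDIATE"
+su - db2inst1 -c "db2 UPDATE DBM CFG USING SRVCON_AUTH KERBEROS IMMEDIATE"
+
+su - db2inst1 -c "db2stop force; db2start"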
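Review bot: None of the `db2set` / `db2 UPDATE DBM CFG` steps has its exit status checked, so a failed `SRVCON_AUTH KERBEROS` update still reaches the final `db2stop force; db2start` and the instance restarts with whatever authentication setting it had before. An explicit guard on the two configuration lines, e.g. `su - db2inst1 -c "db2 UPDATE DBM CFG USING SRVCON_AUTH KERBEROS IMMEDIATE" || exit 1`, would make a half-configured server fail at setup rather than at the first connection attempt. A blanket `set -e` is riskier here, since the db2 command line may return a non-zero code for warnings as well. `$USERPROFILE` is also expanded unquoted in both redirections; `>> "$USERPROFILE"` is the safer form.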
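--- a/...r-integration-tests/src/test/scala/org/apache/spark/sql/jdbc/DB2KrbIntegrationSuite.scala
+++ b/...r-integration-tests/src/test/scala/org/apache/spark/sql/jdbc/DB2KrbIntegrationSuite.scala
@@ -0,0 +1,89 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.spark.sql.jdbc
+
+import java.security.PrivilegedExceptionAction
+import java.sql.Connection
+import javax.security.auth.login.Configuration
+
+import com.spotify.docker.client.messages.{ContainerConfig, HostConfig}
+import org.apache.hadoop.security.{SecurityUtil, UserGroupInformation}
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS
+
+import org.apache.spark.sql.execution.datasources.jdbc.JDBCOptions
+import org.apache.spark.sql.execution.datasources.jdbc.connection.{DB2ConnectionProvider, SecureConnectionProvider}
+import org.apache.spark.tags.DockerTest
+
+@DockerTest
+class DB2KrbIntegrationSuite extends DockerKrbJDBCIntegrationSuite {
+override protected val userName = s"db2/$dockerIp"
+override protected val keytabFileName = "db2.keytab"
+
+override val db = new DatabaseOnDocker {
+override val imageName = "ibmcom/db2:11.5.0.0a"
+override val env = Map(
+"DB2INST1_PASSWORD" -> "rootpass",
+"LICENSE" -> "accept",
+"DBNAME" -> "db2"
+)
+override val usesIpc = false
+override val jdbcPort = 50000
+override val privileged = true
+override def getJdbcUrl(ip: String, port: Int): String = s"jdbc:db2://$ip:$port/db2"
+override def getJdbcProperties() = {
+val options = new JDBCOptions(Map[String, String](
+JDBCOptions.JDBC_URL -> getJdbcUrl(dockerIp, externalPort),
+JDBCOptions.JDBC_TABLE_NAME -> "bar",
+JDBCOptions.JDBC_KEYTAB -> keytabFileName,
+JDBCOptions.JDBC_PRINCIPAL -> principal
+))
+new DB2ConnectionProvider(null, options).getAdditionalProperties()
+}
+
+override def beforeContainerStart(
+hostConfigBuilder: HostConfig.Builder,
+containerConfigBuilder: ContainerConfig.Builder): Unit = {
+copyExecutableResource("db2_krb_setup.sh", initDbDir, replaceIp)
+
+hostConfigBuilder.appendBinds(
+HostConfig.Bind.from(initDbDir.getAbsolutePath)
+.to("/var/custom").readOnly(true).build()
+)
+}
+}
+
+override protected def setAuthentication(keytabFile: String, principal: String): Unit = {
+val config = new SecureConnectionProvider.JDBCConfiguration(
+Configuration.getConfiguration, "JaasClient", keytabFile, principal)
+Configuration.setConfiguration(config)
+}
+
+override def getConnection(): Connection = {
+val config = new org.apache.hadoop.conf.Configuration
+SecurityUtil.setAuthenticationMethod(KERBEROS, config)
+UserGroupInformation.setConfiguration(config)
+
+UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabFullPath).doAs(
+new PrivilegedExceptionAction[Connection]() {
+override def run(): Connection = {
+DB2KrbIntegrationSuite.super.getConnection()
+}
+}
+)
+}
+}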
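Review bot: `setAuthentication` replaces the JVM-wide JAAS configuration via `Configuration.setConfiguration(config)`, and `getConnection` switches Hadoop's `UserGroupInformation` to KERBEROS via `UserGroupInformation.setConfiguration(config)`; nothing in this file restores either one. The base `DockerKrbJDBCIntegrationSuite` is not shown here, so it may already reset them in its teardown, but if it does not, any later suite in the same JVM inherits this suite's Kerberos settings. A short comment on both calls would make the dependency explicit, e.g. `// Mutates process-global security state; the base suite is expected to restore it after the tests`. Separately, `override val privileged = true` deserves a one-line comment saying why the DB2 image needs a privileged container, so the setting is not copied into other suites by default.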
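--- a/...la/org/apache/spark/sql/execution/datasources/jdbc/connection/DB2ConnectionProvider.scala
+++ b/...la/org/apache/spark/sql/execution/datasources/jdbc/connection/DB2ConnectionProvider.scala
@@ -0,0 +1,61 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.spark.sql.execution.datasources.jdbc.connection
+
+import java.security.PrivilegedExceptionAction
+import java.sql.{Connection, Driver}
+import java.util.Properties
+
+import org.apache.hadoop.security.UserGroupInformation
+
+import org.apache.spark.sql.execution.datasources.jdbc.JDBCOptions
+
+private[sql] class DB2ConnectionProvider(driver: Driver, options: JDBCOptions)
+extends SecureConnectionProvider(driver, options) {
+override val appEntry: String = "JaasClient"
+
+override def getConnection(): Connection = {
+setAuthenticationConfigIfNeeded()
+UserGroupInformation.loginUserFromKeytabAndReturnUGI(options.principal, options.keytab).doAs(
+new PrivilegedExceptionAction[Connection]() {
+override def run(): Connection = {
+DB2ConnectionProvider.super.getConnection()
+}
+}
+)
+}
+
+override def getAdditionalProperties(): Properties = {
+val result = new Properties()
+// 11 is the integer value for kerberos
+result.put("securityMechanism", new String("11"))
+result.put("KerberosServerPrincipal", options.principal)
+result
+}
+
+override def setAuthenticationConfigIfNeeded(): Unit = {
+val (parent, configEntry) = getConfigWithAppEntry()
+if (configEntry == null || configEntry.isEmpty) {
+setAuthenticationConfig(parent)
+}
+}
+}
+
+private[sql] object DB2ConnectionProvider {
+val driverClass = "com.ibm.db2.jcc.DB2Driver"
+}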
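Review bot: `getAdditionalProperties` sets `KerberosServerPrincipal` to `options.principal`, which is the same value `getConnection` passes to `loginUserFromKeytabAndReturnUGI` as the client identity. As far as the DB2 driver documents this property, it names the principal the server is registered under in the KDC. The setting is therefore only right when client and server share one principal, as the integration test's `db2/$dockerIp` does; a deployment with a distinct user principal would be asking for a service ticket for the wrong name. Until a separate server-principal setting is supported, the assumption should at least be stated on that line, e.g. `// assumes the DB2 server is registered in the KDC under the same principal as the client keytab`. Also in this file, `setAuthenticationConfigIfNeeded` does a check-then-set on the JVM-wide JAAS configuration with no lock visible in this file, and `new String("11")` can simply be `"11"`.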