[SPARK-20434][YARN][CORE] Move Hadoop delegation token code from yarn to core #17723
Conversation
…e generic SparkHadoopUtil class
…r for backwards compatibility
…eCredentialProvider from core
|
Test build #76044 has finished for PR 17723 at commit
|
|
Test build #76045 has finished for PR 17723 at commit
|
|
Test build #76046 has finished for PR 17723 at commit
|
core/pom.xml
Outdated
| --> | ||
| <dependency> | ||
| <groupId>${hive.group}</groupId> | ||
| <artifactId>hive-exec</artifactId> |
There was a problem hiding this comment.
I still don't know how to place these in the test scope, which is where they belong. See my comment here: https://github.com/apache/spark/pull/17665/files#r112337820
There was a problem hiding this comment.
So I tried a few things, and the one that got me further was just having this:
<dependency>
<groupId>${hive.group}</groupId>
<artifactId>hive-metastore</artifactId>
<scope>test</scope>
</dependency>
And nix the others. Adding the others in test scope caused some weird error in sbt, even with all dependencies (we have the dependencies you had problems with cached locally).
My comment was going to be to add that, then rewrite the code to use the metastore API instead of the Hive class from hive-exec... but then I noticed that test is not doing much, because there are no metastore servers to talk to. It's even there, hardcoded in the test:
test("obtain tokens For HiveMetastore") {
...
credentials.getAllTokens.size() should be (0)
All it seems to be doing is making sure the reflection-based code is not completely broken. That is something already, though.
So I have two suggestions, in order of preference:
-
add the dependencies in "provided" scope, and change the code to use actual types and not reflection. Because the classes may not exist at runtime, that means having to handle
NoClassDefFoundErrorin creative ways. -
keep the reflection code, and remove this test. Or maybe move it to a separate module as others have suggested.
I kinda like the first because it's always good to avoid reflection, and this is a particularly ugly use of it.
There was a problem hiding this comment.
Thanks for looking into it.
Do you know why reflection was used in the first place? Why not just add the Hive dependencies to compile scope? I'm thinking that's what we should do now, and drop reflection.
So I'm agreeing with your first bullet point, but proposing that we add the hive deps to compile rather than provided.
There was a problem hiding this comment.
Why not just add the Hive dependencies to compile scope?
Because technically Hive is an optional dependency for Spark, and moving it to compile scope would break that.
(Whether that should change or not is a separate discussion, but probably better not to have it as part of this change.)
There was a problem hiding this comment.
Alright I added hive-exec to provided scope, and removed the reflection.
|
Test build #76047 has finished for PR 17723 at commit
|
|
BTW @vanzin, I decided to parameterize |
|
Test build #77820 has finished for PR 17723 at commit
|
|
Test build #77822 has finished for PR 17723 at commit
|
|
Thanks! Will review it tomorrow. |
core/pom.xml
Outdated
| @@ -357,6 +357,34 @@ | |||
| <groupId>org.apache.commons</groupId> | |||
| <artifactId>commons-crypto</artifactId> | |||
| </dependency> | |||
|
|
|||
| <!-- | |||
| Testing Hive reflection needs hive on the test classpath only, however, while adding hive-exec to the test | |||
There was a problem hiding this comment.
Minor, but this comment is a little stale now after all the changes. There's no reflection anymore, so the "provided" scope is just so we can still package Spark without Hive.
| } | ||
|
|
||
| private def fetchDelegationTokens( | ||
| renewer: String, |
| } | ||
|
|
||
| private def getTokenRenewalInterval( | ||
| hadoopConf: Configuration, |
| creds.addToken(new Text("hive.server2.delegation.token"), hive2Token) | ||
| } | ||
| } catch { | ||
| case NonFatal(e) => |
There was a problem hiding this comment.
Move this catch block to the end of the method?
There was a problem hiding this comment.
good catch. fixed.
| // public for testing | ||
| val credentialProviders = getCredentialProviders | ||
|
|
||
| def obtainCredentials( |
| hadoopConf: Configuration, | ||
| creds: Credentials): Long = { | ||
|
|
||
| val superInterval = configurableCredentialManager.obtainCredentials( |
| } | ||
|
|
||
| private def loadCredentialProviders: List[ServiceCredentialProvider] = { | ||
| ServiceLoader.load( |
There was a problem hiding this comment.
nit: the load(...) call fits in one line.
There was a problem hiding this comment.
fixed. would be nice if scalastyle caught all of these spacing issues.
There was a problem hiding this comment.
In the PR description, we need an update. Although this PR does not have a design doc, we still need to clearly describe all the major changes and the relation between these new classes and the existing/new traits.
For example, the relation between ServiceCredentialProvider and HadoopDelegationTokenProvider. Another example, [[HadoopFSCredentialProvider]], [[HiveCredentialProvider]] and [[HBaseCredentialProvider]] needs to be explained too.
If possible, draw a class hierarchy for them. It will help the future code readers to understand the impact of this PR, after we merge it.
| } | ||
| } | ||
|
|
||
| val isEnabledDeprecated = deprecatedProviderEnabledConfigs.forall { pattern => |
There was a problem hiding this comment.
Why? It would be a pure, 0-ary function, which is better represented as a val.
There was a problem hiding this comment.
This will be used only when key is not defined in SparkConf.
| import org.apache.spark.internal.Logging | ||
| import org.apache.spark.util.Utils | ||
|
|
||
| private[security] class HBaseCredentialProvider extends ServiceCredentialProvider with Logging { | ||
| private[security] class HBaseCredentialProvider | ||
| extends HadoopDelegationTokenProvider with Logging { |
There was a problem hiding this comment.
It's too long now with the rename.
| private[spark] trait HadoopDelegationTokenProvider { | ||
|
|
||
| /** | ||
| * Name of the service to provide credentials. This name should be unique, Spark internally will |
|
|
||
| private[deploy] class HadoopFSCredentialProvider(fileSystems: Set[FileSystem]) | ||
| extends HadoopDelegationTokenProvider with Logging { | ||
| // Token renewal interval, this value will be set in the first call, |
There was a problem hiding this comment.
How about?
The token renewal interval will be set in the first call.
|
|
||
| override def serviceName: String = "hive" | ||
|
|
||
| private val classNotFoundErrorStr = "You are attempting to use the HiveCredentialProvider," + |
| @@ -368,7 +371,9 @@ private[spark] class Client( | |||
| val fs = destDir.getFileSystem(hadoopConf) | |||
|
|
|||
| // Merge credentials obtained from registered providers | |||
| val nearestTimeOfNextRenewal = credentialManager.obtainCredentials(hadoopConf, credentials) | |||
| val nearestTimeOfNextRenewal = credentialManager.obtainCredentials( | |||
| // public for testing | ||
| val credentialProviders = getCredentialProviders | ||
|
|
||
| def obtainCredentials( |
There was a problem hiding this comment.
YARNConfigurableCredentialManager is not extending ConfigurableCredentialManager . Please add the function description for this function too.
| hadoopConf: Configuration, | ||
| fileSystems: Set[FileSystem]) extends Logging { | ||
|
|
||
| private val configurableCredentialManager = |
There was a problem hiding this comment.
Add the comment above this line to explain why YARNConfigurableCredentialManager does not extend ConfigurableCredentialManager
There was a problem hiding this comment.
I'm not sure what you mean. Is composition vs. inheritance something that needs to be justified?
| /** | ||
| * Get credential provider for the specified service. | ||
| */ | ||
| def getServiceCredentialProvider(service: String): Option[HadoopDelegationTokenProvider] = { |
There was a problem hiding this comment.
In this ConfigurableCredentialManager , we are using the terminology ServiceCredentialProvider. However, ServiceCredentialProvider is a Yarn-specific trait. It is confusing when reading the codes.
If possible, we need to change the names and terms used in the class ConfigurableCredentialManager
There was a problem hiding this comment.
You're right. I made a few changes to naming:
*CredentialProvider -> *DelegationTokenProvider
ConfigurableCredentialManager -> HadoopDelegationTokenManager
YARNConfigurableCredentialManager -> YARNHadoopDelegationTokenManager
and updated a bunch of comments.
cc @vanzin. you might be interested in this since these renames are non-trivial
| * Writes delegation tokens to creds. Delegation tokens are fetched from all registered | ||
| * providers. | ||
| * | ||
| * @return Time after which the fetched delegation tokens should be renewed. |
There was a problem hiding this comment.
This needs to be more accurate to explain the first service provider that needs to renew.
There was a problem hiding this comment.
I think this is the most accurate and succinct explanation of the contract. Since we aren't returning the renewal time of all tokens, it is true that after the returned timeout, all tokens must be renewed. I could say "Time after which one of the returned tokens must be renewed", but this is a circuitous instruction to the user, since they actually must renew all.
mgummelt
changed the title
|
@gatorsmile I've expanded the description, and included a before/after class hierarchy. |
|
Test build #77941 has finished for PR 17723 at commit
|
|
retest this please |
|
Test build #77946 has finished for PR 17723 at commit
|
|
retest this please |
|
Test build #77953 has finished for PR 17723 at commit
|
|
@gatorsmile All comments addressed. Ready for re-review. Unit tests are failing on master, so I'm waiting for those to be resolved to get a passing build. |
|
retest this please |
docs/running-on-yarn.md
Outdated
| @@ -504,10 +504,10 @@ spark.yarn.access.hadoopFileSystems hdfs://ireland.example.org:8020/,webhdfs://f | |||
| ``` | |||
|
|
|||
| Spark supports integrating with other security-aware services through Java Services mechanism (see | |||
| `java.util.ServiceLoader`). To do that, implementations of `org.apache.spark.deploy.yarn.security.ServiceCredentialProvider` | |||
| `java.util.ServiceLoader`). To do that, implementations of `org.apache.spark.deploy.security.ServiceCredentialProvider` | |||
|
LGTM except one comment. |
|
Test build #78062 has finished for PR 17723 at commit
|
|
Test build #78072 has finished for PR 17723 at commit
|
|
LGTM, merging to master. |
|
w00t Thanks everyone. |
… to core ## What changes were proposed in this pull request? Move Hadoop delegation token code from `spark-yarn` to `spark-core`, so that other schedulers (such as Mesos), may use it. In order to avoid exposing Hadoop interfaces in spark-core, the new Hadoop delegation token classes are kept private. In order to provider backward compatiblity, and to allow YARN users to continue to load their own delegation token providers via Java service loading, the old YARN interfaces, as well as the client code that uses them, have been retained. Summary: - Move registered `yarn.security.ServiceCredentialProvider` classes from `spark-yarn` to `spark-core`. Moved them into a new, private hierarchy under `HadoopDelegationTokenProvider`. Client code in `HadoopDelegationTokenManager` now loads credentials from a whitelist of three providers (`HadoopFSDelegationTokenProvider`, `HiveDelegationTokenProvider`, `HBaseDelegationTokenProvider`), instead of service loading, which means that users are not able to implement their own delegation token providers, as they are in the `spark-yarn` module. - The `yarn.security.ServiceCredentialProvider` interface has been kept for backwards compatibility, and to continue to allow YARN users to implement their own delegation token provider implementations. Client code in YARN now fetches tokens via the new `YARNHadoopDelegationTokenManager` class, which fetches tokens from the core providers through `HadoopDelegationTokenManager`, as well as service loads them from `yarn.security.ServiceCredentialProvider`. Old Hierarchy: ``` yarn.security.ServiceCredentialProvider (service loaded) HadoopFSCredentialProvider HiveCredentialProvider HBaseCredentialProvider yarn.security.ConfigurableCredentialManager ``` New Hierarchy: ``` HadoopDelegationTokenManager HadoopDelegationTokenProvider (not service loaded) HadoopFSDelegationTokenProvider HiveDelegationTokenProvider HBaseDelegationTokenProvider yarn.security.ServiceCredentialProvider (service loaded) yarn.security.YARNHadoopDelegationTokenManager ``` ## How was this patch tested? unit tests Author: Michael Gummelt <mgummelt@mesosphere.io> Author: Dr. Stefan Schimanski <sttts@mesosphere.io> Closes apache#17723 from mgummelt/SPARK-20434-refactor-kerberos.
… to core (Kerberos refactor) Move Hadoop delegation token code from `spark-yarn` to `spark-core`, so that other schedulers (such as Mesos), may use it. In order to avoid exposing Hadoop interfaces in spark-core, the new Hadoop delegation token classes are kept private. In order to provider backward compatiblity, and to allow YARN users to continue to load their own delegation token providers via Java service loading, the old YARN interfaces, as well as the client code that uses them, have been retained. Summary: - Move registered `yarn.security.ServiceCredentialProvider` classes from `spark-yarn` to `spark-core`. Moved them into a new, private hierarchy under `HadoopDelegationTokenProvider`. Client code in `HadoopDelegationTokenManager` now loads credentials from a whitelist of three providers (`HadoopFSDelegationTokenProvider`, `HiveDelegationTokenProvider`, `HBaseDelegationTokenProvider`), instead of service loading, which means that users are not able to implement their own delegation token providers, as they are in the `spark-yarn` module. - The `yarn.security.ServiceCredentialProvider` interface has been kept for backwards compatibility, and to continue to allow YARN users to implement their own delegation token provider implementations. Client code in YARN now fetches tokens via the new `YARNHadoopDelegationTokenManager` class, which fetches tokens from the core providers through `HadoopDelegationTokenManager`, as well as service loads them from `yarn.security.ServiceCredentialProvider`. Old Hierarchy: ``` yarn.security.ServiceCredentialProvider (service loaded) HadoopFSCredentialProvider HiveCredentialProvider HBaseCredentialProvider yarn.security.ConfigurableCredentialManager ``` New Hierarchy: ``` HadoopDelegationTokenManager HadoopDelegationTokenProvider (not service loaded) HadoopFSDelegationTokenProvider HiveDelegationTokenProvider HBaseDelegationTokenProvider yarn.security.ServiceCredentialProvider (service loaded) yarn.security.YARNHadoopDelegationTokenManager ``` unit tests Author: Michael Gummelt <mgummelt@mesosphere.io> Author: Dr. Stefan Schimanski <sttts@mesosphere.io> Closes apache#17723 from mgummelt/SPARK-20434-refactor-kerberos.
What changes were proposed in this pull request?
Move Hadoop delegation token code from
spark-yarntospark-core, so that other schedulers (such as Mesos), may use it. In order to avoid exposing Hadoop interfaces in spark-core, the new Hadoop delegation token classes are kept private. In order to provider backward compatiblity, and to allow YARN users to continue to load their own delegation token providers via Java service loading, the old YARN interfaces, as well as the client code that uses them, have been retained.Summary:
Move registered
yarn.security.ServiceCredentialProviderclasses fromspark-yarntospark-core. Moved them into a new, private hierarchy underHadoopDelegationTokenProvider. Client code inHadoopDelegationTokenManagernow loads credentials from a whitelist of three providers (HadoopFSDelegationTokenProvider,HiveDelegationTokenProvider,HBaseDelegationTokenProvider), instead of service loading, which means that users are not able to implement their own delegation token providers, as they are in thespark-yarnmodule.The
yarn.security.ServiceCredentialProviderinterface has been kept for backwards compatibility, and to continue to allow YARN users to implement their own delegation token provider implementations. Client code in YARN now fetches tokens via the newYARNHadoopDelegationTokenManagerclass, which fetches tokens from the core providers throughHadoopDelegationTokenManager, as well as service loads them fromyarn.security.ServiceCredentialProvider.Old Hierarchy:
New Hierarchy:
How was this patch tested?
unit tests