[SPARK-35226][SQL] Support refreshKrb5Config option in JDBC datasources #32344
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Kubernetes integration test unable to build dist. exiting with code: 1 |
|
Test build #137934 has finished for PR 32344 at commit
|
| Configuration.setConfiguration(null) | ||
| withTempDir { dir => | ||
| val dummyKrb5Conf = File.createTempFile("dummy", "krb5.conf", dir) | ||
| val origKrb5Conf = sys.props("java.security.krb5.conf") |
There was a problem hiding this comment.
Shall we use the pre-defined KRB5_CONF_PROP instead of java.security.krb5.conf?
There was a problem hiding this comment.
Thank you. I've updated.
dongjoon-hyun
changed the title
dongjoon-hyun
approved these changes
Apr 26, 2021
|
Thank you for update. |
|
cc @gaborgsomogyi FYI |
|
Kubernetes integration test starting |
|
Kubernetes integration test status failure |
|
Test build #137974 has finished for PR 32344 at commit
|
|
@HyukjinKwon thanks for pinging me. I've had a look at the change and I think it looks good but can introduce a race. Let me share the use-case:
This is just one example, the second one is when config update happens between security context modification and authentication. Such case JDBC authentication will fail temporarily. I'm not against to add this but I think it's a must to mention somewhere that setting this flag can cause severe issues on running workloads. Seems like the doc change is missing, right? |
|
@gaborgsomogyi Thanks for your suggestion. So, it seems better to note in the doc about the possibility of race condition. |
|
Kubernetes integration test starting |
|
Kubernetes integration test status failure |
|
Test build #138024 has finished for PR 32344 at commit
|
sarutak
added a commit
that referenced
this pull request
Apr 29, 2021
### What changes were proposed in this pull request? This PR proposes to introduce a new JDBC option `refreshKrb5Config` which allows to reflect the change of `krb5.conf`. ### Why are the changes needed? In the current master, JDBC datasources can't accept `refreshKrb5Config` which is defined in `Krb5LoginModule`. So even if we change the `krb5.conf` after establishing a connection, the change will not be reflected. The similar issue happens when we run multiple `*KrbIntegrationSuites` at the same time. `MiniKDC` starts and stops every KerberosIntegrationSuite and different port number is recorded to `krb5.conf`. Due to `SecureConnectionProvider.JDBCConfiguration` doesn't take `refreshKrb5Config`, KerberosIntegrationSuites except the first running one see the wrong port so those suites fail. You can easily confirm with the following command. ``` build/sbt -Phive Phive-thriftserver -Pdocker-integration-tests "testOnly org.apache.spark.sql.jdbc.*KrbIntegrationSuite" ``` ### Does this PR introduce _any_ user-facing change? Yes. Users can set `refreshKrb5Config` to refresh krb5 relevant configuration. ### How was this patch tested? New test. Closes #32344 from sarutak/kerberos-refresh-issue. Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com> Signed-off-by: Kousuke Saruta <sarutak@oss.nttdata.com> (cherry picked from commit 529b875) Signed-off-by: Kousuke Saruta <sarutak@oss.nttdata.com>
|
Merged to |
dongjoon-hyun
pushed a commit
that referenced
this pull request
May 23, 2021
…IntegrationSuite ### What changes were proposed in this pull request? This PR fixes an test added in SPARK-35226 (#32344). ### Why are the changes needed? `SELECT 1` seems non-valid query for DB2. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? DB2KrbIntegrationSuite passes on my laptop. I also confirmed all the KrbIntegrationSuites pass with the following command. ``` build/sbt -Phive -Phive-thriftserver -Pdocker-integration-tests "testOnly org.apache.spark.sql.jdbc.*KrbIntegrationSuite" ``` Closes #32632 from sarutak/followup-SPARK-35226. Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
dongjoon-hyun
pushed a commit
that referenced
this pull request
May 23, 2021
…IntegrationSuite ### What changes were proposed in this pull request? This PR fixes an test added in SPARK-35226 (#32344). ### Why are the changes needed? `SELECT 1` seems non-valid query for DB2. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? DB2KrbIntegrationSuite passes on my laptop. I also confirmed all the KrbIntegrationSuites pass with the following command. ``` build/sbt -Phive -Phive-thriftserver -Pdocker-integration-tests "testOnly org.apache.spark.sql.jdbc.*KrbIntegrationSuite" ``` Closes #32632 from sarutak/followup-SPARK-35226. Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com> Signed-off-by: Dongjoon Hyun <dhyun@apple.com> (cherry picked from commit 1a43415) Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
flyrain
pushed a commit
to flyrain/spark
that referenced
this pull request
Sep 21, 2021
### What changes were proposed in this pull request? This PR proposes to introduce a new JDBC option `refreshKrb5Config` which allows to reflect the change of `krb5.conf`. ### Why are the changes needed? In the current master, JDBC datasources can't accept `refreshKrb5Config` which is defined in `Krb5LoginModule`. So even if we change the `krb5.conf` after establishing a connection, the change will not be reflected. The similar issue happens when we run multiple `*KrbIntegrationSuites` at the same time. `MiniKDC` starts and stops every KerberosIntegrationSuite and different port number is recorded to `krb5.conf`. Due to `SecureConnectionProvider.JDBCConfiguration` doesn't take `refreshKrb5Config`, KerberosIntegrationSuites except the first running one see the wrong port so those suites fail. You can easily confirm with the following command. ``` build/sbt -Phive Phive-thriftserver -Pdocker-integration-tests "testOnly org.apache.spark.sql.jdbc.*KrbIntegrationSuite" ``` ### Does this PR introduce _any_ user-facing change? Yes. Users can set `refreshKrb5Config` to refresh krb5 relevant configuration. ### How was this patch tested? New test. Closes apache#32344 from sarutak/kerberos-refresh-issue. Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com> Signed-off-by: Kousuke Saruta <sarutak@oss.nttdata.com> (cherry picked from commit 529b875) Signed-off-by: Kousuke Saruta <sarutak@oss.nttdata.com>
flyrain
pushed a commit
to flyrain/spark
that referenced
this pull request
Sep 21, 2021
…IntegrationSuite ### What changes were proposed in this pull request? This PR fixes an test added in SPARK-35226 (apache#32344). ### Why are the changes needed? `SELECT 1` seems non-valid query for DB2. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? DB2KrbIntegrationSuite passes on my laptop. I also confirmed all the KrbIntegrationSuites pass with the following command. ``` build/sbt -Phive -Phive-thriftserver -Pdocker-integration-tests "testOnly org.apache.spark.sql.jdbc.*KrbIntegrationSuite" ``` Closes apache#32632 from sarutak/followup-SPARK-35226. Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com> Signed-off-by: Dongjoon Hyun <dhyun@apple.com> (cherry picked from commit 1a43415) Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This PR proposes to introduce a new JDBC option
refreshKrb5Configwhich allows to reflect the change ofkrb5.conf.Why are the changes needed?
In the current master, JDBC datasources can't accept
refreshKrb5Configwhich is defined inKrb5LoginModule.So even if we change the
krb5.confafter establishing a connection, the change will not be reflected.The similar issue happens when we run multiple
*KrbIntegrationSuitesat the same time.MiniKDCstarts and stops every KerberosIntegrationSuite and different port number is recorded tokrb5.conf.Due to
SecureConnectionProvider.JDBCConfigurationdoesn't takerefreshKrb5Config, KerberosIntegrationSuites except the first running one see the wrong port so those suites fail.You can easily confirm with the following command.
Does this PR introduce any user-facing change?
Yes. Users can set
refreshKrb5Configto refresh krb5 relevant configuration.How was this patch tested?
New test.