Support YARN endpoints protected by Kerberos/SPNEGO

[lresende]

There are a few commits here, mostly around Kerberos/SPNEGO and Integration Tests.
Also, bumping the version to 0.2.6 to perform a release with these changes to be used in Jupyter Enterprise Gateway.

Please review, but don't squash/merge.

[kevin-bates]

This is really great Luciano - thanks! I just had a couple comments.

[kevin-bates]

We should probably add checks against None for address and port at the very end of the constructor to maintain parity.

Also, this is removing a property that allowed the user to get a connection to the particular server. Seems like that needs to be preserved unless we know there are no applications using that property.

[lresende]

Good catch... added it back together with fixes for test cases that were failing

[kevin-bates]

Sorry, not finding where property http_conn was added back in. Please advise.

[kevin-bates]

Please fix typo to kerberosEnabled

[kevin-bates]

Please fix typo to kerberosEnabled

[lresende]

There are still some dependency issues with the tests, around the SPNEGO dependency, I will try to figure that out tomorrow.

[coveralls]

Coverage decreased (-4.4%) to 91.685% when pulling a21f612 on lresende:security into ad9a807 on toidi:master.

[lresende]

Ok, All good with the dependencies, it was a tox configuration issue.

[ediskandarov-cur]

it's not a good idea to pin requirements here, as it may conflict with project wide requirements
perhaps, it's possible to specify in terms of >=, <=?

[ediskandarov-cur]

I wish I would use pytest for testing
But fine for now. I may find some time to update tests

[ediskandarov-cur]

perhaps, use requests_mock as a decorator?

[ediskandarov-cur]

please keep this list sorted

[ediskandarov-cur]

don't mix variable naming styles. Project follows pep8 convention

[ediskandarov-cur]

with requests it becomes so much easies 👍

[ediskandarov-cur]

I have a doubt about hardcoding http here

[lresende]

enabling https requires some more work throughout the code, we could address that in the future

[ediskandarov-cur]

Thanks for the PR!
I'll look again tomorrow morning, as I'm sleepy now

[ediskandarov-cur]

these deps should be managed by tox

[ediskandarov-cur]

except tox and coveralls

[ediskandarov-cur]

is it possible to make integration tests as a part of CI process?

[lresende]

The integration tests require a running yarn, we could probably add docker, etc... let me create an issue to address that in the near future.

[ediskandarov-cur]

remove TODO

[lresende]

@toidi and @kevin-bates All comments have been addressed, and a few issues created around the things that are really general enhancements and not added by these commits. Any other issues, otherwise I would like to add these commits to master and perform a release so I can use this in EG.

[kevin-bates]

All looks good except I can't find where the http_conn property was restored.

[kevin-bates]

Sorry, not finding where property http_conn was added back in. Please advise.

[lresende]

In BaseYarnAPI there is now

    def _validate_configuration(self):
        if self.address is None:
            raise ConfigurationError('API address is not set')
        elif self.port is None:
            raise ConfigurationError('API port is not set')

and also the validation tests in test/test_base.py are passing:

   def test_http_configuration(self):
        with requests_mock.mock() as requests_get_mock:
            requests_get_mock.get('/ololo', text=json.dumps(BaseYarnAPITestCase.success_response()))

            client = self.get_client()
            client.address = None
            client.port = 80

            with self.assertRaises(ConfigurationError):
                client.request('/ololo')

[lresende]

Also note that, because we moved to now use the requests package, we are not using http_connection anymore.

[lresende]

And yes, looking from the diffs are a little strange, so I had to go into the dif, find the base.py and show the file from the diff page. You can probably do the same from the commits list as well.

[kevin-bates]

I understand we're not using http_connection any more, but http_conn was decorated as a property via @property and I had assumed that that meant it was publicly exposed - therefore a "contract". If that's not the case, then please ignore my comment/concern. I just don't know, nor can we really determine, if that property is in use elsewhere and, if so, that particular client will break after upgrading.

[lresende]

Ok, I now understand your question. This is indeed a breaking change, as the HTTP connection is now managed internally by requests package. How about naming the release 0.3.0 and updating the changelog to explicitly describe this breaking change:

0.3.0 Release
    - Add support for YARN endpoints protected by Kerberos/SPNEGO
    - Moved to `requests` package for REST API invocation
    - Remove `http_con` property, as connections are now managed by `requests` package

[ediskandarov-cur]

first item in tuple goes to hadoop api
does it expect ?construct_parameters=X instead of ?applicationTypes=X in query string?

[ediskandarov-cur]

👍 looks good to me
maybe except rename of application_types query string argument

[ediskandarov-cur]

@kevin-bates your concern about http_conn is valid.
On the other hand I didn't have an intention to include it in contract. That property should have been private.

[kevin-bates]

@toidi - thanks for the explanation - good to know there wasn't intention to make the property public. I was thinking about taking the version approach that @lresende suggested as well, and I think moving to 0.3.0 is probably the best approach since it covers our bases.

[kevin-bates]

Based on the final discussion of http_conn, these changes look good to me. Thanks for handling this @lresende and @toidi for your input and guidance.