Kerberos authentication support

[praveen-kanamarlapudi]

Fix #282

1. Enabled kerberos authentication on sparkmagic
2. Updated test cases.

[aggFTW]

Thanks so much! Nice to see 👍
Looking into how busy I'm at work, I cannot get to it now, but I will get to the review not later than Friday.

@pranayhasan, I hope this you and your team can get started on this review. Can you help us with the review to make sure it works for your scenario as well? I would suggest taking the commit and trying it out on your system. Feel free to make any code/test comments as well.

Thanks!

[aggFTW]

@joychak you may want to take a look :)

[aggFTW]

Let me know if you have any questions!
Thank you so much for the PR :)

[aggFTW]

Please add min, max versions. A good idea is to have the max version be the next major version.

[pranayhasan]

Also, requirements.txt needs to be updated.

[aggFTW]

+1

Thanks for catching this!

[aggFTW]

Can you please update the README with information on the new authentication types supported in the features section.

We also need a section on how to use the Kerberos implementation here: basically an overview of how it works/what sparkmagic does vs what you need to do out of band regarding ticket management: e.g. you need to do kinit out of band.

[pranayhasan]

Password widget has been added for the 7.0.0 version of ipywidgets and should be available soon. For now we can use 7.0.0a2 version of ipywidgets until 7.0.0 is published. But before this, we need to fix problems in display after ipywidget is updated to use 6.0.0 or later versions so as to make it usable.

[aggFTW]

Let's not use any alpha/dev versions of ipywidgets please.

I was not aware of these display issues with 6.0.0. Is this introduced by this PR or has it always been like this with 6.0.0?

[pranayhasan]

What I meant is that we need to the functionality with 7.0.0a2, so that we can use 7.0.0 once it gets published. We already have display issues with 6.0.0 version where the fields are displayed in a row as above. Can we revert back the commit and address UI issue to output the fields in columns? We can use the password widget only once we fix these.

[aggFTW]

Yes, we need to fix the issue with 6.0 first. I just created an issue for it (#358). I do not think I can prioritize it now. @pranayhasan do you want to take a crack at it?

[pranayhasan]

@aggFTW Took this up. Thanks for creating an issue!

[aggFTW]

Do we need to show/hide the password widget based on the authentication type selected?

[aggFTW]

I'm looking at #284, and we had this comment:

On change, we should hide/show the appropriate fields. So:

• On change to NO_AUTH: hide username and password.
• On change to AUTH_KERBEROS: hide username and password.
• On change to AUTH_SSL: show username and password.

Ipywidgets has a way to make widgets visible or not:
https://github.com/jupyter-incubator/sparkmagic/blob/master/autovizwidget/autovizwidget/widget/encodingwidget.py#L126

[praveen-kanamarlapudi]

@aggFTW Can you help me understand how to use that API? Any examples are appreciated.

[aggFTW]

Line number changed: https://github.com/jupyter-incubator/sparkmagic/blob/master/autovizwidget/autovizwidget/widget/encodingwidget.py#L134

Basically, you can take any widget and change its .layout.display property to flex or none to show/hide. You would have to create a callback that is called whenever the value changes and knows to show/hide the appropriate widgets. Here, we add a callback, for example:

y_column_view = self.ipywidget_factory.get_dropdown(options=options_y_view,
                                                            description="Y", value=self.encoding.y)
y_column_view.on_trait_change(self._y_changed_callback, 'value')

[praveen-kanamarlapudi]

Ok thanks. Let me check and update the PR.

[aggFTW]

This change will break

sparkmagic/sparkmagic/sparkmagic/serverextension/handlers.py

Line 55 in ed232d7

code = '%{} -s {} -u {} -p {}'.format(KernelMagics._do_not_call_change_endpoint.__name__, endpoint, username, password)

Please update the handler too so that it receives an auth parameter and passes it back.

[aggFTW]

Please add a check for non-valid auth types and throw an error for them. As it is, non-valid ones would just silently fail.

[aggFTW]

We need to update the documentation in the comment above to add the -t parameter for the add subcommand.

[aggFTW]

Ditto

[aggFTW]

We need the same for the other kernels too:

• kernel_r_credentials
• kernel_python3_credentials

[aggFTW]

This is where you could see if auth_type is there to begin with or not. Please also test it with an actual file.

[aggFTW]

I don't think we need a default value here, do we? If we don't need it, then we could get rid of the default_livy_endpoint_auth_type setting altogether.

[aggFTW]

I think this is not needed.

[joychak]

Let me look into this tomorrow or this weekend. Thanks, Joy

…

Sent from my iPhone

On May 11, 2017, at 8:31 PM, Alejandro Guerrero Gonzalez ***@***.***> wrote: @aggFTW requested changes on this pull request. Let me know if you have any questions! Thank you so much for the PR :) In sparkmagic/setup.py: > @@ -88,6 +88,7 @@ def version(path): 'ipykernel>=4.2.2,<5', 'ipywidgets>5.0.0,<7.0', 'notebook>=4.2,<5.0', - 'tornado>=4' + 'tornado>=4', + 'requests_kerberos' Please add min, max versions. A good idea is to have the max version be the next major version. In sparkmagic/sparkmagic/controllerwidget/addendpointwidget.py: > @@ -32,21 +33,26 @@ def __init__(self, spark_controller, ipywidget_factory, ipython_display, endpoin value='password', width=widget_width ) + self.auth_type = self.ipywidget_factory.get_dropdown( + options={constants.AUTH_KERBEROS: constants.AUTH_KERBEROS, constants.AUTH_BASIC: constants.AUTH_BASIC, Can you please update the README with information on the new authentication types supported. We also need a section on how to use the Kerberos implementation here: basically an overview of how it works/what sparkmagic does vs what you need to do out of band regarding ticket management: e.g. you need to do kinit out of band. In sparkmagic/sparkmagic/controllerwidget/addendpointwidget.py: > @@ -32,21 +33,26 @@ def __init__(self, spark_controller, ipywidget_factory, ipython_display, endpoin value='password', width=widget_width ) + self.auth_type = self.ipywidget_factory.get_dropdown( + options={constants.AUTH_KERBEROS: constants.AUTH_KERBEROS, constants.AUTH_BASIC: constants.AUTH_BASIC, + constants.NO_AUTH: constants.NO_AUTH}, + description=u"Auth type:" + ) Do we need to show/hide the password widget based on the authentication type selected? In sparkmagic/sparkmagic/kernels/kernelmagics.py: > @@ -349,23 +349,25 @@ def _do_not_call_change_language(self, line, cell="", local_ns=None): @argument("-u", "--username", type=str, help="Username to use.") @argument("-p", "--password", type=str, help="Password to use.") @argument("-s", "--server", type=str, help="Url of server to use.") + @argument("-t", "--auth_type", type=str, help="Auth type for authentication") This change will break https://github.com/jupyter-incubator/sparkmagic/blob/ed232d76f90ae9032d920efca21c90d1abcfc4d6/sparkmagic/sparkmagic/serverextension/handlers.py#L55 Please update the handler too so that it receives an auth parameter and passes it back. In sparkmagic/sparkmagic/livyclientlib/reliablehttpclient.py: > @@ -17,6 +20,11 @@ def __init__(self, endpoint, headers, retry_policy): self._endpoint = endpoint self._headers = headers self._retry_policy = retry_policy + if self._endpoint.auth_type == constants.AUTH_KERBEROS: + self._auth = HTTPKerberosAuth(mutual_authentication=REQUIRED) + elif self._endpoint.auth_type == constants.AUTH_BASIC: + self._auth = (self._endpoint.username, self._endpoint.password) + Please add a check for non-valid auth types and throw an error for them. As it is, non-valid ones would just silently fail. In sparkmagic/sparkmagic/utils/configuration.py: > @@ -44,7 +45,7 @@ def session_configs(): @_with_override def kernel_python_credentials(): - return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998'} + return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998', u'auth_type': constants.NO_AUTH} For this to be back compatible with old config.json files, we need to move the logic of: constants.NO_AUTH if username == '' and password == '' else constants.BASIC_AUTH In sparkmagic/sparkmagic/tests/test_configuration.py: > @with_setup(_setup) def test_configuration_override_fallback_to_password(): - kpc = { 'username': 'U', 'password': 'P', 'url': 'L' } + kpc = { 'username': 'U', 'password': 'P', 'url': 'L', 'auth_type': None } We need some extra tests: when auth_type is not there at all in the config file, conf.base64_kernel_python_credentials (and all other languages) should return auth_type as constants.NO_AUTH if the username and password are the empty string when auth_type is not there at all in the config file, conf.base64_kernel_python_credentials (and all other languages) should return auth_type as constants.AUTH_BASIC if the username or password are not the empty string This will ensure backwards compatibility to existing config.json files. In sparkmagic/sparkmagic/tests/test_reliablehttpclient.py: > import requests +from pandas.util.testing import assertIsInstance Please use assert isinstance() instead: https://docs.python.org/2/library/functions.html#isinstance since you are not checking Pandas dataframes here. In sparkmagic/sparkmagic/tests/test_reliablehttpclient.py: > @@ -207,3 +210,18 @@ def test_will_retry_error_no(): retry_policy.should_retry.assert_called_once_with(None, True, 0) ***@***.***_setup(_setup, _teardown) +def test_basic_auth_check_auth(): We need tests for NO_AUTH and for non-valid auth methods. In sparkmagic/sparkmagic/controllerwidget/addendpointwidget.py: > @@ -32,21 +33,26 @@ def __init__(self, spark_controller, ipywidget_factory, ipython_display, endpoin value='password', width=widget_width ) + self.auth_type = self.ipywidget_factory.get_dropdown( + options={constants.AUTH_KERBEROS: constants.AUTH_KERBEROS, constants.AUTH_BASIC: constants.AUTH_BASIC, + constants.NO_AUTH: constants.NO_AUTH}, + description=u"Auth type:" + ) I'm looking at #284, and we had this comment: On change, we should hide/show the appropriate fields. So: On change to NO_AUTH: hide username and password. On change to AUTH_KERBEROS: hide username and password. On change to AUTH_SSL: show username and password. Ipywidgets has a way to make widgets visible or not: https://github.com/jupyter-incubator/sparkmagic/blob/master/autovizwidget/autovizwidget/widget/encodingwidget.py#L126 In sparkmagic/sparkmagic/kernels/kernelmagics.py: > @@ -349,23 +349,25 @@ def _do_not_call_change_language(self, line, cell="", local_ns=None): @argument("-u", "--username", type=str, help="Username to use.") @argument("-p", "--password", type=str, help="Password to use.") @argument("-s", "--server", type=str, help="Url of server to use.") + @argument("-t", "--auth_type", type=str, help="Auth type for authentication") Let's change the long name to --auth to be consistent with the other magic In sparkmagic/sparkmagic/magics/remotesparkmagics.py: > @@ -112,7 +114,7 @@ def spark(self, line, cell="", local_ns=None): # info We need to update the documentation in the comment above to add the -t parameter for the add subcommand. In sparkmagic/sparkmagic/utils/configuration.py: > @@ -63,7 +64,7 @@ def base64_kernel_python3_credentials(): @_with_override def kernel_scala_credentials(): - return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998'} + return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998', u'auth_type': constants.NO_AUTH} Ditto In sparkmagic/sparkmagic/utils/configuration.py: > @@ -63,7 +64,7 @@ def base64_kernel_python3_credentials(): @_with_override def kernel_scala_credentials(): - return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998'} + return {u'username': u'', u'base64_password': u'', u'url': u'http://localhost:8998', u'auth_type': constants.NO_AUTH} We need the same for the other kernels too: kernel_r_credentials kernel_python3_credentials In sparkmagic/sparkmagic/utils/configuration.py: > @@ -202,7 +203,7 @@ def _credentials_override(f): If 'base64_password' is not set, it will fallback to to 'password' in config. """ credentials = f() This is where you could see if auth_type is there to begin with or not. Please also test it with an actual file. In sparkmagic/sparkmagic/livyclientlib/endpoint.py: > class Endpoint(object): - def __init__(self, url, username="", password=""): + def __init__(self, url, auth_type=conf.default_livy_endpoint_auth_type(), username="", password=""): I don't think we need a default value here, do we? If we don't need it, then we could get rid of the default_livy_endpoint_auth_type setting altogether. In sparkmagic/sparkmagic/utils/configuration.py: > @@ -212,3 +213,8 @@ def _credentials_override(f): msg = "base64_password for %s contains invalid base64 string: %s %s" % (f.__name__, exception_type, exception) raise BadUserConfigurationException(msg) return base64_decoded_credentials + + +@_with_override +def default_livy_endpoint_auth_type(): I think this is not needed. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[aggFTW]

Thanks @joychak. I am mostly interested in being able to support your use case presented here: https://spark-summit.org/east-2017/events/secured-kerberos-based-spark-notebook-for-data-science/

I think we could simply add a new authentication method (e.g. PROXY_USER_AUTH or some similar name), and follow the entire Endpoint/HttpClient pattern here in the future.

[praveen-kanamarlapudi]

Thanks for the comments @aggFTW. Let me look into the comments and update the PR this weekend.

[pranayhasan]

We need to make the authentication type, endpoints configurable from config.json so that there shall be no need to re-enter each time. It can be solved as a part of this issue or I can open a new issue as an enhancement and contribute to it.

[pranayhasan]

Also, requirements.txt needs to be updated.

[pranayhasan]

Password widget has been added for the 7.0.0 version of ipywidgets and should be available soon. For now we can use 7.0.0a2 version of ipywidgets until 7.0.0 is published. But before this, we need to fix problems in display after ipywidget is updated to use 6.0.0 or later versions so as to make it usable.

[joychak]

I have a general question (after reviewing the pull request) about this approach of Kerberized mechanism for the following 2 scenarios-

Scenario one:

When SparkMagic is being used inside JupyterHub then the kerberos authentication happens at JupyterHub (userid/passwd are authenticated at JupyterHub before opening any notebook) and the token (not any user-id/passwd) is normally passed to the SparkMagic for further authentication.

Scenario two:

Kerberos authentication can also being done using a keytab file which is very common in corporate environment. When you get authenticated using keytab file (using "KINIT") then you just need to pass the kerberos principal name to the HTTPKerberosAuth object inside "reliablehttpclient.py" file at "_send_request_helper" method. The HTTPKerberosAuth object then picks up the kerberos ticket from the KRB cache file for the given principal.

The above 2 scenarios doesnt need any mechanism within SparkMagic (inside notebook) context to accept userId/passwd.

We need to make sure that we cover these scenarios which is missing currently because the changes in reliablehttpclient.py can only work with UserId/Passwd based Kerberos authentication but not for keytab or KRB-ticket based Kerberos authentication.

[aggFTW]

We also need to modify the example_config.json file

[aggFTW]

@pranayhasan, regarding

We need to make the authentication type, endpoints configurable from config.json so that there shall be no need to re-enter each time.

I believe this PR already addresses it. Look at the configuration.py file. Do you have something else in mind?

[aggFTW]

@joychak Thanks for reviewing!

Those scenarios make sense and are needed. Is there anything on this PR that would prevent those scenarios from being implemented in a later PR? I'm thinking we could have a 4th and 5th authentication type (e.g. KERBEROS_TOKEN and KERBEROS_PRINCIPAL or something clearer if you have suggestions).

It seems you have implemented at least one of this. Would you be able to submit a PR after this one to add this support or is this design restrictive?

[joychak]

Adding KERBEROS_TOKEN and KERBEROS_PRINCIPAL makes sense. I would be able to submit the KERBEROS_PRINCIPAL one immediately after the PR and currently working on the KERBEROS_TOKEN. In case of KERBEROS_TOKEN, the notebook UI should have the provision to provide the keytab file path.

[aggFTW]

Thank @joychak! That would be wonderful. For the path, could we use a config based approach?

[joychak]

+1 => config based approach

[pranayhasan]

I believe this PR already addresses it. Look at the configuration.py file. Do you have something else in mind?

@aggFTW In a corporate environment where all the users need to use Kerberos by default, we don't want to show users the authentication type. It should be defaulted to Kerberos with no display of auth_type in widget. So, we should be able to handle that using auth/auth_type by specifying in ~/.sparkmagic/config.json

[aggFTW]

we don't want to show users the authentication type. It should be defaulted to Kerberos with no display of auth_type in widget. So, we should be able to handle that using auth/auth_type by specifying in ~/.sparkmagic/config.json

You want to add a config to not display the authentication type with the regular python kernel widget magics and instead use the default default_livy_endpoint_auth_type specified in the config (I previously asserted this was not needed, but this change would make it needed).

I think this could be a separate PR altogether. @pranayhasan would you mind sending that out if @praveenkanamarlapudi does not tackle it?

[pranayhasan]

@aggFTW Yes, sure.

[aggFTW]

@praveenkanamarlapudi, any updates?

[praveen-kanamarlapudi]

@aggFTW Sorry I was overloaded with other stuff. Let me update the PR by this weekend. Thanks

[aggFTW]

You are still using assertIsInstance. Previous comment:

Please use assert isinstance() instead: https://docs.python.org/2/library/functions.html#isinstance since you are not checking Pandas dataframes here.

[aggFTW]

Remove subprocess import

[aggFTW]

What happens if auth_type isn't there? Wouldn't this throw?

[aggFTW]

There's no tests here to test for when auth is not in the payload at all. There should be two tests for that case:

1. auth is not on payload but due to empty username and password, auth should default to None.
2. auth is not on payload but due to non-empty username and password, auth should default to Basic Auth.

[aggFTW]

@praveenkanamarlapudi Please look at all comments.
Also please be aware of this PR: #362
which will have collisions with yours.

[praveen-kanamarlapudi]

@aggFTW Update code. Sorry we had differences with our branch, so missed to push few changes earlier. I will update the README soon.

[praveen-kanamarlapudi]

Calling initially to display right display elements initially as per the auth type.

[aggFTW]

credentials is a dictionary, so the check would be if 'auth' in credentials

[aggFTW]

This check would not be here. When you call conf.base64_kernel_X_credentials(), the contract is that auth is always returned. So this code that sets auth if it's not specified by the user needs to be in configuration.py

[aggFTW]

Please add unit tests for this code in test_configuration.py. This back compat is extremely important to get right.

[aggFTW]

This is still ValueError when I asked to change it to Bad Config exception at https://github.com/jupyter-incubator/sparkmagic/blob/master/sparkmagic/sparkmagic/livyclientlib/exceptions.py#L41

[aggFTW]

Did you try this signature on trait change? Did it work? I would have expected it to throw and for the fields not to be updated if the signature of the method were wrong.

[praveen-kanamarlapudi]

I tested it and works fine.

[aggFTW]

Please review my comments again. Let's be thorough on reviewing comments and addressing them.
I will review when you have addressed all comments and updated the README too.

[aggFTW]

Can we please change this paragraph to:

## Authentication Methods

Sparkmagic supports:

* No auth
* Basic authentication
* Kerberos

Kerberos support is implemented via the [requests-kerberos](https://github.com/requests/requests-kerberos) package. Sparkmagic expects a kerberos ticket to be available in the system. Requests-kerberos will pick up the kerberos ticket from a cache file. For the ticket to be available, the user needs to have run [kinit](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html) to create the kerberos ticket.

Currently, sparkmagic does not support passing a kerberos principal/token, but we welcome pull requests.

[praveen-kanamarlapudi]

Sure.

[aggFTW]

Great to see these tests! 😄 Thanks for adding them!
Why are you overriding status_sleep_seconds here?

[aggFTW]

Same, why override status_sleep_seconds at all?

[praveen-kanamarlapudi]

Let me correct it.

[praveen-kanamarlapudi]

I thought it will be like extra check. I can remove it if not needed.

[aggFTW]

Yes, I think the extra check is not needed. Thank you!

[aggFTW]

Please add two tests where you don't send the auth parameter at all and still get no auth and basic auth as values for auth.

[praveen-kanamarlapudi]

Ok

[praveen-kanamarlapudi]

Done! 👍

[aggFTW]

Awesome! 👍

[aggFTW]

Ready for merge! 👍 Thanks so much @praveenkanamarlapudi. I hope a lot of people are going to find this very useful!

@joychak, we would love to see those code reviews for other authentication methods 😃

[ghoshtir]

I am trying to get Kerberos authentication working between livy 0.3 (in a Linux edge node of a cluster) and spakmagic 0.12.5 as part of jupyter notebook running on my windows box. On the windows side I am happy to kinit (I don't see the username/password on the UI when I select auth-type as Kerberos). Can you please confirm if the versions mentioned will allow Kerberos authentication between jupyter and livy?