In [48]:
from pyspark.sql import SparkSession

spark = SparkSession.builder \
      .master("local[1]") \
      .appName("NORD_Task") \
      .config("spark.redis.host", "cache") \
      .config("spark.redis.port", "6379") \
      .getOrCreate()

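# Redis authentication is not configured here; to enable it, add
# .config("spark.redis.auth", "password") to the builder chain above.
sc = spark.sparkContext

# Access S3 through the S3A connector with anonymous (unsigned) requests
hadoop_conf = sc._jsc.hadoopConfiguration()
hadoop_conf.set("fs.s3.impl", "org.apache.hadoop.fs.s3a.S3AFileSystem")
hadoop_conf.set("fs.s3a.aws.credentials.provider", "org.apache.hadoop.fs.s3a.AnonymousAWSCredentialsProvider")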

S3_BUCKET = 's3-nord-challenge-data'
S3_REGION = 'eu-central-1'
hadoop_conf.set("fs.s3a.endpoint", f"s3.{S3_REGION}.amazonaws.com")





### Note 
In general I can see 2 approaches to loading file data:
   - Approach 1.
     - `spark.read.format('binaryFile').option("pathGlobFilter","<path-glob>").load(<s3-bucket>)`. This solution reads all files with metadata into a single DataFrame (path, mod time, length, content)
     - parse the content of each file in an appropriate transformation of the resulting DataFrame
   - The advantage is that you receive a parallelized DataFrame, and the content of each file is read lazily while that file is processed. So in theory, on a big enough Spark cluster, Spark should take care of distribution and performance for you. The problem seems to appear when you have to read millions of files with unknown file size: you may end up with huge memory and performance issues. This problem is shown e.g. in [this blog article](https://wrightturn.wordpress.com/2015/07/22/getting-spark-data-from-aws-s3-using-boto-and-pyspark/). Although it's pretty old, I did not find any more recent solution to the issue. It also describes the second approach.
   - Approach 2.
       - list all objects you're interested in from the S3 bucket into some collection (but without parallelizing it)
       - create a parallelized DataFrame based on that collection
       - read and process file content as part of transformations
   - The bottleneck might be that you have to iterate over millions of files, so the size of the collection to be processed (on one node) might be huge.
   
As I am not able to test on a large set of data and a big enough Spark cluster which approach is more efficient, I am going to use the approach described in the [mentioned article](https://wrightturn.wordpress.com/2015/07/22/getting-spark-data-from-aws-s3-using-boto-and-pyspark). However, instead of using boto3 for listing all objects I will use [`hadoop.fs.path.getFilesystem.globStatus`](https://stackoverflow.com/a/67050173/2018369) because boto3 [seems not to be the most effective way](https://stackoverflow.com/q/69920805/2018369) to get the file list.

I was also considering one more approach, which, however, I could not find any good way to implement. My idea was to create a DataFrame similar to the one created by `spark.read.format('binaryFile').option("pathGlobFilter","<path-glob>").load(<s3-bucket>)`, but containing only the prefix of each file (the first 1024 or 2048 bytes). This way we would have a DataFrame (path, mod time, length, PE headers); we could process the header of the file to get all required PE metadata apart from imports/exports, and in the next step we could load the appropriate sections of the file to get imports/exports.
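
An added example (not part of the original notebook) of the header-prefix idea above: a parser that takes only the first bytes of a file and returns the architecture, section count and the import/export data directory entries, or tells the caller how many bytes to fetch when `e_lfanew` places the headers beyond the prefix. The names `parse_pe_prefix` and `sample_header` and the 64 KiB `limit` are assumptions of this example, and the sample header is constructed.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "arm", 0xAA64: "arm64"}
DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # PE32 / PE32+: offset of the data directories

def parse_pe_prefix(prefix: bytes, limit: int = 64 * 1024) -> dict:
    """Parse PE headers from a file prefix (hypothetical helper).

    Returns {"need": n} when the headers run past the prefix; raises ValueError
    for non-PE input or header offsets above `limit` (e_lfanew is untrusted).
    """
    def covered(end: int) -> bool:
        if end > limit:
            raise ValueError("header offset beyond limit")
        return end <= len(prefix)

    if len(prefix) < 0x40 or prefix[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", prefix, 0x3C)
    coff = e_lfanew + 4
    if not covered(coff + 20):
        return {"need": coff + 20}
    if prefix[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", prefix, coff)
    opt = coff + 20
    if not covered(opt + opt_size):
        return {"need": opt + opt_size}
    magic = struct.unpack_from("<H", prefix, opt)[0] if opt_size >= 2 else 0
    base = DIR_OFFSET.get(magic)
    if base is None:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", prefix, opt + base - 4)[0] if opt_size >= base else 0

    def directory(i: int) -> tuple:  # (RVA, size), or (0, 0) when not present
        if i < count and base + 8 * (i + 1) <= opt_size:
            return struct.unpack_from("<II", prefix, opt + base + 8 * i)
        return (0, 0)

    return {"architecture": MACHINES.get(machine, hex(machine)), "sections": sections,
            "export_dir": directory(0), "import_dir": directory(1)}

def sample_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed PE32+ header (x64, 3 sections, import directory only)."""
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    dirs = struct.pack("<IIII", 0, 0, 0x3000, 0x64) + bytes(8 * 14)
    return dos + b"PE\0\0" + coff + opt + dirs
```

The directory entries are RVAs, so counting imports or exports still needs the section table (which follows the optional header) to translate them into file offsets for the second ranged read.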


In [49]:
clean_path = '/0/*.???'
malware_path = '/1/*.???'

# number of files to process - will be read as input
# N = 100
N = 10




cleanPath = sc._jvm.org.apache.hadoop.fs.Path(f's3a://{S3_BUCKET}{clean_path}')
cFs = cleanPath.getFileSystem(hadoop_conf)
clean_files = cFs.globStatus(cleanPath)

malwarePath = sc._jvm.org.apache.hadoop.fs.Path(f's3a://{S3_BUCKET}{malware_path}')
mFs = malwarePath.getFileSystem(hadoop_conf)
malware_files = mFs.globStatus(malwarePath)

In [50]:
import random
print(len(malware_files))
files_to_process = random.sample(clean_files, int(N/2))+ random.sample(malware_files, int(N/2))
print(len(files_to_process))

malware_files

14652
10


JavaObject id=o645

In [None]:
# put files into dataFrame

from pyspark.sql.types import StructType,StructField, StringType, IntegerType
schema = StructType([       
    StructField('path', StringType(), True),
    StructField('size', IntegerType(), True),
    StructField('type', StringType(), True)
])
data = [(f.getPath().toUri().getRawPath(), f.getLen(), f.getPath().getName().split('.')[-1]) for f in files_to_process]

# make sure we don't have duplicates
filesDF= spark.createDataFrame(data=data, schema = schema).distinct()
filesDF.orderBy("size").show()

In [None]:
filesDF.orderBy('size').show(50,False)

# Database Notes
I was considering SQL and NoSQL (key/value store) databases to store file info. In the end a **hybrid approach was used**.

### SQL Database - MySQL
The architecture is not complicated. All **distinct** file records are processed and stored in one table with the following schema:
 `path Varchar primary key, size Int, type Varchar, architecture Varchar default NULL, imports Int default NULL, exports Int default NULL, INDEX(size, type));`
At the start, the whole table is loaded into a DataFrame. It is subtracted from the task files DF to ensure already processed files are skipped. After processing, the transformed DF is appended to the existing table in MySQL.

Although the number of files processed can reach (hundreds of) millions, [MySQL should handle it properly](https://dba.stackexchange.com/questions/20335/can-mysql-reasonably-perform-queries-on-billions-of-rows) with proper indexes. If there are billions of rows in the DB we might start [encountering problems](https://stackoverflow.com/questions/38346613/mysql-and-a-table-with-100-millions-of-rows).
In case of performance issues, using a different database type might be considered, as changing the DB should be relatively easy. What should be changed in that case is `dataframe.write.` `format` and `options`.

### NoSQL solutions

I was also considering NoSQL databases, which very often perform better in a distributed environment and in most cases scale horizontally much more easily than a classical SQL DB. For this task I consider a key/value store a good solution.

#### Aerospike
Aerospike was considered as it promises a highly efficient, distributed (based on a shared-nothing architecture) database for storing key/value pairs. In the commercial version it supports PySpark distributed operations, direct import to RDDs etc. So if required it might give very good performance.

#### Redis
Open source, in-memory data store used as a database, cache, streaming engine, and message broker.


### "hybrid" approach - caching
The issue with an in-memory key/value store is that it does not provide (by default) persistence of data.
This can be achieved in both Redis and Aerospike of course, but not by default.

My idea is to provide a hybrid solution in which processed file data is stored in a classical SQL database but is also imported into a key/value store. In that case there is no need to load all existing entries into a DataFrame prior to processing new entries just to make sure some files weren't already processed. Instead, `filesDF` entries that exist in the key/value store should be filtered out during transformation. As a last step, `filesDF` should be saved (appended) not only to the SQL database but also to the key/value store.
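
One way to do the filtering described above inside the transformation, as an added example that is not code from the notebook: each partition opens one connection and sends pipelined `EXISTS` checks, so the cached table never has to be loaded into a DataFrame. It assumes the spark-redis default layout of one hash per row under the key `<table>:<key.column value>` and a redis-py style client; `drop_cached`, `_unseen` and `FakeRedis` are hypothetical names, and `FakeRedis` is a constructed stand-in so the block runs offline.

```python
from typing import Callable, Iterable, Iterator, List, Tuple

FileRow = Tuple[str, int, str]  # (path, size, type), the columns of filesDF

def _unseen(client, table: str, rows: List[FileRow]) -> List[FileRow]:
    """Return the rows whose '<table>:<path>' key is absent from the store."""
    if not rows:
        return []
    pipe = client.pipeline(transaction=False)  # one round trip per batch
    for row in rows:
        pipe.exists(f"{table}:{row[0]}")
    return [row for row, hit in zip(rows, pipe.execute()) if not hit]

def drop_cached(rows: Iterable[FileRow], client_factory: Callable[[], object],
                table: str = "s3", batch: int = 500) -> Iterator[FileRow]:
    """Partition-level filter, meant for use with mapPartitions:

    filesDF.rdd.mapPartitions(partial(drop_cached,
        client_factory=lambda: redis.Redis(host="cache", port=6379)))
    """
    client = client_factory()  # created on the executor, once per partition
    pending: List[FileRow] = []
    for row in rows:
        pending.append(row)
        if len(pending) == batch:
            yield from _unseen(client, table, pending)
            pending = []
    yield from _unseen(client, table, pending)

class FakeRedis:
    """Constructed stand-in for redis.Redis (pipeline/exists/execute only)."""
    def __init__(self, keys):
        self.keys, self.queue = set(keys), []
    def pipeline(self, transaction=True):
        self.queue = []
        return self
    def exists(self, key):
        self.queue.append(key)
        return self
    def execute(self):
        return [int(k in self.keys) for k in self.queue]
```

This filter matches on `path` alone, whereas `DataFrame.subtract` only drops rows whose `path`, `size` and `type` all match a cached row.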




In [None]:
# get files already processed from redis cache

redis_files_info = spark.read.format("org.apache.spark.sql.redis").schema(schema)\
    .option("table", "s3").option("key.column", "path").load()


redis_files_info.show()





In [None]:
# Remove files that exist in DB from the list of files to process
filesDF = filesDF.subtract(redis_files_info)
filesDF.show()

In [None]:
# process files 
from functools import partial
from spark_utils import parse_file

schema_with_meta = StructType(filesDF.schema.fields+[
    StructField('architecture', StringType(), True),
    StructField('imports', IntegerType(), True),
    StructField('exports',IntegerType(), True)
])

parsed=filesDF.rdd.map(partial(parse_file, bucket=S3_BUCKET, region=S3_REGION))

parsedDF = parsed.toDF(schema_with_meta)
parsedDF.show()


In [57]:
# Store result to DB
parsedDF.write.format('jdbc').options(
    url=jdbc_url, driver=driver,dbtable=table, user=username, password=password
).mode('append').save()



In [58]:
# Store results also to Redis cache
parsedDF.select(["path","size", "type"]).write.format("org.apache.spark.sql.redis").option("table","s3").option("key.column", "path").mode('append').save()

