yuqi1129 commented on code in PR #5040:
URL: https://github.com/apache/gravitino/pull/5040#discussion_r1804184745
##########
docs/spark-connector/spark-authentication-with-gravitino.md:
##########
@@ -0,0 +1,39 @@
+---
+title: "Spark authentication with Gravitino server"
+slug: /spark-connector/spark-authentication
+keyword: spark connector authentication oauth2 kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Overview
+
+Spark connector supports `simple` `oauth2` and `kerberos` authentication when
accessing Gravitino server.
+
+| Property | Type | Default Value | Description
| Required | Since Version |
+|------------------------------|--------|---------------|---------------------------------------------------------------------------------------------------------------------|----------|------------------|
+| spark.sql.gravitino.authType | string | `simple` | The authentication
mechanisms when communicating with Gravitino server, supports `simple`,
`oauth2` and `kerberos`. | No | 0.7.0-incubating |
+
+## Simple mode
+
+In the simple mode, the username originates from Spark, and is obtained using
the following sequences:
+1. The environment variable of `SPARK_USER`
+2. The environment variable of `HADOOP_USER_NAME`
+3. The user login in the machine
+
+## OAuth2 mode
+
+In the OAuth2 mode, you could use the following configuration to fetch an
OAuth2 token to access Gravitino server.
+
+| Property | Type | Default Value | Description
| Required | Since Version |
+|---------------------------------------|--------|---------------|-----------------------------------------------|----------------------|------------------|
+| spark.sql.gravitino.oauth2.serverUri | string | None | The OAuth2
server uri address. | Yes, for OAuth2 mode | 0.7.0-incubating |
+| spark.sql.gravitino.oauth2.tokenPath | string | None | The path of
token interface in OAuth2 server. | Yes, for OAuth2 mode | 0.7.0-incubating |
+| spark.sql.gravitino.oauth2.credential | string | None | The
credential to request the OAuth2 token. | Yes, for OAuth2 mode |
0.7.0-incubating |
+| spark.sql.gravitino.oauth2.scope | string | None | The scope
to request the OAuth2 token. | Yes, for OAuth2 mode | 0.7.0-incubating |
+
+## Kerberos mode
+
+In kerberos mode, you could use the Spark kerberos configuration to fetch a
kerberos ticket to access Gravitino server, use `spark.kerberos.principal`,
`spark.kerberos.keytab` to specify kerberos principal and keytab.
Review Comment:
Configuration keys `spark.kerberos.principal` and `spark.kerberos.keytab` is
used between `Spark` and undering storage engine like Iceberg or Hive, so is it
really reasonable to take the vaule and utilized it for Spark-Gravitino
authentication?
@jerryshao Do you have any thoughts on this point?
##########
spark-connector/spark-common/src/main/java/org/apache/gravitino/spark/connector/plugin/GravitinoDriverPlugin.java:
##########
@@ -155,4 +165,57 @@ private void registerSqlExtensions(SparkConf conf) {
conf.set(StaticSQLConf.SPARK_SESSION_EXTENSIONS().key(),
extensionString);
}
}
+
+ private static GravitinoClient createGravitinoClient(
+ String uri, String metalake, SparkConf sparkConf, String sparkUser) {
+ ClientBuilder builder =
GravitinoClient.builder(uri).withMetalake(metalake);
+ String authType =
+ sparkConf.get(GravitinoSparkConfig.GRAVITINO_AUTH_TYPE,
AuthProperties.SIMPLE_AUTH_TYPE);
+ if (AuthProperties.isSimple(authType)) {
+ Preconditions.checkArgument(
+ !UserGroupInformation.isSecurityEnabled(),
+ "Spark simple auth mode doesn't support setting kerberos
configurations");
+ builder.withSimpleAuth(sparkUser);
+ } else if (AuthProperties.isOAuth2(authType)) {
+ String oAuthUri = getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_OAUTH2_URI);
+ String credential =
+ getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_OAUTH2_CREDENTIAL);
+ String path = getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_OAUTH2_PATH);
+ String scope = getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_OAUTH2_SCOPE);
+ DefaultOAuth2TokenProvider oAuth2TokenProvider =
+ DefaultOAuth2TokenProvider.builder()
+ .withUri(oAuthUri)
+ .withCredential(credential)
+ .withPath(path)
+ .withScope(scope)
+ .build();
+ builder.withOAuth(oAuth2TokenProvider);
+ } else if (AuthProperties.isKerberos(authType)) {
+ String principal =
+ getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_KERBEROS_PRINCIPAL);
+ String keyTabFile =
+ getRequiredConfig(sparkConf,
GravitinoSparkConfig.GRAVITINO_KERBEROS_KEYTAB_FILE_PATH);
+ KerberosTokenProvider kerberosTokenProvider =
+ KerberosTokenProvider.builder()
+ .withClientPrincipal(principal)
+ .withKeyTabFile(new File(keyTabFile))
+ .build();
+ builder.withKerberosAuth(kerberosTokenProvider);
+ } else {
+ throw new UnsupportedOperationException("Unsupported auth type: " +
authType);
+ }
+ return builder.build();
+ }
+
+ private static String getRequiredConfig(SparkConf sparkConf, String
configKey) {
+ String configValue = sparkConf.get(configKey, null);
+ Preconditions.checkArgument(
+ StringUtils.isNotBlank(configValue), configKey + " should not empty");
Review Comment:
should not empty -> should be not empty.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
