Github user vanzin commented on a diff in the pull request:
https://github.com/apache/spark/pull/19272#discussion_r149236410
--- Diff:
resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCredentialRenewer.scala
---
@@ -0,0 +1,166 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.scheduler.cluster.mesos
+
+import java.security.PrivilegedExceptionAction
+import java.util.concurrent.{ScheduledExecutorService, TimeUnit}
+
+import org.apache.hadoop.security.UserGroupInformation
+
+import org.apache.spark.SparkConf
+import org.apache.spark.deploy.SparkHadoopUtil
+import org.apache.spark.deploy.security.HadoopDelegationTokenManager
+import org.apache.spark.internal.{config, Logging}
+import org.apache.spark.rpc.RpcEndpointRef
+import
org.apache.spark.scheduler.cluster.CoarseGrainedClusterMessages.UpdateDelegationTokens
+import org.apache.spark.util.ThreadUtils
+
+
+/**
+ * The MesosCredentialRenewer will update the Hadoop credentials for Spark
drivers accessing
+ * secured services using Kerberos authentication. It is modeled after the
YARN AMCredential
+ * renewer, and similarly will renew the Credentials when 75% of the
renewal interval has passed.
+ * The principal difference is that instead of writing the new credentials
to HDFS and
+ * incrementing the timestamp of the file, the new credentials (called
Tokens when they are
+ * serialized) are broadcast to all running executors. On the executor
side, when new Tokens are
+ * recieved they overwrite the current credentials.
+ */
+class MesosCredentialRenewer(
+ conf: SparkConf,
+ tokenManager: HadoopDelegationTokenManager) extends Logging {
+
+ private val credentialRenewerThread: ScheduledExecutorService =
+ ThreadUtils.newDaemonSingleThreadScheduledExecutor("Credential Renewal
Thread")
+
+ private val principal = conf.get(config.PRINCIPAL).orNull
+
+ private val (secretFile, mode) = getSecretFile(conf)
+
+ var (tokens: Array[Byte], timeOfNextRenewal: Long) = {
+ try {
+ val creds = UserGroupInformation.getCurrentUser.getCredentials
+ val hadoopConf = SparkHadoopUtil.get.newConfiguration(conf)
+ val rt = tokenManager.obtainDelegationTokens(hadoopConf, creds)
+ (SparkHadoopUtil.get.serialize(creds), rt)
+ } catch {
+ case e: Exception =>
+ throw new IllegalStateException("Failed to initialize Hadoop
delegation tokens\n" +
+ s"\tPricipal: $principal\n\tmode: $mode\n\tsecret file
$secretFile\n\tException: $e")
+ }
+
+ }
+
+ private def getSecretFile(conf: SparkConf): (String, String) = {
+ val keytab = conf.get(config.KEYTAB).orNull
+ val tgt = conf.getenv("KRB5CCNAME")
+ require(keytab != null || tgt != null, "A keytab or TGT required.")
+ // if both Keytab and TGT are detected we use the Keytab.
+ val (secretFile, mode) = if (keytab != null && tgt != null) {
+ logWarning(s"Keytab and TGT were detected, using keytab, " +
+ s"unset ${config.KEYTAB.key} to use TGT")
+ (keytab, "keytab")
+ } else {
+ val m = if (keytab != null) "keytab" else "tgt"
+ val sf = if (keytab != null) keytab else tgt
+ (sf, m)
+ }
+
+ if (principal == null) {
+ logInfo(s"Using mode: $mode to retrieve Hadoop delegation tokens")
+ } else {
+ logInfo(s"Using principal: $principal with mode: $mode to retrieve
Hadoop delegation tokens")
+ }
+
+ logDebug(s"secretFile is $secretFile")
+ (secretFile, mode)
+ }
+
+ def scheduleTokenRenewal(driverEndpoint: RpcEndpointRef): Unit = {
--- End diff --
Why isn't this done in the constructor? There's a single call to this
method, and the renewal interval could very easily be turned into a constructor
arg.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
