Github user steveloughran commented on a diff in the pull request:
https://github.com/apache/spark/pull/22598#discussion_r226234330
--- Diff:
core/src/main/scala/org/apache/spark/deploy/security/KafkaDelegationTokenProvider.scala
---
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.deploy.security
+
+import scala.reflect.runtime.universe
+import scala.util.control.NonFatal
+
+import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.security.Credentials
+import org.apache.hadoop.security.token.{Token, TokenIdentifier}
+
+import org.apache.spark.SparkConf
+import org.apache.spark.internal.Logging
+import org.apache.spark.internal.config.{KAFKA_BOOTSTRAP_SERVERS,
KAFKA_SECURITY_PROTOCOL}
+import org.apache.spark.util.Utils
+
+private[security] class KafkaDelegationTokenProvider
+ extends HadoopDelegationTokenProvider with Logging {
+
+ override def serviceName: String = "kafka"
+
+ override def obtainDelegationTokens(
+ hadoopConf: Configuration,
+ sparkConf: SparkConf,
+ creds: Credentials): Option[Long] = {
+ try {
+ val mirror =
universe.runtimeMirror(Utils.getContextOrSparkClassLoader)
+ val obtainToken = mirror.classLoader.
+ loadClass("org.apache.spark.sql.kafka010.TokenUtil").
+ getMethod("obtainToken", classOf[SparkConf])
+
+ logDebug("Attempting to fetch Kafka security token.")
+ val token = obtainToken.invoke(null, sparkConf)
+ .asInstanceOf[Token[_ <: TokenIdentifier]]
+ creds.addToken(token.getService, token)
+ } catch {
+ case NonFatal(e) =>
+ logInfo(s"Failed to get token from service $serviceName", e)
+ }
+
+ None
+ }
+
+ override def delegationTokensRequired(
--- End diff --
OK: so this asks for DTs even if UGI says the cluster is insecure?
Nothing wrong with that...I've been wondering what would happen if
`HadoopFSDelegationTokenProvider` did the same thing: asked filesystems for
their tokens even if in an insecure cluster, as it would let DT support in
object stores (HADOOP-14556...) work without kerberos.
I'd test to make sure that everything gets through OK. AFAIK YARN is happy
to pass round credentials in an insecure cluster (it get the AM/RM token to the
AM this way); its more a matter of making sure the launcher chain is all ready
fo it.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
