vanzin commented on a change in pull request #25760: [SPARK-29054][SS]
Invalidate Kafka consumer when new delegation token available
URL: https://github.com/apache/spark/pull/25760#discussion_r324872604
##########
File path:
external/kafka-0-10-sql/src/main/scala/org/apache/spark/sql/kafka010/KafkaDataConsumer.scala
##########
@@ -516,13 +521,41 @@ private[kafka010] class KafkaDataConsumer(
fetchedData.withNewPoll(records.listIterator, offsetAfterPoll)
}
- private def getOrRetrieveConsumer(): InternalKafkaConsumer = _consumer match
{
- case None =>
- _consumer = Option(consumerPool.borrowObject(cacheKey, kafkaParams))
- require(_consumer.isDefined, "borrowing consumer from pool must always
succeed.")
- _consumer.get
+ private[kafka010] def getOrRetrieveConsumer(): InternalKafkaConsumer = {
+ if (!_consumer.isDefined) {
+ retrieveConsumer()
+ }
+ ensureConsumerHasLatestToken()
+ _consumer.get
+ }
- case Some(consumer) => consumer
+ private def retrieveConsumer(): Unit = {
+ _consumer = Option(consumerPool.borrowObject(cacheKey, kafkaParams))
+ require(_consumer.isDefined, "borrowing consumer from pool must always
succeed.")
+ }
+
+ private def ensureConsumerHasLatestToken(): Unit = {
+ require(_consumer.isDefined, "Consumer must be defined")
+ val params = _consumer.get.kafkaParamsWithSecurity
+ if (params.containsKey(SaslConfigs.SASL_JAAS_CONFIG)) {
+ logDebug("Delegation token used by cached consumer, checking if uses the
latest token.")
+
+ val jaasParams =
params.get(SaslConfigs.SASL_JAAS_CONFIG).asInstanceOf[String]
+ val clusterConfig = KafkaTokenUtil.findMatchingToken(SparkEnv.get.conf,
Review comment:
Hmm... feels like it would be simpler to compare the value of
`SaslConfigs.SASL_JAAS_CONFIG` in the last updated config vs.
`KafkaTokenUtil.getTokenJaasParams` for the current token.
In that case, you could even potentially cache the (old, config-only) return
value of `KafkaTokenUtil.findMatchingToken` since it's not supposed to change
for the same consumer (right?).
Also, `KafkaTokenUtil.findMatchingToken` is kinda wrongly named, since it
currently returns a config, not a token. Not sure I like the updated signature
of that method, either.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
