Basic Secure HDFS Support [514]

[ifilonenko]

What changes were proposed in this pull request?

This is the on-going work of setting up Secure HDFS interaction with Spark-on-K8S #514
The architecture is discussed in this community-wide google doc
This initiative can be broken down into 3 stages.

STAGE 1

• Detecting HADOOP_CONF_DIR environmental variable and using Config Maps to store all Hadoop config files locally, while also setting HADOOP_CONF_DIR locally in the driver / executors

STAGE 2

• Grabbing TGT from LTC or using keytabs+principle and creating a DT that will be mounted as a secret

STAGE 3

• Driver + Executor Logic

[liyinan926]

I have gone through about half of the PR. Haven't touched much of the Kerberos logic though. Will need more time on that.

[liyinan926]

Delete "you".

[liyinan926]

Wrong indention.

[liyinan926]

Is writeTokenStorageToStream calling close on dataStream?

[ifilonenko]

handled this below

[mccheah]

Use Utils.tryWithResource. That will close even if an exception is thrown.

[liyinan926]

HadoopConfBootstrapImpl also sets SPARK_USER, but to hadoopUGI.getShortName. So one will override the value set by the other, right?

[ifilonenko]

SPARK_USER could be different from Job User so yes we are overwriting it.

[mccheah]

Can we resolve it in one place and set it consistently everywhere? Right now the ordering and overwriting is ambiguous.

[ifilonenko]

Its not ambiguous as there are scenarios where the UGI could be either the Job User or taken from the TGT

[liyinan926]

We changed to use the new initContainer field in Kubernetes 1.8 and removed this annotation in #528.

[liyinan926]

Should the value be kberberos or simple?

[ifilonenko]

simple

[mccheah]

Why is this the case? The intuition is to set this to kerberos.

[kimoonkim]

Right. The same question was asked for the executor side as well. Copying my answer below. I'd love to hear your opinions about this:

Excellent question.

If this is set to "kerberos", then UserGroupInformation code crashes complaining it cannot read kerberos config files like /etc/krb5.conf. So we want to prevent that by suppressing the code path.

As an alternative, we could create a config map containing /etc/krb5.conf and mount it in the driver and executor pods. But that seems to be an overkill.

Now, there is another question. How can setting it to "simple" allows the driver and executor to access secure HDFS? It works because the driver and executor need only the delegation token to access secure HDFS. i.e. They don't need to sign on to Kerberos on their own.

This is counter-intuitive and hard to explain. I am open to suggestions to make this part easier to read. Maybe we can call the associated variable like maybeTokenOnlyAuthentication.

[mccheah]

Fine as long as we document this.

[liyinan926]

Does the encoding of the strings from the files matter?

[ifilonenko]

No it doesn't. I thought this method was the most simple

[liyinan926]

Looks like this version of readFileToString has been deprecated. https://commons.apache.org/proper/commons-io/javadocs/api-2.5/org/apache/commons/io/FileUtils.html#readFileToString(java.io.File). I would suggest using https://commons.apache.org/proper/commons-io/javadocs/api-2.5/org/apache/commons/io/FileUtils.html#readFileToString(java.io.File,%20java.lang.String) with UTF-8.

[liyinan926]

Or you can use Guava's Files.toString https://google.github.io/guava/releases/19.0/api/docs/com/google/common/io/Files.html#toString(java.io.File, java.nio.charset.Charset) with https://google.github.io/guava/releases/19.0/api/docs/com/google/common/base/Charsets.html#UTF_8.

[mccheah]

Always hard encode to UTF-8. It's unclear between JVMs if the default encoding will be consistent. +1 for using Guava's Files.toString. I think we read files into string contents elsewhere in the codebase - be consistent with those.

[liyinan926]

Add an space after Logging.

[liyinan926]

Hadoop not configured with Kerberos or Hadoop configured with Kerberos?

[liyinan926]

I need more time to understand this.

[liyinan926]

Seems simple is the default. I don't quite understand why you need to set it to simple when Kerberos is enabled. Can you elaborate on this?

[kimoonkim]

Excellent question.

If this is set to "kerberos", then UserGroupInformation code crashes complaining it cannot read kerberos config files like /etc/krb5.conf. So we want to prevent that by suppressing the code path.

As an alternative, we could create a config map containing /etc/krb5.conf and mount it in the driver and executor pods. But that seems to be an overkill.

Now, there is another question. How can setting it to "simple" allows the driver and executor to access secure HDFS? It works because the driver and executor need only the delegation token to access secure HDFS. i.e. They don't need to sign on to Kerberos on their own.

This is counter-intuitive and hard to explain. I am open to suggestions to make this part easier to read. Maybe we can call the associated variable like maybeTokenOnlyAuthentication.

[liyinan926]

Or at least some comments on why this is set to simple would be very helpful.

[liyinan926]

Wondering why you use UserGroupInformation.getCurrentUser.getShortUserName here but jobUserUGI.getShortUserName in HadoopKerberosKeytabResolverStep .

[mccheah]

+1 - make this consistent.

[ifilonenko]

jobUserUGI is different from the UGI obtained in the LTC via UserGroupInformation.getCurrentUser

[liyinan926]

Got it.

[liyinan926]

HDFS -> Hadoop.

[liyinan926]

Should we filter out .xml files only?

[ifilonenko]

I mean the goal is to mount all files in the hadoop conf directory. .xml or not. But if we wish to filter we can do that as well

[liyinan926]

We need to make sure this is called even if creds.writeTokenStorageToStream(dataStream) throws an exception (unlikely but still worth considering). Not sure what's the best practice to do this in Scala.

[kimoonkim]

+1

[liyinan926]

Also the same for properties below.

[mccheah]

Avoid using var in general

[ifilonenko]

These are Hadoop objects, in java, that are being modified, I believe that I need var.

[mccheah]

We only have one method in this class - can't all of the fields be defined as vals as they are being created?

[mccheah]

nit: space between Logging and { at the end of the line

[mccheah]

Perhaps a more clear name - especially since driverSparkConf = executorSparkConf below doesn't read very well.

[ifilonenko]

But that is because we want the executorSparkConf to clone the driverSparkConf and append extra EnvVariables. I don't see what is wrong with naming convention here

[mccheah]

Think we want driverSparkConfWithExecutorSetup or something like that. Basically we want to say "This is the driver's spark configuration, that configures executors to behave such and such a way". Current naming suggests that this is the SparkConf that the executor itself will get.

[kimoonkim]

Typo. s/rewewer/renewer/

[kimoonkim]

Curious. Is the token refresh server supposed to renew this pre-populated token as well? Or is it supposed to be renewed by the job user? We may want to comment on that.

[ifilonenko]

The token refresh server is supposed to renew this pre-populated token. The assumption is that if you supply a pre-populated token it will be automatically updated by either an administrator or the token refresh server. In the later PR if you think, you should probably note this.

[kimoonkim]

file.toPath.getFileName.toString is used repeatedly at line 53 and 54. Extract to a val, say fileName at a line before 52 and use the variable in these lines?

[kimoonkim]

Maybe s/mainContainerWithMountedHadoopConf/hadoopSupportedContainer/ to be consistent with hadoopSupportedPod at line 56?

[kimoonkim]

Maybe we don't need this method. There is only one caller. And the caller can easily just do hadoopUgiUtil.getCurrentUser.getShortUserName itself.

[ifilonenko]

This is used purely for mocking

[kimoonkim]

We should wrap a minimal set of methods for mocking. And we already wrap getCurrentUser, so this wrapping is unnecessary. Besides, this method name getShortName makes the caller code a bit difficult to read by masking that the short name is for the current user. The reader will question "short name of what?".

[kimoonkim]

Line 30 says "Function of this class is merely for mocking reasons". But it seems this function has real business logic, more than just mocking purpose. Move it to some other class?

[kimoonkim]

Ditto. It has business logic that should be tested than just being mocked. Move to some other class?

[kimoonkim]

Can we also name the auto-generated secret using kubernetesResourceNamePrefix and pass it down below so that secret is named after the job name? So that it is easier to find which secret is used by which spark job.

[ifilonenko]

We find secrets based on labels... secret name is irrelevant tho...

[ifilonenko]

although, you are right... this could be helpful. It will break my unit tests... but I guess it is worth for the sake of naming conventions :P

[mccheah]

The generated secret needs to have a unique name, and we've been using the kubernetes resource name prefix to guarantee uniqueness everywhere.

[kimoonkim]

Can we name this using $kubernetesResourceNamePrefix like the hadoop config map name so it's easier to tell which secret is for which Spark job?

[kimoonkim]

Maybe put "refresh-hadoop-tokens" and "yes" in named constants and indicate that they are expected by the token refresh server in the constant names and/or comments?

[kimoonkim]

Excellent question.

If this is set to "kerberos", then UserGroupInformation code crashes complaining it cannot read kerberos config files like /etc/krb5.conf. So we want to prevent that by suppressing the code path.

As an alternative, we could create a config map containing /etc/krb5.conf and mount it in the driver and executor pods. But that seems to be an overkill.

Now, there is another question. How can setting it to "simple" allows the driver and executor to access secure HDFS? It works because the driver and executor need only the delegation token to access secure HDFS. i.e. They don't need to sign on to Kerberos on their own.

This is counter-intuitive and hard to explain. I am open to suggestions to make this part easier to read. Maybe we can call the associated variable like maybeTokenOnlyAuthentication.

[kimoonkim]

I just realized we have an edge case that this will fail. Imagine a job ran for many weeks and the refresh server added new weekly tokens. And also imagine the dynamic allocation is enabled and new executors are launching.

Those new executors should use the latest token, not the initial token. i.e. ENV_HADOOP_TOKEN_FILE_LOCATION should point to the latest token data item key.

I don't know how we can solve this yet. And we should probably address it later in a follow-up PR that we'll write for picking up the new token. Maybe add a TODO here so we don't forget this?

[liyinan926]

Add a space after Logging.

[liyinan926]

The DataInputStream also needs to be closed.

[liyinan926]

Space after Logging.

[liyinan926]

Wraps close in a finally block.

[mccheah]

Imports are not consistent with the rest of the project. Order should be as follows everywhere:

1. java.io.*
2. Empty Space
3. Everything that isn't java.io.* or org.apache.spark.* (this includes scala.*)
4. Empty space
5. org.apache.spark.*

Please look over all files and fix all imports.

[kimoonkim]

I was curious about the import order. According to http://spark.apache.org/contributing.html, the recommended import order is slightly different. scala.* and other 3rd parties libraries are separated by an empty space. Do we know which one is correct?

In addition, sort imports in the following order (use alphabetical order within each group):

• java.* and javax.*
• scala.*
• Third-party libraries (org., com., etc)
• Project classes (org.apache.spark.*)

An example from the same page:

import java.*
import javax.*
 
import scala.*
 
import *
 
import org.apache.spark.*

[mccheah]

Actually @kimoonkim and I think our code is incorrect in most places.

[kimoonkim]

@mccheah Cool. Should we then follow the import order suggested in http://spark.apache.org/contributing.html going forward?

[mccheah]

Yes we should. We can fix the ordering as we merge upstream.

[mccheah]

Can this all fit on one line?

[mccheah]

Put a trait over this and extend the trait. Then, only mock the trait.

[mccheah]

Just return a FileSystem,the test can mock the FileSystem object, and then call addDelegationTokens on the mock FileSystem.

[ifilonenko]

How exactly can this be done? This has been tripping me up, as I am trying to mock this FileSystem object but with no luck (while ensuring that it passes Integration tests)

[kimoonkim]

I think you can add a method to this class like:

def getFileSystem(hadoopConf: Configuration): FileSystem = FileSystem.get(hadoopConf)

[mccheah]

Use Utils.tryWithResource.

[mccheah]

Indentation is off here - think we want this line and the next line indented in one more.

[mccheah]

Indentation is off here, indent in one more along with the line below.

[mccheah]

Should be simple enough to inline the isFile method. Alternatively: Some(file).filter(_.isFile)

[mccheah]

No unit tests exist for the new classes - were those drafted up in the original as well? Can we include them here? Some of the utility classes created for testing lack that context.

[ifilonenko]

Unit tests were a massive portion of the PR that would almost double line count. Should I include them in this or separate PR?

[ifilonenko]

rerun integration tests please

[ifilonenko]

rerun integration tests please

[ifilonenko]

rerun integration tests please

[ifilonenko]

Rerun integration tests please

[ifilonenko]

rerun integration tests please

[kimoonkim]

Most of my comments are addressed in the latest commit. LGTM.

Thanks for writing this change, @ifilonenko!

[liyinan926]

nit: empty space after map.

[liyinan926]

Should we filter .xml files only?

[liyinan926]

nit: put an empty line before the returned value.

[liyinan926]

nit: empty space at the end of the first part. Ditto below.

[liyinan926]

nit: use ENV_HADOOP_CONF_DIR.

[liyinan926]

Use HADOOP_SECURITY_AUTHENTICATION .

[liyinan926]

nit: empty line before.

[liyinan926]

nit: empty line before.

[liyinan926]

Is the description accurate and are we missing something in the here? I don't see asserts that are HadoopConfSparkUserBootstrap specific.

[ifilonenko]

The description is not accurate. But for the steps, because we are leveraging the bootstrap method. This allows for us to mock the call to the bootstrap. As such, we can just mock the method with a label change.

[liyinan926]

We should be consistent in using capitals.

[liyinan926]

Overall the changes LGTM, with one minor comment.

[liyinan926]

Can we also rename the constant val names?

[ifilonenko]

Would like to merge since I have already recieved two LGTM. Any contentions / comments?

[liyinan926]

Any more comments? If not, will merge by EOD today.