[KYUUBI #6003] Allow disabling user impersonation on launching engine #6003
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
kind:documentation
pan3793
commented
Jan 22, 2024
| @@ -2087,20 +2087,33 @@ object KyuubiConf { | |||
| .version("1.5.0") | |||
| .fallbackConf(ENGINE_CONNECTION_URL_USE_HOSTNAME) | |||
|
|
|||
| val ENGINE_DO_AS_ENABLED: ConfigEntry[Boolean] = | |||
| buildConf("kyuubi.engine.doAs.enabled") | |||
There was a problem hiding this comment.
cc @yaooqinn @zhouyifan279 WDYT of this configuration name? My another candidate is kyuubi.engine.impersonation.enabled
There was a problem hiding this comment.
+1 for kyuubi.engine.doAs.enabled.
pan3793
changed the title
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #6003 +/- ##
============================================
- Coverage 61.10% 61.09% -0.02%
Complexity 23 23
============================================
Files 623 623
Lines 37103 37136 +33
Branches 5029 5031 +2
============================================
+ Hits 22672 22687 +15
- Misses 11981 12001 +20
+ Partials 2450 2448 -2 ☔ View full report in Codecov by Sentry. |
wForget
reviewed
Jan 22, 2024
kyuubi-server/src/main/scala/org/apache/kyuubi/engine/spark/SparkProcessBuilder.scala
Show resolved
Hide resolved
pan3793
commented
Jan 22, 2024
| @@ -97,6 +98,8 @@ private[kyuubi] class EngineRef( | |||
| case _ => user | |||
| } | |||
|
|
|||
| private[kyuubi] val effectiveUser: String = if (doAsEnabled) appUser else Utils.currentUser | |||
There was a problem hiding this comment.
there are three user variables in this class now,
user: session userappUser: for engine routingeffectiveUser: for engine launching
those name are not much straightforward, maybe I need to rename them to
user=>sessionUserappUser=>routingUsereffectiveUser=>appUser
thought?
There was a problem hiding this comment.
+1. It's better to let appUser be consistent with the user on YARN.
yaooqinn
reviewed
Jan 22, 2024
| s"`kyuubi.engine.share.level`, different users will be used to launch the engine. " + | ||
| "Otherwise, Kyuubi Server's user will always be used to launch the engine.") | ||
| .version("1.8.1") | ||
| .booleanConf |
There was a problem hiding this comment.
Let's add this to 1.9.0 instead of a bugfix version
pan3793
changed the title
| @@ -2087,20 +2087,33 @@ object KyuubiConf { | |||
| .version("1.5.0") | |||
| .fallbackConf(ENGINE_CONNECTION_URL_USE_HOSTNAME) | |||
|
|
|||
| val ENGINE_DO_AS_ENABLED: ConfigEntry[Boolean] = | |||
| buildConf("kyuubi.engine.doAs.enabled") | |||
There was a problem hiding this comment.
+1 for kyuubi.engine.doAs.enabled.
| warn(s"The session proxy user: $proxyUser is not same with " + | ||
| s"spark principal: ${ugi.getShortUserName}, so we can't support use keytab. " + | ||
| s"Fallback to use proxy user.") | ||
| None | ||
| } else if (!doAsEnabled && ugi.getShortUserName != Utils.currentUser) { | ||
| warn(s"The server's user: ${Utils.currentUser} is not same with " + | ||
| s"spark principal: ${ugi.getShortUserName}, skip to use keytab.") |
There was a problem hiding this comment.
Change skip to use keytab. to Fallback to use server's user. can avoid misunderstanding.
wForget
reviewed
Jan 25, 2024
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
Outdated
Show resolved
Hide resolved
| warn(s"The session proxy user: $proxyUser is not same with " + | ||
| s"spark principal: ${ugi.getShortUserName}, so we can't support use keytab. " + | ||
| s"Fallback to use proxy user.") | ||
| None | ||
| } else if (!doAsEnabled && ugi.getShortUserName != Utils.currentUser) { | ||
| warn(s"The server's user: ${Utils.currentUser} is not same with " + | ||
| s"spark principal: ${ugi.getShortUserName}, skip to use keytab. " + |
There was a problem hiding this comment.
Should be skip using keytab
|
LGTM |
|
Thanks, merged to master |
zhaohehuhu
pushed a commit
to zhaohehuhu/incubator-kyuubi
that referenced
this pull request
Feb 5, 2024
…engine # 🔍 Description ## Issue References 🔗 HiveServer2 has a configuration `hive.server2.enable.doAs` to control the execution user between the session user and the server user, Kyuubi's CONNECTION and USER share levels always perform like doAs enabled do. In CDH 5/6, this is disabled by default, users who want to migrate from CDH to Kyuubi may encounter permission issues with the current implementation. ## Describe Your Solution 🔧 This pull request introduces a new configuration `kyuubi.engine.doAs.enabled` to allow enable/disable user impersonation on launching engine. For security purpose, it's not allowed to be overridden by session conf. The change in this PR has certain limitations: - only supports Spark engine - only supports interactive mode, specifically, it does not take effect on Spark batch mode now. ## Types of changes 🔖 - [ ] Bugfix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 The first step is passing all existing UTs when `kyuubi.engine.doAs.enabled=true`. Tested on internal Kerberized-environment, when `kyuubi.engine.share.level=CONNECTION` and `kyuubi.engine.doAs.enabled=false`, use user 'spark' to launch engine, and the engine submitted without `--proxy-user spark`, thus engine launched by server user `hive`, then run `select session_user(), current_user()` and returns ``` +-----------------+-----------------+ | session_user() | current_user() | +-----------------+-----------------+ | spark | hive | +-----------------+-----------------+ ``` And I checked the `spark.app.name` and registered path on Zookeeper also expected. ``` +-----------------+--------------------------------------------------------------------------+ | key | value | +-----------------+--------------------------------------------------------------------------+ | spark.app.name | kyuubi_USER_SPARK_SQL_spark_default_51a416e5-6023-4bac-a964-cd9605f17c61 | +-----------------+--------------------------------------------------------------------------+ ``` --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes apache#6003 from pan3793/doas. Closes apache#6003 c4002fe [Cheng Pan] grammar add20fd [Cheng Pan] nit 8711c22 [Cheng Pan] address comment 033a322 [Cheng Pan] 1.9.0 9273b94 [Cheng Pan] fix a1563e1 [Cheng Pan] HadoopCredentialsManager e982e23 [Cheng Pan] Allow disable user impersonation on launching engine Authored-by: Cheng Pan <[email protected]> Signed-off-by: Cheng Pan <[email protected]>
zhaohehuhu
pushed a commit
to zhaohehuhu/incubator-kyuubi
that referenced
this pull request
Mar 21, 2024
…engine # 🔍 Description ## Issue References 🔗 HiveServer2 has a configuration `hive.server2.enable.doAs` to control the execution user between the session user and the server user, Kyuubi's CONNECTION and USER share levels always perform like doAs enabled do. In CDH 5/6, this is disabled by default, users who want to migrate from CDH to Kyuubi may encounter permission issues with the current implementation. ## Describe Your Solution 🔧 This pull request introduces a new configuration `kyuubi.engine.doAs.enabled` to allow enable/disable user impersonation on launching engine. For security purpose, it's not allowed to be overridden by session conf. The change in this PR has certain limitations: - only supports Spark engine - only supports interactive mode, specifically, it does not take effect on Spark batch mode now. ## Types of changes 🔖 - [ ] Bugfix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Test Plan 🧪 The first step is passing all existing UTs when `kyuubi.engine.doAs.enabled=true`. Tested on internal Kerberized-environment, when `kyuubi.engine.share.level=CONNECTION` and `kyuubi.engine.doAs.enabled=false`, use user 'spark' to launch engine, and the engine submitted without `--proxy-user spark`, thus engine launched by server user `hive`, then run `select session_user(), current_user()` and returns ``` +-----------------+-----------------+ | session_user() | current_user() | +-----------------+-----------------+ | spark | hive | +-----------------+-----------------+ ``` And I checked the `spark.app.name` and registered path on Zookeeper also expected. ``` +-----------------+--------------------------------------------------------------------------+ | key | value | +-----------------+--------------------------------------------------------------------------+ | spark.app.name | kyuubi_USER_SPARK_SQL_spark_default_51a416e5-6023-4bac-a964-cd9605f17c61 | +-----------------+--------------------------------------------------------------------------+ ``` --- # Checklist 📝 - [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html) **Be nice. Be informative.** Closes apache#6003 from pan3793/doas. Closes apache#6003 c4002fe [Cheng Pan] grammar add20fd [Cheng Pan] nit 8711c22 [Cheng Pan] address comment 033a322 [Cheng Pan] 1.9.0 9273b94 [Cheng Pan] fix a1563e1 [Cheng Pan] HadoopCredentialsManager e982e23 [Cheng Pan] Allow disable user impersonation on launching engine Authored-by: Cheng Pan <[email protected]> Signed-off-by: Cheng Pan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔍 Description
Issue References 🔗
HiveServer2 has a configuration
hive.server2.enable.doAsto control the execution user between the session user and the server user, Kyuubi's CONNECTION and USER share levels always perform like doAs enabled do. In CDH 5/6, this is disabled by default, users who want to migrate from CDH to Kyuubi may encounter permission issues with the current implementation.Describe Your Solution 🔧
This pull request introduces a new configuration
kyuubi.engine.doAs.enabledto allow enable/disable user impersonation on launching engine. For security purpose, it's not allowed to be overridden by session conf.The change in this PR has certain limitations:
Types of changes 🔖
Test Plan 🧪
The first step is passing all existing UTs when
kyuubi.engine.doAs.enabled=true.Tested on internal Kerberized-environment, when
kyuubi.engine.share.level=CONNECTIONandkyuubi.engine.doAs.enabled=false, use user 'spark' to launch engine, and the engine submitted without--proxy-user spark, thus engine launched by server userhive, then runselect session_user(), current_user()and returnsAnd I checked the
spark.app.nameand registered path on Zookeeper also expected.Checklist 📝
Be nice. Be informative.