You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@spark.apache.org by "pan3793 (via GitHub)" <gi...@apache.org> on 2023/04/18 04:35:50 UTC
[GitHub] [spark] pan3793 opened a new pull request, #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
pan3793 opened a new pull request, #40831:
URL: https://github.com/apache/spark/pull/40831
<!--
Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines: https://spark.apache.org/contributing.html
2. Ensure you have added or run the appropriate tests for your PR: https://spark.apache.org/developer-tools.html
3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP][SPARK-XXXX] Your PR title ...'.
4. Be sure to keep the PR description updated to reflect all changes.
5. Please write your PR title to summarize what this PR proposes.
6. If possible, provide a concise example to reproduce the issue for a faster review.
7. If you want to add a new configuration, please read the guideline first for naming configurations in
'core/src/main/scala/org/apache/spark/internal/config/ConfigEntry.scala'.
8. If you want to add or modify an error type or message, please read the guideline first in
'core/src/main/resources/error/README.md'.
-->
### What changes were proposed in this pull request?
<!--
Please clarify what changes you are proposing. The purpose of this section is to outline the changes and how this PR fixes the issue.
If possible, please consider writing useful notes for better and faster reviews in your PR. See the examples below.
1. If you refactor some codes with changing classes, showing the class hierarchy will help reviewers.
2. If you fix some SQL features, you can provide some references of other DBMSes.
3. If there is design documentation, please add the link.
4. If there is a discussion in the mailing list, please add the link.
-->
This PR allows the users to custom Unix username in Pod by setting env var `SPARK_USER_NAME`, which reduces the gap between Spark on YARN and K8s.
Each line in `/etc/passwd` is compose of
```
username:password:UID:GID:comment:home_directory:shell
```
This PR simply change the first item from `$myuid` to `${SPARK_USER_NAME:$myuid}` to achieve the above ability.
### Why are the changes needed?
<!--
Please clarify why the changes are needed. For instance,
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
-->
In Spark on Yarn mode, when we launch a Spark application via `spark-submit --proxy-user jack ...`, the Yarn will launch containers(usually Linux processes) using Unix user "jack", and some components/libraries rely on the login user in default, one example is Alluxio
https://github.com/Alluxio/alluxio/blob/da77d688bdbb0cf0c6477bed4d3187897fe2a2e1/core/common/src/main/java/alluxio/conf/PropertyKey.java#L6469-L6476
```
public static final PropertyKey SECURITY_LOGIN_USERNAME =
stringBuilder(Name.SECURITY_LOGIN_USERNAME)
.setDescription("When alluxio.security.authentication.type is set to SIMPLE or "
+ "CUSTOM, user application uses this property to indicate the user requesting "
+ "Alluxio service. If it is not set explicitly, the OS login user will be used.")
.setConsistencyCheckLevel(ConsistencyCheckLevel.ENFORCE)
.setScope(Scope.CLIENT)
.build();
```
To reduce the difference between Spark on YARN and Spark on K8s, we hope Spark on K8s keeps the same ability to allow to dynamically change login user on submitting Spark application.
### Does this PR introduce _any_ user-facing change?
<!--
Note that it means *any* user-facing change including all aspects such as the documentation fix.
If yes, please clarify the previous behavior and the change this PR proposes - provide the console output, description and/or an example to show the behavior difference if possible.
If possible, please also clarify if this is a user-facing change compared to the released Spark versions or within the unreleased branches such as master.
If no, write 'No'.
-->
Yes, it allows the user to custom Pod Unix username by setting env var `SPARK_USER_NAME` in K8s, reducing the gap between Spark YARN and K8s.
### How was this patch tested?
<!--
If tests were added, say they were added here. Please make sure to add some test cases that check the changes thoroughly including negative and positive cases if possible.
If it was tested in a way different from regular unit tests, please clarify how you tested step by step, ideally copy and paste-able, so that other reviewers can test and check, and descendants can verify in the future.
If tests were not added, please describe why they were not added and/or why it was difficult to add.
If benchmark tests were added, please run the benchmarks in GitHub Actions for the consistent environment, and the instructions could accord to: https://spark.apache.org/developer-tools.html#github-workflow-benchmarks.
-->
Manually testing in our internal K8s cluster.
```
spark-submit --master=k8s://xxxx \
--conf spark.kubernetes.driverEnv.SPARK_USER_NAME=tom \
--conf spark.executorEnv.SPARK_USER_NAME=tom \
--proxy-user tom \
...
```
And login the Pod, verify the Unix username is `tom` instead of `185`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on a diff in pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on code in PR #40831:
URL: https://github.com/apache/spark/pull/40831#discussion_r1180202192
##########
resource-managers/kubernetes/integration-tests/src/test/scala/org/apache/spark/deploy/k8s/integrationtest/KubernetesSuite.scala:
##########
@@ -623,6 +623,7 @@ private[spark] object KubernetesSuite {
val decomTestTag = Tag("decom")
val rTestTag = Tag("r")
val MinikubeTag = Tag("minikube")
+ val usernameTestTag = Tag("username")
Review Comment:
@Yikun A new tag is added, you can use it to exclude this test for `apache/spark-docker` GA
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1512824480
Also cc @yaooqinn
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1512541064
@Yikun I suppose it's a K8s-only feature.
As mentioned in the PR description, the main purpose is to reduce the gap between Spark on YARN and K8s, to allow users seamlessly migrate Spark jobs from YARN to K8s.
I don't have much knowledge about docker/container technology, and I agree w/ you it looks not easy to dynamically switch user based on the Docker Official Image rule
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1527304010
> Do you think you can add an integration test case in order to prevent a future regression, @pan3793 ?
Sure, IT is added.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] DerekTBrown commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "DerekTBrown (via GitHub)" <gi...@apache.org>.
DerekTBrown commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1526441574
@pan3793 are we good to merge?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1512423177
cc @Yikun
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1512422982
`SPARK_USER_NAME` is introduced in SPARK-26015(https://github.com/apache/spark/pull/23017), and I guess supporting dynamic user name is one of the author initial intention
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] holdenk commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "holdenk (via GitHub)" <gi...@apache.org>.
holdenk commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1627540271
So I would say this looks ok to me, but I hear the concerns around modifying /etc/passwd so I agree on waiting to to see what comes out of the DOI discussions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] Yikun commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "Yikun (via GitHub)" <gi...@apache.org>.
Yikun commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1515680101
Just for others reviewer infomation, I also wanna share some considerations about this (also include some idea in offline discussion with @pan3793 ):
1. (-0.5) As per docker official recommendation about [USER](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user), we should use `groupadd` and `useradd` to address, rather than change `/etc/passwd` directly. If we specify the USER (useradd/groupadd) in Dockerfile in future, this change will be ignored.
2. (-0.5) In theory, application users should be decoupled from container users. Such as, spark docker image should use static user `spark` (just like we done in spark-docker), and other application respect the `spark` user, or don’t depends on the container user.
3. (+0.5) As per https://github.com/apache/spark/pull/23017 original design, it was intend to switch user name dynamically.
4. (+0.5) Consider the Spark case, there are many users want to migrate YARN to K8s easily, support user dynamic switch is a reasonable case.
5. (+0.5) It's a K8s only feature, not for Docker image, so 1 / 2 could be balanced in some level.
So, I am +0.5 on this PR. : )
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
Re: [PR] [SPARK-43171][K8S] Support custom Unix username in Pod [spark]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1767390338
We're closing this PR because it hasn't been updated in a while. This isn't a judgement on the merit of the PR in any way. It's just a way of keeping the PR queue manageable.
If you'd like to revive this PR, please reopen it and ask a committer to remove the Stale tag!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] pan3793 commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "pan3793 (via GitHub)" <gi...@apache.org>.
pan3793 commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1533967009
@Yikun @dongjoon-hyun would you please take a look again?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] Yikun commented on pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
Posted by "Yikun (via GitHub)" <gi...@apache.org>.
Yikun commented on PR #40831:
URL: https://github.com/apache/spark/pull/40831#issuecomment-1627672609
Here is the solution according to DOI suggestion: https://github.com/apache/spark-docker/pull/45. (use libnss to fake user)
I also had a offline discussion with @pan3793, it's also work for this case (if specified the SPARK_USER, then use the libnss to switch fake user).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
Re: [PR] [SPARK-43171][K8S] Support custom Unix username in Pod [spark]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed pull request #40831: [SPARK-43171][K8S] Support custom Unix username in Pod
URL: https://github.com/apache/spark/pull/40831
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org