You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spark.apache.org by js...@apache.org on 2018/05/03 01:28:20 UTC
spark git commit: [SPARK-24110][THRIFT-SERVER] Avoid
UGI.loginUserFromKeytab in STS
Repository: spark
Updated Branches:
refs/heads/master e4c91c089 -> bf4352ca6
[SPARK-24110][THRIFT-SERVER] Avoid UGI.loginUserFromKeytab in STS
## What changes were proposed in this pull request?
Spark ThriftServer will call UGI.loginUserFromKeytab twice in initialization. This is unnecessary and will cause various potential problems, like Hadoop IPC failure after 7 days, or RM failover issue and so on.
So here we need to remove all the unnecessary login logics and make sure UGI in the context never be created again.
Note this is actually a HS2 issue, If later on we upgrade supported Hive version, the issue may already be fixed in Hive side.
## How was this patch tested?
Local verification in secure cluster.
Author: jerryshao <ss...@hortonworks.com>
Closes #21178 from jerryshao/SPARK-24110.
Project: http://git-wip-us.apache.org/repos/asf/spark/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark/commit/bf4352ca
Tree: http://git-wip-us.apache.org/repos/asf/spark/tree/bf4352ca
Diff: http://git-wip-us.apache.org/repos/asf/spark/diff/bf4352ca
Branch: refs/heads/master
Commit: bf4352ca6c96dfab16b286c54720685e32b216f1
Parents: e4c91c0
Author: jerryshao <ss...@hortonworks.com>
Authored: Thu May 3 09:28:14 2018 +0800
Committer: jerryshao <ss...@hortonworks.com>
Committed: Thu May 3 09:28:14 2018 +0800
----------------------------------------------------------------------
.../hive/service/auth/HiveAuthFactory.java | 62 ++++++++++++++++++--
.../hive/thriftserver/SparkSQLCLIService.scala | 20 ++++++-
2 files changed, 75 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/spark/blob/bf4352ca/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HiveAuthFactory.java
----------------------------------------------------------------------
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HiveAuthFactory.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HiveAuthFactory.java
index c5ade65..10000f1 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HiveAuthFactory.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HiveAuthFactory.java
@@ -18,6 +18,8 @@
package org.apache.hive.service.auth;
import java.io.IOException;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
@@ -26,6 +28,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.Objects;
import javax.net.ssl.SSLServerSocket;
import javax.security.auth.login.LoginException;
@@ -92,7 +95,30 @@ public class HiveAuthFactory {
public static final String HS2_PROXY_USER = "hive.server2.proxy.user";
public static final String HS2_CLIENT_TOKEN = "hiveserver2ClientToken";
- public HiveAuthFactory(HiveConf conf) throws TTransportException {
+ private static Field keytabFile = null;
+ private static Method getKeytab = null;
+ static {
+ Class<?> clz = UserGroupInformation.class;
+ try {
+ keytabFile = clz.getDeclaredField("keytabFile");
+ keytabFile.setAccessible(true);
+ } catch (NoSuchFieldException nfe) {
+ LOG.debug("Cannot find private field \"keytabFile\" in class: " +
+ UserGroupInformation.class.getCanonicalName(), nfe);
+ keytabFile = null;
+ }
+
+ try {
+ getKeytab = clz.getDeclaredMethod("getKeytab");
+ getKeytab.setAccessible(true);
+ } catch(NoSuchMethodException nme) {
+ LOG.debug("Cannot find private method \"getKeytab\" in class:" +
+ UserGroupInformation.class.getCanonicalName(), nme);
+ getKeytab = null;
+ }
+ }
+
+ public HiveAuthFactory(HiveConf conf) throws TTransportException, IOException {
this.conf = conf;
transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);
@@ -107,9 +133,16 @@ public class HiveAuthFactory {
authTypeStr = AuthTypes.NONE.getAuthName();
}
if (authTypeStr.equalsIgnoreCase(AuthTypes.KERBEROS.getAuthName())) {
- saslServer = ShimLoader.getHadoopThriftAuthBridge()
- .createServer(conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
- conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
+ String principal = conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
+ String keytab = conf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);
+ if (needUgiLogin(UserGroupInformation.getCurrentUser(),
+ SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keytab)) {
+ saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(principal, keytab);
+ } else {
+ // Using the default constructor to avoid unnecessary UGI login.
+ saslServer = new HadoopThriftAuthBridge.Server();
+ }
+
// start delegation token manager
try {
// rawStore is only necessary for DBTokenStore
@@ -362,4 +395,25 @@ public class HiveAuthFactory {
}
}
+ public static boolean needUgiLogin(UserGroupInformation ugi, String principal, String keytab) {
+ return null == ugi || !ugi.hasKerberosCredentials() || !ugi.getUserName().equals(principal) ||
+ !Objects.equals(keytab, getKeytabFromUgi());
+ }
+
+ private static String getKeytabFromUgi() {
+ synchronized (UserGroupInformation.class) {
+ try {
+ if (keytabFile != null) {
+ return (String) keytabFile.get(null);
+ } else if (getKeytab != null) {
+ return (String) getKeytab.invoke(UserGroupInformation.getCurrentUser());
+ } else {
+ return null;
+ }
+ } catch (Exception e) {
+ LOG.debug("Fail to get keytabFile path via reflection", e);
+ return null;
+ }
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/spark/blob/bf4352ca/sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLCLIService.scala
----------------------------------------------------------------------
diff --git a/sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLCLIService.scala b/sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLCLIService.scala
index ad1f5eb..1335e16 100644
--- a/sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLCLIService.scala
+++ b/sql/hive-thriftserver/src/main/scala/org/apache/spark/sql/hive/thriftserver/SparkSQLCLIService.scala
@@ -27,7 +27,7 @@ import org.apache.commons.logging.Log
import org.apache.hadoop.hive.conf.HiveConf
import org.apache.hadoop.hive.conf.HiveConf.ConfVars
import org.apache.hadoop.hive.shims.Utils
-import org.apache.hadoop.security.UserGroupInformation
+import org.apache.hadoop.security.{SecurityUtil, UserGroupInformation}
import org.apache.hive.service.{AbstractService, Service, ServiceException}
import org.apache.hive.service.Service.STATE
import org.apache.hive.service.auth.HiveAuthFactory
@@ -52,8 +52,22 @@ private[hive] class SparkSQLCLIService(hiveServer: HiveServer2, sqlContext: SQLC
if (UserGroupInformation.isSecurityEnabled) {
try {
- HiveAuthFactory.loginFromKeytab(hiveConf)
- sparkServiceUGI = Utils.getUGI()
+ val principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL)
+ val keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB)
+ if (principal.isEmpty || keyTabFile.isEmpty) {
+ throw new IOException(
+ "HiveServer2 Kerberos principal or keytab is not correctly configured")
+ }
+
+ val originalUgi = UserGroupInformation.getCurrentUser
+ sparkServiceUGI = if (HiveAuthFactory.needUgiLogin(originalUgi,
+ SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keyTabFile)) {
+ HiveAuthFactory.loginFromKeytab(hiveConf)
+ Utils.getUGI()
+ } else {
+ originalUgi
+ }
+
setSuperField(this, "serviceUGI", sparkServiceUGI)
} catch {
case e @ (_: IOException | _: LoginException) =>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@spark.apache.org
For additional commands, e-mail: commits-help@spark.apache.org