Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2021/11/15 14:54:30 UTC

[GitHub] [spark] jojochuang opened a new pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

jojochuang opened a new pull request #34604:
URL: https://github.com/apache/spark/pull/34604


   
   ### What changes were proposed in this pull request?
   Explicitly cancel the delegation token that's not taken care of by YARN.
   
   
   ### Why are the changes needed?
   Leaking file system delegation tokens creates a burden for the file system components (for example, KMS) and, in the worst case, causes performance regression or even makes the FS inaccessible.
   
   ### Does this PR introduce _any_ user-facing change?
   No
   
   ### How was this patch tested?
   Manually tested on a small cluster, verifying that the KMS delegation tokens are created and cancelled properly.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] [spark] AmplabJenkins removed a comment on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970657854


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/145286/
   




[GitHub] [spark] AmplabJenkins commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-971142246


   Can one of the admins verify this patch?




[GitHub] [spark] AmplabJenkins commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970606153


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/49756/
   




[GitHub] [spark] SparkQA commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970554327


   Kubernetes integration test starting
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49756/
   




[GitHub] [spark] SparkQA removed a comment on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
SparkQA removed a comment on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970509327


   **[Test build #145286 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/145286/testReport)** for PR 34604 at commit [`aaf4b01`](https://github.com/apache/spark/commit/aaf4b01ca5e8008302886ea44bfdbeebcfafa863).




[GitHub] [spark] jojochuang edited a comment on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
jojochuang edited a comment on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970834911


   :) thanks for the review. I have absolutely zero experience with Scala. Will update the code.




[GitHub] [spark] AmplabJenkins commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-969021141


   Can one of the admins verify this patch?




[GitHub] [spark] xkrogen commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
xkrogen commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750622374



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }
+  }
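Review bot: in `cancelDelegationTokens`, neither the `decodeIdentifier()` call inside `filter` nor `token.cancel(hadoopConf)` inside `foreach` is guarded, so an exception on one token ends the traversal and every later token in `creds` stays uncancelled. Give each token its own try/catch and log the failure, so that one bad token does not leave the rest leaked. The method also cancels every matching token in whatever `Credentials` it is handed, which deserves a one-line Scaladoc stating that `creds` must hold only tokens nothing else still uses. Style: `creds: Credentials) : Unit` has a stray space before the colon, and the blank line after the opening brace can go.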

Review comment:
       Maybe this? A little more Scala-idiomatic to use a pattern match instead of `isInstanceOf` 
   ```suggestion
       creds.getAllTokens.asScala.foreach {
         case id: AbstractDelegationTokenIdentifier => id.cancel(hadoopConf)
         case _ => // ignore
       }
   ```
   






[GitHub] [spark] AmplabJenkins commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970657854


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/145286/
   




[GitHub] [spark] SparkQA commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970509327


   **[Test build #145286 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/145286/testReport)** for PR 34604 at commit [`aaf4b01`](https://github.com/apache/spark/commit/aaf4b01ca5e8008302886ea44bfdbeebcfafa863).




[GitHub] [spark] gaborgsomogyi commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r751009455



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -145,6 +145,12 @@ private[deploy] class HadoopFSDelegationTokenProvider
         interval
       }.toOption
     }
+    // cancel the temporary delegation tokens to avoid leakage
+    creds.getAllTokens.asScala.foreach {
+      case id: AbstractDelegationTokenIdentifier => id.cancel(hadoopConf)
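Review bot: the pattern `case id: AbstractDelegationTokenIdentifier` is applied to the elements of `creds.getAllTokens`, which are tokens rather than token identifiers, so the type test can never match (scalac rejects it as a fruitless type test, as reported elsewhere in this thread). Match on the result of `decodeIdentifier()` instead and call `cancel` on the token itself. The comment calls the tokens temporary; naming where `creds` was populated would let a reader confirm that no token still in use ends up in this loop.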

Review comment:
       `cancel` throws `IOException` and `InterruptedException`. Let's say we have 2+ tmp tokens and the following happens:
   * First token `cancel` throws an exception
   * All the rest is just skipped to be canceled
   * Leak partially solved
   
   All in all it would be good to handle cancels independently with catch part + adding some error log into the catch area including the exception content.
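The per-token handling requested in the review comment above, as an added example that is not code from the PR or from Spark: each token is cancelled inside its own try/catch, failures are logged and returned to the caller, and the type test is made on the decoded identifier rather than on the token. The names `TempTokenCleanup`, `CancelFailure` and `cancelEach` are hypothetical, and the block assumes hadoop-common and slf4j-api on the classpath.

```scala
import scala.collection.JavaConverters._
import scala.util.control.NonFatal

import org.apache.hadoop.conf.Configuration
import org.apache.hadoop.security.Credentials
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
import org.slf4j.LoggerFactory

// Hypothetical helper for illustration; none of these names are Spark APIs.
object TempTokenCleanup {
  private val log = LoggerFactory.getLogger(getClass)

  /** One token that could not be cancelled, identified by its kind and service. */
  final case class CancelFailure(kind: String, service: String, cause: Throwable)

  /**
   * Cancels each delegation token in `tmpCreds` on its own, so a failure on one
   * token never prevents the attempt on the next one.
   *
   * Assumption: `tmpCreds` holds only throwaway tokens. Anything the application
   * still needs must not be passed in, because every delegation token found here
   * is cancelled.
   *
   * @return the tokens whose cancellation failed (empty when all succeeded)
   */
  def cancelEach(hadoopConf: Configuration, tmpCreds: Credentials): Seq[CancelFailure] = {
    val failures = Seq.newBuilder[CancelFailure]

    tmpCreds.getAllTokens.asScala.foreach { token =>
      try {
        // The collection holds Token objects, so the type test is made on the
        // decoded identifier. A null result (identifier class not found) does
        // not match the typed pattern and lands in the default case.
        token.decodeIdentifier() match {
          case _: AbstractDelegationTokenIdentifier => token.cancel(hadoopConf)
          case _ => // not a delegation token: nothing to cancel
        }
      } catch {
        case e: InterruptedException =>
          // NonFatal does not match interrupts; restore the flag for the caller
          // and still record that this token was left uncancelled.
          Thread.currentThread().interrupt()
          failures += record(token.getKind.toString, token.getService.toString, e)
        case NonFatal(e) =>
          // Covers IOException from the remote call as well as runtime errors
          // raised while decoding or cancelling.
          failures += record(token.getKind.toString, token.getService.toString, e)
      }
    }

    failures.result()
  }

  /** Logs the failure with its exception and returns the record for the caller. */
  private def record(kind: String, service: String, cause: Throwable): CancelFailure = {
    log.error(s"Failed to cancel temporary delegation token kind=$kind service=$service", cause)
    CancelFailure(kind, service, cause)
  }
}
```

A non-empty return value means some tokens will live until they expire on the issuing service, which is the condition worth alerting on.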
   






[GitHub] [spark] SparkQA commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970656372


   **[Test build #145286 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/145286/testReport)** for PR 34604 at commit [`aaf4b01`](https://github.com/apache/spark/commit/aaf4b01ca5e8008302886ea44bfdbeebcfafa863).
    * This patch passes all tests.
    * This patch merges cleanly.
    * This patch adds no public classes.




[GitHub] [spark] AmplabJenkins removed a comment on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-969021141


   Can one of the admins verify this patch?




[GitHub] [spark] srowen commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970508671


   Jenkins test this please




[GitHub] [spark] HyukjinKwon commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
HyukjinKwon commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970893171


   cc @gaborgsomogyi FYI




[GitHub] [spark] srowen commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r753678616



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -145,6 +145,12 @@ private[deploy] class HadoopFSDelegationTokenProvider
         interval
       }.toOption
     }
+    // cancel the temporary delegation tokens to avoid leakage
+    creds.getAllTokens.asScala.foreach {
+      case id: AbstractDelegationTokenIdentifier => id.cancel(hadoopConf)

Review comment:
       Agree, can you make this change @jojochuang ?






[GitHub] [spark] srowen commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750515508



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }

Review comment:
       Trivial, but `.foreach(_.cancel(hadoopConf))` is good too.
   Does this even need to be a separate method?






[GitHub] [spark] SparkQA commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970601767


   Kubernetes integration test status failure
   URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49756/
   




[GitHub] [spark] srowen commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750839712



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }
+  }

Review comment:
       What's the error? That looks fine. The proposed change really isn't simpler than the original.






[GitHub] [spark] srowen commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750856114



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }
+  }

Review comment:
       Oh right. I'd go back to the original






[GitHub] [spark] jojochuang commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
jojochuang commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750851015



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }
+  }

Review comment:
       Hi Sean, the github action in my repo aborted with
   "[error] /home/runner/work/spark/spark/core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala:150:16: fruitless type test: a value of type org.apache.hadoop.security.token.Token[?0] cannot also be a org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
   [error]       case id: AbstractDelegationTokenIdentifier => id.cancel(hadoopConf)
   [error]                ^
   [error] one error found"
   
   https://github.com/jojochuang/spark/runs/4232847626?check_suite_focus=true






[GitHub] [spark] AmplabJenkins removed a comment on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970606153


   
   Refer to this link for build results (access rights to CI server needed): 
   https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/49756/
   




[GitHub] [spark] jojochuang commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
jojochuang commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r750837533



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -121,6 +121,15 @@ private[deploy] class HadoopFSDelegationTokenProvider
     creds
   }
 
+  private def cancelDelegationTokens(hadoopConf: Configuration,
+                                     creds: Credentials) : Unit = {
+
+    creds.getAllTokens
+      .asScala
+      .filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
+      .foreach { token => token.cancel(hadoopConf) }
+  }

Review comment:
       Oops this won't compile.
   Let me try this instead:
   
   ```
   creds.getAllTokens.asScala.foreach {
     case id if id.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier] =>
       id.cancel(hadoopConf)
     case _ => // ignore
   }
   ```






[GitHub] [spark] jojochuang commented on pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
jojochuang commented on pull request #34604:
URL: https://github.com/apache/spark/pull/34604#issuecomment-970834911


   :) thanks for the review. I have absolutely zero knowledge about Scala. Will update the code.




[GitHub] [spark] gaborgsomogyi commented on a change in pull request #34604: [SPARK-37329][YARN] File system delegation tokens are leaked

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on a change in pull request #34604:
URL: https://github.com/apache/spark/pull/34604#discussion_r779428985



##########
File path: core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -145,6 +145,12 @@ private[deploy] class HadoopFSDelegationTokenProvider
         interval
       }.toOption
     }
+    // cancel the temporary delegation tokens to avoid leakage
+    creds.getAllTokens.asScala.foreach {
+      case id: AbstractDelegationTokenIdentifier => id.cancel(hadoopConf)

Review comment:
       @jojochuang can you make the change to merge this? You've made the majority of the work already :)





