You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/08/23 06:21:48 UTC
[GitHub] [airflow] mik-laj opened a new pull request #10488: Add Kerberos Auth for Presto
mik-laj opened a new pull request #10488:
URL: https://github.com/apache/airflow/pull/10488
https://github.com/apache/airflow/issues/10306
<!--
Thank you for contributing! Please make sure that your code changes
are covered with tests. And in case of new features or big changes
remember to adjust the documentation.
Feel free to ping committers for the review!
In case of existing issue, reference it using one of the following:
closes: #ISSUE
related: #ISSUE
How to write a good git commit message:
http://chris.beams.io/posts/git-commit/
-->
---
**^ Add meaningful description above**
Read the **[Pull Request Guidelines](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#pull-request-guidelines)** for more information.
In case of fundamental code change, Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvements+Proposals)) is needed.
In case of a new dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
In case of backwards incompatible changes please leave a note in [UPDATING.md](https://github.com/apache/airflow/blob/master/UPDATING.md).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] mik-laj merged pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
mik-laj merged pull request #10488:
URL: https://github.com/apache/airflow/pull/10488
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] commented on pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#issuecomment-703492310
The CI and PROD Docker Images for the build are prepared in a separate "Build Image" workflow,
that you will not see in the list of checks (you will see "Wait for images" jobs instead).
You can checks the status of those images in [The workflow run](https://github.com/apache/airflow/actions/runs/289042312)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] commented on pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#issuecomment-703482144
[The Build Workflow run](https://github.com/apache/airflow/actions/runs/289012812) is cancelling this PR. It has some failed jobs matching ^Pylint$,^Static checks$,^Build docs$,^Spell check docs$,^Backport packages$,^Checks: Helm tests$,^Test OpenAPI*.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] mik-laj commented on pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
mik-laj commented on pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#issuecomment-680404365
@jaketf @potiuk It is ready to be reviewed if you could find the time.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] michalslowikowski00 commented on a change in pull request #10488: [WIP] Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
michalslowikowski00 commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r475393307
##########
File path: airflow/providers/presto/hooks/presto.py
##########
@@ -44,9 +59,28 @@ class PrestoHook(DbApiHook):
def get_conn(self):
"""Returns a connection object"""
db = self.get_connection(self.presto_conn_id) # pylint: disable=no-member
- auth = prestodb.auth.BasicAuthentication(db.login, db.password) if db.password else None
+ extra = db.extra_dejson
+ auth = None
+ if db.password and extra.get('auth') == 'kerberos':
+ raise AirflowException("Kerberos authorization don't support password.")
Review comment:
```suggestion
raise AirflowException("Kerberos authorization doesn't support password.")
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
potiuk commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r477108067
##########
File path: scripts/ci/libraries/_kerberos.sh
##########
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+network_name="example.com"
Review comment:
I initially wanted to ask you to capitalize that one, but I think that's the right time we switch to google's bash conventions. I will create an issue for that.
##########
File path: scripts/ci/docker-compose/integration-kerberos.yml
##########
@@ -17,16 +17,55 @@
---
version: "2.2"
services:
- kerberos:
- image: godatadriven/krb5-kdc-server
- hostname: kerberos
+ kdc-server-example-com:
+ build:
+ context: ..
+ dockerfile: ./docker-files/kdc-server/Dockerfile
+ image: krb5-kdc-server-example-com
+ hostname: krb5-kdc-server-example-com
domainname: example.com
+ networks:
+ example.com:
+ ipv4_address: 10.5.0.2
+
volumes:
+ - kerberos-keytabs:/root/kerberos-keytabs
- /dev/urandom:/dev/random # Required to get non-blocking entropy source
+
+ environment:
+ - KRB5_TRACE=/dev/stderr
+ - POST_BOOTSTRAP_COMMAND=
+ /opt/kerberos-utils/create_admin.sh alice alice;
+ /opt/kerberos-utils/create_client.sh bob bob /root/kerberos-keytabs/airflow.keytab;
Review comment:
We had recently discussion about the "alice/bob" characters and having to introduce more "neutral" names. But it's good for now
##########
File path: scripts/ci/libraries/_kerberos.sh
##########
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+network_name="example.com"
Review comment:
Issue here: https://github.com/apache/airflow/issues/10576
##########
File path: breeze
##########
@@ -630,6 +630,9 @@ function parse_arguments() {
else
INTEGRATIONS+=("${INTEGRATION}");
fi
+ if [[ " ${INTEGRATIONS[*]} " =~ " presto " ]]; then
Review comment:
:heart:
##########
File path: scripts/ci/docker-compose/integration-presto.yml
##########
@@ -18,9 +18,30 @@
version: "2.2"
services:
presto:
- image: prestosql/presto:330
+ build:
+ context: ..
+ dockerfile: ./docker-files/presto/Dockerfile
Review comment:
Love it - this then will build as needed ! We should do the same with other images we use for Devel.
##########
File path: scripts/ci/docker-compose/integration-kerberos.yml
##########
@@ -17,16 +17,55 @@
---
version: "2.2"
services:
- kerberos:
- image: godatadriven/krb5-kdc-server
- hostname: kerberos
+ kdc-server-example-com:
+ build:
+ context: ..
+ dockerfile: ./docker-files/kdc-server/Dockerfile
Review comment:
This is MY favourite part :)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
potiuk commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r501616475
##########
File path: scripts/ci/docker-compose/integration-kerberos.yml
##########
@@ -17,16 +17,55 @@
---
version: "2.2"
services:
- kerberos:
- image: apache/airflow:krb5-kdc-server-2020.08.28
- hostname: kerberos
+ kdc-server-example-com:
+ build:
+ context: ..
+ dockerfile: ./dockerfiles/krb5-kdc-server/Dockerfile
+ image: krb5-kdc-server-example-com
Review comment:
One thing I would like to change here - rather than building the kerberos image, we should publish it in airflow repo. This way we will have much faster tests.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] mik-laj commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r476951974
##########
File path: scripts/ci/docker-compose/integration-kerberos.yml
##########
@@ -17,16 +17,55 @@
---
version: "2.2"
services:
- kerberos:
- image: godatadriven/krb5-kdc-server
- hostname: kerberos
+ kdc-server-example-com:
+ build:
+ context: ..
+ dockerfile: ./docker-files/kdc-server/Dockerfile
+ image: krb5-kdc-server-example-com
+ hostname: krb5-kdc-server-example-com
domainname: example.com
+ networks:
+ example.com:
+ ipv4_address: 10.5.0.2
+
volumes:
+ - kerberos-keytabs:/root/kerberos-keytabs
- /dev/urandom:/dev/random # Required to get non-blocking entropy source
+
+ environment:
+ - KRB5_TRACE=/dev/stderr
+ - POST_BOOTSTRAP_COMMAND=
+ /opt/kerberos-utils/create_admin.sh alice alice;
+ /opt/kerberos-utils/create_client.sh bob bob /root/kerberos-keytabs/airflow.keytab;
Review comment:
This is my favorite part, it's very easy now to set up more services and clients as we keep adding more integrations.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
potiuk commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r501616475
##########
File path: scripts/ci/docker-compose/integration-kerberos.yml
##########
@@ -17,16 +17,55 @@
---
version: "2.2"
services:
- kerberos:
- image: apache/airflow:krb5-kdc-server-2020.08.28
- hostname: kerberos
+ kdc-server-example-com:
+ build:
+ context: ..
+ dockerfile: ./dockerfiles/krb5-kdc-server/Dockerfile
+ image: krb5-kdc-server-example-com
Review comment:
One thing I would like to change here - rather than building the kerberos image, we should publish it in airflow repo. This way we will have much faster tests.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] mik-laj commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r476946689
##########
File path: airflow/providers/presto/hooks/presto.py
##########
@@ -44,9 +59,28 @@ class PrestoHook(DbApiHook):
def get_conn(self):
"""Returns a connection object"""
db = self.get_connection(self.presto_conn_id) # pylint: disable=no-member
- auth = prestodb.auth.BasicAuthentication(db.login, db.password) if db.password else None
+ extra = db.extra_dejson
+ auth = None
+ if db.password and extra.get('auth') == 'kerberos':
+ raise AirflowException("Kerberos authorization doesn't support password.")
+ elif db.password:
+ auth = prestodb.auth.BasicAuthentication(db.login, db.password)
+ elif extra.get('auth') == 'kerberos':
+ auth = prestodb.auth.KerberosAuthentication(
+ config=extra.get('kerberos__config', os.environ.get('KRB5_CONFIG')),
Review comment:
We cannot use nested structures because this is not supported by URI representations and the secret backends.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#issuecomment-681783577
Great change ! Love the way you implemented Dev images - that's exactly how we can improve our dev docker images used for Development,
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] github-actions[bot] commented on pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#issuecomment-703466485
The CI and PROD Docker Images for the build are prepared in a separate "Build Image" workflow,
that you will not see in the list of checks (you will see "Wait for images" jobs instead).
You can checks the status of those images in [The workflow run](https://github.com/apache/airflow/actions/runs/288966537)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] mik-laj commented on a change in pull request #10488: Add Kerberos Auth for Presto
Posted by GitBox <gi...@apache.org>.
mik-laj commented on a change in pull request #10488:
URL: https://github.com/apache/airflow/pull/10488#discussion_r476316573
##########
File path: airflow/providers/presto/hooks/presto.py
##########
@@ -44,9 +59,28 @@ class PrestoHook(DbApiHook):
def get_conn(self):
"""Returns a connection object"""
db = self.get_connection(self.presto_conn_id) # pylint: disable=no-member
- auth = prestodb.auth.BasicAuthentication(db.login, db.password) if db.password else None
+ extra = db.extra_dejson
+ auth = None
+ if db.password and extra.get('auth') == 'kerberos':
+ raise AirflowException("Kerberos authorization don't support password.")
Review comment:
Done.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org