Github user vanzin commented on a diff in the pull request: https://github.com/apache/spark/pull/19272#discussion_r146436883 --- Diff: resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCredentialRenewer.scala --- @@ -0,0 +1,169 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.spark.scheduler.cluster.mesos + +import java.security.PrivilegedExceptionAction +import java.util.concurrent.{Executors, TimeUnit} + +import scala.collection.JavaConverters._ +import scala.util.Try + +import org.apache.hadoop.security.UserGroupInformation + +import org.apache.spark.SparkConf +import org.apache.spark.deploy.SparkHadoopUtil +import org.apache.spark.deploy.security.HadoopDelegationTokenManager +import org.apache.spark.internal.Logging +import org.apache.spark.internal.config +import org.apache.spark.rpc.RpcEndpointRef +import org.apache.spark.scheduler.cluster.CoarseGrainedClusterMessages.UpdateDelegationTokens +import org.apache.spark.util.ThreadUtils + + +/** + * The MesosCredentialRenewer will update the Hadoop credentials for Spark drivers accessing + * secured services using Kerberos authentication. It is modeled after the YARN AMCredential + * renewer, and similarly will renew the Credentials when 75% of the renewal interval has passed. + * The principal difference is that instead of writing the new credentials to HDFS and + * incrementing the timestamp of the file, the new credentials (called Tokens when they are + * serialized) are broadcast to all running executors. On the executor side, when new Tokens are + * recieved they overwrite the current credentials. + */ +class MesosCredentialRenewer( + conf: SparkConf, + tokenManager: HadoopDelegationTokenManager, + nextRenewal: Long, + driverEndpoint: RpcEndpointRef) extends Logging { + private val credentialRenewerThread = + ThreadUtils.newDaemonSingleThreadScheduledExecutor("Credential Renewal Thread") + + @volatile private var timeOfNextRenewal = nextRenewal + + private val principal = conf.get(config.PRINCIPAL).orNull + + private val (secretFile, mode) = getSecretFile(conf) + + private def getSecretFile(conf: SparkConf): (String, String) = { + val keytab = conf.get(config.KEYTAB).orNull + val tgt = conf.getenv("KRB5CCNAME") + require(keytab != null || tgt != null, "A keytab or TGT required.") + // if both Keytab and TGT are detected we use the Keytab. + val (secretFile, mode) = if (keytab != null && tgt != null) { + logWarning(s"Keytab and TGT were detected, using keytab, unset $keytab to use TGT") --- End diff -- `${KEYTAB.key}`?
--- --------------------------------------------------------------------- To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For additional commands, e-mail: reviews-h...@spark.apache.org