Repository: spark
Updated Branches:
  refs/heads/branch-2.2 49968de52 -> 0848df1bb


[SPARK-21890] Credentials not being passed to add the tokens

## What changes were proposed in this pull request?
I observed this while running an oozie job trying to connect to hbase via spark.
It looks like the creds are not being passed in
https://github.com/apache/spark/blob/branch-2.2/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala#L53
for the 2.2 release.
More Info as to why it fails on secure grid:
Oozie client gets the necessary tokens the application needs before launching. 
It passes those tokens along to the oozie launcher job (MR job) which will then 
actually call the Spark client to launch the spark app and pass the tokens 
along.
The oozie launcher job cannot get any more tokens because all it has is tokens
(you can't get tokens with tokens, you need tgt or keytab).
The error here is because the launcher job runs the Spark Client to submit the 
spark job but the spark client doesn't see that it already has the hdfs tokens 
so it tries to get more, which ends with the exception.
There was a change with SPARK-19021 to generalize the hdfs credentials provider 
that changed it so we don't pass the existing credentials into the call to get 
tokens so it doesn't realize it already has the necessary tokens.

https://issues.apache.org/jira/browse/SPARK-21890
Modified to pass creds to get delegation tokens

## How was this patch tested?
Manual testing on our secure cluster

Author: Sanket Chintapalli <schin...@yahoo-inc.com>

Closes #19103 from redsanket/SPARK-21890.


Project: http://git-wip-us.apache.org/repos/asf/spark/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark/commit/0848df1b
Tree: http://git-wip-us.apache.org/repos/asf/spark/tree/0848df1b
Diff: http://git-wip-us.apache.org/repos/asf/spark/diff/0848df1b

Branch: refs/heads/branch-2.2
Commit: 0848df1bb6f27fc7182e0e52efeef1407fd532d2
Parents: 49968de
Author: Sanket Chintapalli <schin...@yahoo-inc.com>
Authored: Thu Sep 7 10:20:39 2017 -0700
Committer: Marcelo Vanzin <van...@cloudera.com>
Committed: Thu Sep 7 10:20:39 2017 -0700

----------------------------------------------------------------------
 .../deploy/yarn/security/HadoopFSCredentialProvider.scala      | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/spark/blob/0848df1b/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala
----------------------------------------------------------------------
diff --git 
a/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala
 
b/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala
index f65c886..19ed026 100644
--- 
a/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala
+++ 
b/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/HadoopFSCredentialProvider.scala
@@ -45,12 +45,11 @@ private[security] class HadoopFSCredentialProvider
       sparkConf: SparkConf,
       creds: Credentials): Option[Long] = {
     // NameNode to access, used to get tokens from different FileSystems
-    val tmpCreds = new Credentials()
     val tokenRenewer = getTokenRenewer(hadoopConf)
     hadoopFSsToAccess(hadoopConf, sparkConf).foreach { dst =>
       val dstFs = dst.getFileSystem(hadoopConf)
       logInfo("getting token for: " + dst)
-      dstFs.addDelegationTokens(tokenRenewer, tmpCreds)
+      dstFs.addDelegationTokens(tokenRenewer, creds)
     }
 
     // Get the token renewal interval if it is not set. It will only be called 
once.
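Review bot: passing the caller's `creds` straight into `dstFs.addDelegationTokens(tokenRenewer, creds)` means a filesystem whose token is already present in `creds` is skipped. That is what the token-only launcher case needs, but it also means this method no longer fetches a fresh token when `creds` holds an old one for the same service. Please add a comment above the loop stating that callers who want new tokens must pass a `Credentials` object without the old ones, and add a unit test that calls this method with pre-populated credentials, since the change was only tested manually.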
@@ -60,7 +59,7 @@ private[security] class HadoopFSCredentialProvider
 
     // Get the time of next renewal.
     val nextRenewalDate = tokenRenewalInterval.flatMap { interval =>
-      val nextRenewalDates = tmpCreds.getAllTokens.asScala
+      val nextRenewalDates = creds.getAllTokens.asScala
         
.filter(_.decodeIdentifier().isInstanceOf[AbstractDelegationTokenIdentifier])
         .map { t =>
           val identifier = 
t.decodeIdentifier().asInstanceOf[AbstractDelegationTokenIdentifier]
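Review bot: `creds.getAllTokens` in the `nextRenewalDates` computation now covers every token the caller passed in, not only the ones fetched in the loop above, so `nextRenewalDates.min` can be driven by a token from another service or by one issued long before this call. Any token whose identifier is an `AbstractDelegationTokenIdentifier` passes the filter and feeds into the date computed inside `tokenRenewalInterval.flatMap`. Consider restricting the set to tokens for the filesystems returned by `hadoopFSsToAccess`, or tracking which tokens were added during this call, so the renewal date reflects only the filesystem tokens this provider is responsible for.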
@@ -69,7 +68,6 @@ private[security] class HadoopFSCredentialProvider
       if (nextRenewalDates.isEmpty) None else Some(nextRenewalDates.min)
     }
 
-    creds.addAll(tmpCreds)
     nextRenewalDate
   }
 

