[Spark-21842][Mesos] Support Kerberos ticket renewal and creation in Mesos

core/src/main/scala/org/apache/spark/deploy/SparkHadoopUtil.scala

@@ -142,6 +142,13 @@ class SparkHadoopUtil extends Logging {
     }
   }
 
+  def addDelegationTokens(tokens: Array[Byte], sparkConf: SparkConf) {
+    val hadoopConf = newConfiguration(sparkConf)
+    hadoopConf.set("hadoop.security.authentication", "Token")
+    UserGroupInformation.setConfiguration(hadoopConf)
+    addCurrentUserCredentials(deserialize(tokens))
+  }
+
   /**
    * Returns a function that can be called to find Hadoop FileSystem bytes read. If
    * getFSBytesReadOnThreadCallback is called from thread r at time t, the returned callback will

core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala

@@ -123,6 +123,11 @@ private[spark] class CoarseGrainedExecutorBackend(
           executor.stop()
         }
       }.start()
+
+    // This message is only sent by Mesos Drivers, and is not expected from other
+    // SchedulerBackends at this time
+    case UpdateDelegationTokens(tokens) =>
+      SparkHadoopUtil.get.addDelegationTokens(tokens, env.conf)
   }
 
   override def onDisconnected(remoteAddress: RpcAddress): Unit = {

core/src/main/scala/org/apache/spark/scheduler/cluster/CoarseGrainedClusterMessage.scala

@@ -54,6 +54,8 @@ private[spark] object CoarseGrainedClusterMessages {
   case class RegisterExecutorFailed(message: String) extends CoarseGrainedClusterMessage
     with RegisterExecutorResponse
 
+  case class UpdateDelegationTokens(tokens: Array[Byte]) extends CoarseGrainedClusterMessage
+
   // Executors to driver
   case class RegisterExecutor(
       executorId: String,

core/src/main/scala/org/apache/spark/scheduler/cluster/CoarseGrainedSchedulerBackend.scala

@@ -159,6 +159,11 @@ class CoarseGrainedSchedulerBackend(scheduler: TaskSchedulerImpl, val rpcEnv: Rp
         scheduler.getExecutorsAliveOnHost(host).foreach { exec =>
           killExecutors(exec.toSeq, replace = true, force = true)
         }
+
+      case UpdateDelegationTokens(tokens) =>
+        executorDataMap.values.foreach {
+          ed => ed.executorEndpoint.send(UpdateDelegationTokens(tokens))
+        }
     }
 
     override def receiveAndReply(context: RpcCallContext): PartialFunction[Any, Unit] = {

resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosClusterManager.scala

@@ -17,7 +17,7 @@
 
 package org.apache.spark.scheduler.cluster.mesos
 
-import org.apache.spark.{SparkContext, SparkException}
+import org.apache.spark.SparkContext
 import org.apache.spark.internal.config._
 import org.apache.spark.scheduler.{ExternalClusterManager, SchedulerBackend, TaskScheduler, TaskSchedulerImpl}
 

resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackend.scala

@@ -22,12 +22,13 @@ import java.util.{Collections, List => JList}
 import java.util.concurrent.atomic.{AtomicBoolean, AtomicLong}
 import java.util.concurrent.locks.ReentrantLock
 
-import org.apache.mesos.Protos.{TaskInfo => MesosTaskInfo, _}
-import org.apache.mesos.SchedulerDriver
 import scala.collection.JavaConverters._
 import scala.collection.mutable
 import scala.concurrent.Future
 
+import org.apache.mesos.Protos.{TaskInfo => MesosTaskInfo, _}
+import org.apache.mesos.SchedulerDriver
+
 import org.apache.spark.{SecurityManager, SparkContext, SparkException, TaskState}
 import org.apache.spark.deploy.mesos.config._
 import org.apache.spark.deploy.security.HadoopDelegationTokenManager
@@ -39,6 +40,7 @@ import org.apache.spark.scheduler.{SlaveLost, TaskSchedulerImpl}
 import org.apache.spark.scheduler.cluster.CoarseGrainedSchedulerBackend
 import org.apache.spark.util.Utils
 
+
 /**
  * A SchedulerBackend that runs tasks on Mesos, but uses "coarse-grained" tasks, where it holds
  * onto each Mesos node for the duration of the Spark job instead of relinquishing cores whenever
@@ -60,6 +62,8 @@ private[spark] class MesosCoarseGrainedSchedulerBackend(
   override def hadoopDelegationTokenManager: Option[HadoopDelegationTokenManager] =
     Some(new HadoopDelegationTokenManager(sc.conf, sc.hadoopConfiguration))
 
+  private val principal = conf.get("spark.yarn.principal", null)
+
   // Blacklist a slave after this many failures
   private val MAX_SLAVE_FAILURES = 2
 
@@ -194,6 +198,26 @@ private[spark] class MesosCoarseGrainedSchedulerBackend(
       sc.conf.getOption("spark.mesos.driver.frameworkId").map(_ + suffix)
     )
 
+    // check that the credentials are defined, even though it's likely that auth would have failed
+    // already if you've made it this far
+    if (principal != null && hadoopDelegationCreds.isDefined) {
+      logDebug(s"Principal found ($principal) starting token renewer")
+      val credentialRenewerThread = new Thread {
+        setName("MesosCredentialRenewer")
+        override def run(): Unit = {
+          val credentialRenewer =
+            new MesosCredentialRenewer(
+              conf,
+              hadoopDelegationTokenManager.get,
+              MesosCredentialRenewer.getTokenRenewalTime(hadoopDelegationCreds.get, conf),
+              driverEndpoint)
+          credentialRenewer.scheduleTokenRenewal()
+        }
+      }
+
+      credentialRenewerThread.start()
+      credentialRenewerThread.join()
+    }
     startScheduler(driver)
   }
 

resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCredentialRenewer.scala

@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.scheduler.cluster.mesos
+
+import java.security.PrivilegedExceptionAction
+import java.util.concurrent.{Executors, TimeUnit}
+
+import scala.collection.JavaConverters._
+import scala.util.Try
+
+import org.apache.hadoop.security.UserGroupInformation
+
+import org.apache.spark.SparkConf
+import org.apache.spark.deploy.SparkHadoopUtil
+import org.apache.spark.deploy.security.HadoopDelegationTokenManager
+import org.apache.spark.internal.Logging
+import org.apache.spark.rpc.RpcEndpointRef
+import org.apache.spark.scheduler.cluster.CoarseGrainedClusterMessages.UpdateDelegationTokens
+import org.apache.spark.util.ThreadUtils
+
+
+class MesosCredentialRenewer(
+    conf: SparkConf,
+    tokenManager: HadoopDelegationTokenManager,
+    nextRenewal: Long,
+    de: RpcEndpointRef) extends Logging {
+  private val credentialRenewerThread =
+    Executors.newSingleThreadScheduledExecutor(
+      ThreadUtils.namedThreadFactory("Credential Refresh Thread"))
+
+  @volatile private var timeOfNextRenewal = nextRenewal
+
+  private val principal = conf.get("spark.yarn.principal")
+
+  private val (secretFile, mode) = getSecretFile(conf)
+
+  private def getSecretFile(conf: SparkConf): (String, String) = {
+    val keytab64 = conf.get("spark.yarn.keytab", null)
+    val tgt64 = System.getenv("KRB5CCNAME")
+    require(keytab64 != null || tgt64 != null, "keytab or tgt required")
+    require(keytab64 == null || tgt64 == null, "keytab and tgt cannot be used at the same time")
+    val mode = if (keytab64 != null) "keytab" else "tgt"
+    val secretFile = if (keytab64 != null) keytab64 else tgt64
+    logInfo(s"Logging in as $principal with mode $mode to retrieve HDFS delegation tokens")
+    logDebug(s"secretFile is $secretFile")
+    (secretFile, mode)
+  }
+
+  def scheduleTokenRenewal(): Unit = {
+    def scheduleRenewal(runnable: Runnable): Unit = {
+      val remainingTime = timeOfNextRenewal - System.currentTimeMillis()
+      if (remainingTime <= 0) {
+        logInfo("Credentials have expired, creating new ones now.")
+        runnable.run()
+      } else {
+        logInfo(s"Scheduling login from keytab in $remainingTime millis.")
+        credentialRenewerThread.schedule(runnable, remainingTime, TimeUnit.MILLISECONDS)
+      }
+    }
+
+    val credentialRenewerRunnable =
+      new Runnable {
+        override def run(): Unit = {
+          try {
+            val creds = getRenewedDelegationTokens(conf)
+            broadcastDelegationTokens(creds)
+          } catch {
+            case e: Exception =>
+              // Log the error and try to write new tokens back in an hour
+              logWarning("Couldn't broadcast tokens, trying again in an hour", e)
+              credentialRenewerThread.schedule(this, 1, TimeUnit.HOURS)
+              return
+          }
+          scheduleRenewal(this)
+        }
+      }
+    scheduleRenewal(credentialRenewerRunnable)
+  }
+
+  private def getRenewedDelegationTokens(conf: SparkConf): Array[Byte] = {
+    logInfo(s"Attempting to login with ${conf.get("spark.yarn.principal", null)}")
+    // Get new delegation tokens by logging in with a new UGI
+    // inspired by AMCredentialRenewer.scala:L174
+    val ugi = if (mode == "keytab") {
+      UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, secretFile)
+    } else {
+      UserGroupInformation.getUGIFromTicketCache(secretFile, principal)
+    }
+    val tempCreds = ugi.getCredentials
+    val hadoopConf = SparkHadoopUtil.get.newConfiguration(conf)
+    var nextRenewalTime = Long.MaxValue
+    ugi.doAs(new PrivilegedExceptionAction[Void] {
+      override def run(): Void = {
+        nextRenewalTime = tokenManager.obtainDelegationTokens(hadoopConf, tempCreds)
+        null
+      }
+    })
+
+    val currTime = System.currentTimeMillis()
+    timeOfNextRenewal = if (nextRenewalTime <= currTime) {
+      logWarning(s"Next credential renewal time ($nextRenewalTime) is earlier than " +
+        s"current time ($currTime), which is unexpected, please check your credential renewal " +
+        "related configurations in the target services.")
+      currTime
+    } else {
+      val rt = 0.75 * (nextRenewalTime - currTime)
+      (currTime + rt).toLong
+    }
+    logInfo(s"Time of next renewal is $timeOfNextRenewal")
+
+    // Add the temp credentials back to the original ones.
+    UserGroupInformation.getCurrentUser.addCredentials(tempCreds)
+    SparkHadoopUtil.get.serialize(tempCreds)
+  }
+
+  private def broadcastDelegationTokens(tokens: Array[Byte]): Unit = {
+    // send token to existing executors
+    logInfo("Sending new tokens to all executors")
+    de.send(UpdateDelegationTokens(tokens))
+  }
+}
+
+object MesosCredentialRenewer extends Logging {
+  def getTokenRenewalTime(bytes: Array[Byte], conf: SparkConf): Long = {
+    val hadoopConf = SparkHadoopUtil.get.newConfiguration(conf)
+    val creds = SparkHadoopUtil.get.deserialize(bytes)
+    val renewalTimes = creds.getAllTokens.asScala.flatMap { t =>
+      Try {
+        t.renew(hadoopConf)
+      }.toOption
+    }
+    if (renewalTimes.isEmpty) Long.MaxValue else renewalTimes.min
+  }
+}
+