[SPARK-31337][SQL]Support MS SQL Kerberos login in JDBC connector

[gaborgsomogyi]

What changes were proposed in this pull request?

When loading DataFrames from JDBC datasource with Kerberos authentication, remote executors (yarn-client/cluster etc. modes) fail to establish a connection due to lack of Kerberos ticket or ability to generate it.

This is a real issue when trying to ingest data from kerberized data sources (SQL Server, Oracle) in enterprise environment where exposing simple authentication access is not an option due to IT policy issues.

In this PR I've added MS SQL support.

What this PR contains:

• Added MSSQLConnectionProvider
• Added MSSQLConnectionProviderSuite
• Changed MS SQL JDBC driver to use the latest (test scope only)
• Changed MsSqlServerIntegrationSuite docker image to use the latest
• Added a version comment to MariaDBConnectionProvider to increase trackability

Why are the changes needed?

Missing JDBC kerberos support.

Does this PR introduce any user-facing change?

Yes, now user is able to connect to MS SQL using kerberos.

How was this patch tested?

• Additional + existing unit tests
• Existing integration tests
• Test on cluster manually

[gaborgsomogyi]

Apart from manual testing I've tried to add docker integration test (failed) and tried out the following:

• Set up an active directory docker => not yet supported, please see this link for details.
• Use Hadoop MiniKdc => simply never authenticated, furthermore MS never claimed it is working

If there will be a working docker image with an Active Directory instance we can try it again. In the meantime if somebody has an idea how to overcome this feel free to add.

[SparkQA]

Test build #123081 has finished for PR 28635 at commit 3c30c4a.

• This patch fails build dependency tests.
• This patch merges cleanly.
• This patch adds no public classes.

[gaborgsomogyi]

Couple of pointers to help reviewers.

There is a driver wrapper here which achieves more or less the same behaviour but with an external jar. The blogpost can be found here.

[gaborgsomogyi]

This is not absolutely necessary, if we think we can extract it into a new PR. Thought it would be overkill.

[gaborgsomogyi]

There are basically 2 approaches to parse the URL to get jaasConfigurationName:

• Try to call private parseAndMergeProperties => tried it first
• Parse the URL manually => used as fallback

Both way has been tested in MSSQLConnectionProviderSuite.

[gaborgsomogyi]

The implementation is based on this.

[gaborgsomogyi]

These props needed to reach kerberos authentication case:
https://github.com/microsoft/mssql-jdbc/blob/0d4e97f401dc0e55779460d9709dd7ee399246be/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerConnection.java#L3771-L3772

[HeartSaVioR]

It'd be nice to add the background information on comment, either the code side or the class doc.

[gaborgsomogyi]

Added an inline comment.

[gaborgsomogyi]

This simulates a driver where the private parser method doesn't exist. Such case manual parsing takes place and the code goes forward without issue.

[gaborgsomogyi]

cc @HeartSaVioR

[SparkQA]

Test build #123082 has finished for PR 28635 at commit 88306f0.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #123090 has finished for PR 28635 at commit 16687d6.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #123177 has finished for PR 28635 at commit 587a502.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds the following public classes (experimental):
• case class ClusterStats(featureSum: Vector, squaredNormSum: Double, weightSum: Double)
• class ClusteringEvaluator(JavaEvaluator, HasPredictionCol, HasFeaturesCol, HasWeightCol,
• case class Log(child: Expression) extends UnaryLogExpression(StrictMath.log, \"LOG\")
• case class CurrentCatalog() extends LeafExpression with Unevaluable
• case class GetCurrentDatabaseAndCatalog(catalogManager: CatalogManager) extends Rule[LogicalPlan]

[gaborgsomogyi]

retest this, please

[SparkQA]

Test build #123184 has finished for PR 28635 at commit 587a502.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds the following public classes (experimental):
• case class ClusterStats(featureSum: Vector, squaredNormSum: Double, weightSum: Double)
• class ClusteringEvaluator(JavaEvaluator, HasPredictionCol, HasFeaturesCol, HasWeightCol,
• case class Log(child: Expression) extends UnaryLogExpression(StrictMath.log, \"LOG\")
• case class CurrentCatalog() extends LeafExpression with Unevaluable
• case class GetCurrentDatabaseAndCatalog(catalogManager: CatalogManager) extends Rule[LogicalPlan]

[HeartSaVioR]

I've gone through the general review but I'm afraid I'm not qualified to review in details.

[HeartSaVioR]

It'd be nice to add the background information on comment, either the code side or the class doc.

[gaborgsomogyi]

cc @vanzin

[SparkQA]

Test build #123530 has finished for PR 28635 at commit 0a71849.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[vanzin]

retest this please

[SparkQA]

Test build #124083 has finished for PR 28635 at commit 0a71849.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[vanzin]

Merging to master.

[thereverand]

I could be wrong, but it doesn't look like this fixes this issue completely.
It doesn't support username/password and Kerberos, which the driver supports, and if the proper krb5.conf and JAAS config are in place does work on the driver node of a Databricks cluster, but then fails on the remote executors in the cluster with the same error being described here. So it looks to me to be the same issue.

[gaborgsomogyi]

@thereverand just seen your comment. It has never stated that username/password is working.
Propagating u/p through the whole cluster will enlarge the attack surface.
This supports keytab which can be better protected.

As a resolution we're planning to add JDBC connection provider API in SPARK-32001 where any custom provider can be added.
This allows each provider to add custom authentication possibilities.