From 2a3f435e7bd923abe0686c8c1ff5efca13d6f00c Mon Sep 17 00:00:00 2001 From: mcheah Date: Wed, 8 Mar 2017 12:46:57 -0800 Subject: [PATCH 1/5] Allow providing an OAuth token for authenticating against k8s --- docs/running-on-kubernetes.md | 8 ++++++++ .../org/apache/spark/deploy/kubernetes/Client.scala | 10 +++++++++- .../org/apache/spark/deploy/kubernetes/config.scala | 12 ++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/running-on-kubernetes.md b/docs/running-on-kubernetes.md index 73c28ec69919b..a05ee8011fac4 100644 --- a/docs/running-on-kubernetes.md +++ b/docs/running-on-kubernetes.md @@ -222,6 +222,14 @@ from the other deployment modes. See the [configuration page](configuration.html machine's disk. + + spark.kubernetes.submit.oauthTokenFile + (none) + + File containing an OAuth token for authenticating against the Kubernetes API server. This file should be located on + the submitting machine's disk. + + spark.kubernetes.submit.serviceAccountName default diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala index 770821e97d12c..27673ad08744b 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala 
@@ -21,10 +21,11 @@ import java.security.SecureRandom import java.util.ServiceLoader import java.util.concurrent.{CountDownLatch, TimeUnit} +import com.google.common.base.Charsets import com.google.common.io.Files import com.google.common.util.concurrent.SettableFuture import io.fabric8.kubernetes.api.model._ -import io.fabric8.kubernetes.client.{ConfigBuilder => K8SConfigBuilder, DefaultKubernetesClient, KubernetesClient, KubernetesClientException, Watcher} +import io.fabric8.kubernetes.client.{DefaultKubernetesClient, KubernetesClient, KubernetesClientException, Watcher, ConfigBuilder => K8SConfigBuilder} import io.fabric8.kubernetes.client.Watcher.Action import org.apache.commons.codec.binary.Base64 import scala.collection.JavaConverters._ @@ -131,6 +132,13 @@ private[spark] class Client( sparkConf.get(KUBERNETES_CLIENT_CERT_FILE).foreach { f => k8ConfBuilder = k8ConfBuilder.withClientCertFile(f) } + sparkConf.get(KUBERNETES_OAUTH_TOKEN_FILE).foreach { f => + val oauthTokenFile = new File(f) + require(oauthTokenFile.isFile, s"OAuth token file provided at $f does not exist or is" + + s" not a file.") + val oauthToken = Files.toString(oauthTokenFile, Charsets.UTF_8) + k8ConfBuilder = k8ConfBuilder.withOauthToken(oauthToken) + } val k8ClientConfig = k8ConfBuilder.build Utils.tryWithResource(new DefaultKubernetesClient(k8ClientConfig)) { kubernetesClient => diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala index dc61ad4025f0f..0e4c1152a456e 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala 
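Review bot: In the second Client.scala hunk, the string returned by `Files.toString(oauthTokenFile, Charsets.UTF_8)` is passed to `withOauthToken` unmodified, so a trailing newline in the file (which most editors and shell redirections add) becomes part of the bearer token. Authentication would then likely fail in a way that is hard to diagnose. Trimming the value, `val oauthToken = Files.toString(oauthTokenFile, Charsets.UTF_8).trim`, and adding a `require(oauthToken.nonEmpty, ...)` would make the read robust. A one-line comment that this file holds a credential and should be readable only by the submitting user would also help. The enclosing method of `Client` starts and ends outside the hunk.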
@@ -83,6 +83,18 @@ package object config { .stringConf .createOptional + private[spark] val KUBERNETES_OAUTH_TOKEN_FILE = + ConfigBuilder("spark.kubernetes.submit.oauthTokenFile") + .doc(""" + | File containing an OAuth token for authenticating + | against the Kubernetes API server. This file + | should be located on the submitting machine's + | disk. + """.stripMargin) + .stringConf + .createOptional + + private[spark] val KUBERNETES_SERVICE_ACCOUNT_NAME = ConfigBuilder("spark.kubernetes.submit.serviceAccountName") .doc(""" From f1771376f5e0d90e1dad5e1acf89d8726e1d9f4c Mon Sep 17 00:00:00 2001 From: mcheah Date: Wed, 8 Mar 2017 13:13:49 -0800 Subject: [PATCH 2/5] Organize imports --- .../main/scala/org/apache/spark/deploy/kubernetes/Client.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala index 27673ad08744b..a24630063ca7b 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala @@ -25,7 +25,7 @@ import com.google.common.base.Charsets import com.google.common.io.Files import com.google.common.util.concurrent.SettableFuture import io.fabric8.kubernetes.api.model._ -import io.fabric8.kubernetes.client.{DefaultKubernetesClient, KubernetesClient, KubernetesClientException, Watcher, ConfigBuilder => K8SConfigBuilder} +import io.fabric8.kubernetes.client.{ConfigBuilder => K8SConfigBuilder, DefaultKubernetesClient, KubernetesClient, KubernetesClientException, Watcher} import io.fabric8.kubernetes.client.Watcher.Action import org.apache.commons.codec.binary.Base64 import scala.collection.JavaConverters._ From f0aceec4f65af3526d81374af373db06b4cd5d12 Mon Sep 17 00:00:00 2001 
From: mcheah Date: Wed, 8 Mar 2017 13:20:46 -0800 Subject: [PATCH 3/5] Fix style --- .../org/apache/spark/deploy/kubernetes/Client.scala | 4 ++-- .../org/apache/spark/deploy/kubernetes/config.scala | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala index a24630063ca7b..36130ce0c0788 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala @@ -134,8 +134,8 @@ private[spark] class Client( } sparkConf.get(KUBERNETES_OAUTH_TOKEN_FILE).foreach { f => val oauthTokenFile = new File(f) - require(oauthTokenFile.isFile, s"OAuth token file provided at $f does not exist or is" + - s" not a file.") + require(oauthTokenFile.isFile, + s"OAuth token file provided at $f does not exist or is not a file.") val oauthToken = Files.toString(oauthTokenFile, Charsets.UTF_8) k8ConfBuilder = k8ConfBuilder.withOauthToken(oauthToken) } diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala index 0e4c1152a456e..90639a7c586d4 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala 
@@ -86,11 +86,11 @@ package object config { private[spark] val KUBERNETES_OAUTH_TOKEN_FILE = ConfigBuilder("spark.kubernetes.submit.oauthTokenFile") .doc(""" - | File containing an OAuth token for authenticating - | against the Kubernetes API server. This file - | should be located on the submitting machine's - | disk. - """.stripMargin) + | File containing an OAuth token for authenticating + | against the Kubernetes API server. This file + | should be located on the submitting machine's + | disk. + """.stripMargin) .stringConf .createOptional From a53804a0180dd8f05a07ec3ac9f27a4c66617a5f Mon Sep 17 00:00:00 2001 From: mcheah Date: Wed, 8 Mar 2017 13:30:33 -0800 Subject: [PATCH 4/5] Remove extra newline --- .../main/scala/org/apache/spark/deploy/kubernetes/config.scala | 1 - 1 file changed, 1 deletion(-) diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala index 90639a7c586d4..884c53832583a 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala @@ -94,7 +94,6 @@ package object config { .stringConf .createOptional - private[spark] val KUBERNETES_SERVICE_ACCOUNT_NAME = ConfigBuilder("spark.kubernetes.submit.serviceAccountName") .doc(""" From 41ca400ef15bb17fa32f86fb3d7d61eb240b3b37 Mon Sep 17 00:00:00 2001 From: mcheah Date: Wed, 8 Mar 2017 17:36:18 -0800 Subject: [PATCH 5/5] Use OAuth token data instead of a file. --- docs/running-on-kubernetes.md | 6 +++--- .../org/apache/spark/deploy/kubernetes/Client.scala | 10 ++++------ .../org/apache/spark/deploy/kubernetes/config.scala | 13 +++++++------ 3 files changed, 14 insertions(+), 15 deletions(-) 
diff --git a/docs/running-on-kubernetes.md b/docs/running-on-kubernetes.md index a05ee8011fac4..8de06f1bd3a18 100644 --- a/docs/running-on-kubernetes.md +++ b/docs/running-on-kubernetes.md @@ -223,11 +223,11 @@ from the other deployment modes. See the [configuration page](configuration.html - spark.kubernetes.submit.oauthTokenFile + spark.kubernetes.submit.oauthToken (none) - File containing an OAuth token for authenticating against the Kubernetes API server. This file should be located on - the submitting machine's disk. + OAuth token to use when authenticating against the against the Kubernetes API server. Note that unlike the other + authentication options, this should be the exact string value of the token to use for the authentication. diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala index 36130ce0c0788..6f715ebad2d75 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/Client.scala @@ -132,12 +132,10 @@ private[spark] class Client( sparkConf.get(KUBERNETES_CLIENT_CERT_FILE).foreach { f => k8ConfBuilder = k8ConfBuilder.withClientCertFile(f) } - sparkConf.get(KUBERNETES_OAUTH_TOKEN_FILE).foreach { f => - val oauthTokenFile = new File(f) - require(oauthTokenFile.isFile, - s"OAuth token file provided at $f does not exist or is not a file.") - val oauthToken = Files.toString(oauthTokenFile, Charsets.UTF_8) - k8ConfBuilder = k8ConfBuilder.withOauthToken(oauthToken) + sparkConf.get(KUBERNETES_OAUTH_TOKEN).foreach { token => + k8ConfBuilder = k8ConfBuilder.withOauthToken(token) + // Remove the oauth token from Spark conf so that its doesn't appear in the Spark UI. + sparkConf.set(KUBERNETES_OAUTH_TOKEN, "") } val k8ClientConfig = k8ConfBuilder.build 
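Review bot: In the Client.scala hunk, `sparkConf.set(KUBERNETES_OAUTH_TOKEN, "")` leaves the key present with an empty value, so a later `sparkConf.get(KUBERNETES_OAUTH_TOKEN)` yields `Some("")` rather than `None`; `sparkConf.remove(KUBERNETES_OAUTH_TOKEN.key)` drops the entry outright. Clearing it here only protects copies of the conf taken after this point, and whether the conf was snapshotted or logged earlier cannot be seen from the hunk (the enclosing method starts and ends outside it). Accepting the literal token as a conf value also means it will usually arrive via `--conf` or a properties file, where it can surface in process listings, shell history and logs, so keeping the file-based option from the earlier patches alongside this one is worth considering. The new comment has a typo ("its doesn't"), and the `Charsets` import added in patch 1 looks unused after this change.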
diff --git a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala index 884c53832583a..0c4269080335f 100644 --- a/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala +++ b/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/kubernetes/config.scala @@ -83,13 +83,14 @@ package object config { .stringConf .createOptional - private[spark] val KUBERNETES_OAUTH_TOKEN_FILE = - ConfigBuilder("spark.kubernetes.submit.oauthTokenFile") + private[spark] val KUBERNETES_OAUTH_TOKEN = + ConfigBuilder("spark.kubernetes.submit.oauthToken") .doc(""" - | File containing an OAuth token for authenticating - | against the Kubernetes API server. This file - | should be located on the submitting machine's - | disk. + | OAuth token to use when authenticating against the + | against the Kubernetes API server. Note that unlike + | the other authentication options, this should be the + | exact string value of the token to use for the + | authentication. """.stripMargin) .stringConf .createOptional
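Review bot: The new `.doc` text repeats "against the" across its first line break (`authenticating against the` followed by `against the Kubernetes API server`); the second line should start `| Kubernetes API server. Note that unlike`. Because this entry now carries the credential itself rather than a path, the doc string should say so plainly, for example with a closing line such as `| This value is a secret; avoid putting it in shared configuration files.` The same duplicated wording appears in the docs/running-on-kubernetes.md hunk of this patch.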