[#1451] feat(hive): Hive catalog supports to execute operations in the Kerberos mode. #1685
Conversation
|
Wait for #596 |
| try { | ||
| URI uri = new URI(keyTabUri); | ||
| String scheme = Optional.ofNullable(uri.getScheme()).orElse("file"); | ||
| switch (scheme) { | ||
| case "http": | ||
| case "https": | ||
| case "ftp": | ||
| int timeout = | ||
| (int) | ||
| catalogPropertiesMetadata.getOrDefault( | ||
| conf, HiveCatalogPropertiesMeta.FETCH_TIMEOUT_SEC); | ||
| URLConnection uc = uri.toURL().openConnection(); | ||
| uc.setConnectTimeout(timeout * 1000); | ||
| uc.setReadTimeout(timeout * 1000); | ||
| uc.connect(); | ||
|
|
||
| Files.copy(uc.getInputStream(), keyTabFile.toPath()); | ||
| break; | ||
|
|
||
| case "file": | ||
| Files.createSymbolicLink(keyTabFile.toPath(), new File(uri.getPath()).toPath()); | ||
| break; | ||
|
|
||
| // TODO: Supports to download keytab from HCFS, it's unsafe to store | ||
| // keytab in an unsecured HDFS cluster. If we use a secured HDFS cluster, | ||
| // we should have a keytab first. | ||
| default: | ||
| throw new IllegalArgumentException( | ||
| String.format("Don't support the scheme %s", scheme)); | ||
| } | ||
| } catch (URISyntaxException ue) { | ||
| throw new IllegalArgumentException("The uri of keytab has the wrong format", ue); | ||
| } |
There was a problem hiding this comment.
Can you please move this to a common module with a generic method?
| // we should have a keytab first. | ||
| default: | ||
| throw new IllegalArgumentException( | ||
| String.format("Don't support the scheme %s", scheme)); |
| Files.createSymbolicLink(keyTabFile.toPath(), new File(uri.getPath()).toPath()); | ||
| break; | ||
|
|
||
| // TODO: Supports to download keytab from HCFS, it's unsafe to store |
There was a problem hiding this comment.
I would suggest to add HDFS support, it is quite common to use.
There was a problem hiding this comment.
Hadoop Compatible File System.
There was a problem hiding this comment.
I would suggest to add HDFS support, it is quite common to use.
Like the comment. If we use a unsecured cluster to download a key tab. It's weird.
| refreshScheduledExecutor = null; | ||
| } | ||
|
|
||
| File keyTabFile = new File(String.format("/tmp/gravitino-%s-keytab", entity.id())); |
There was a problem hiding this comment.
It is not safe to put keytab in /tmp folder, /tmp folder will be cleaned by the administrator. You'd better choose a new folder.
| @@ -204,6 +322,7 @@ public HiveSchema createSchema( | |||
| NameIdentifier ident, String comment, Map<String, String> properties) | |||
| throws NoSuchCatalogException, SchemaAlreadyExistsException { | |||
| try { | |||
| LOG.warn("Current user : " + UserGroupInformation.getCurrentUser().getUserName()); | |||
| .put( | ||
| REFRESH_INTERVAL_SEC, | ||
| PropertyEntry.integerOptionalPropertyEntry( | ||
| REFRESH_INTERVAL_SEC, "The interval to refresh the principal", true, 60, false)) |
There was a problem hiding this comment.
60 seconds is too frequent for key refreshment.
There was a problem hiding this comment.
This interval just check whether the UserGroupInformation is valid. It won't login every time. I will optimize the name and description.
| File keyTabFile = new File(String.format("/tmp/gravitino-%s-keytab", entity.id())); | ||
| keyTabFile.deleteOnExit(); | ||
| if (keyTabFile.exists() && !keyTabFile.delete()) { | ||
| LOG.warn("Fail to delete key tab file {}", keyTabFile.getAbsolutePath()); |
There was a problem hiding this comment.
I believe the warn level is not enough for the failure of dropping keyTableFile.
| Files.createSymbolicLink(keyTabFile.toPath(), new File(uri.getPath()).toPath()); | ||
| break; | ||
|
|
||
| // TODO: Supports to download keytab from HCFS, it's unsafe to store |
| case "https": | ||
| case "ftp": | ||
| int timeout = | ||
| (int) |
There was a problem hiding this comment.
FileUtils.copyURLToFile();
| throw new IllegalArgumentException( | ||
| String.format("Don't support the scheme %s", scheme)); | ||
| } | ||
| } catch (URISyntaxException ue) { |
There was a problem hiding this comment.
I believe we can simplify the nested try-catch block.
.../catalog-hive/src/main/java/com/datastrato/gravitino/catalog/hive/HiveCatalogOperations.java
Show resolved
Hide resolved
| private DownloadUtils() {} | ||
|
|
||
| public static void downloadFile( | ||
| String keyTabUri, File keyTabFile, int timeout, Configuration conf) throws IOException { |
There was a problem hiding this comment.
Why the parameter should be keyTabXXX, it is a common method. Please carefully review your code again.
Also, can you please move this method to common module. It actually can be used by other modules.
There was a problem hiding this comment.
We can't put this to common module. If we put this to common module, the Hadoop class will be loaded by the root JVM. We can't isolate the class of Hadoop.
| String.format("Doesn't support the scheme %s", scheme)); | ||
| } | ||
| } catch (URISyntaxException ue) { | ||
| throw new IllegalArgumentException("The uri of keytab has the wrong format", ue); |
There was a problem hiding this comment.
Can you have a UT for this?
| File keyTabFile = new File(String.format("tmp/gravitino-%s-keytab", entity.id())); | ||
| keyTabFile.deleteOnExit(); | ||
| if (keyTabFile.exists() && !keyTabFile.delete()) { | ||
| LOG.error("Fail to delete key tab file {}", keyTabFile.getAbsolutePath()); |
There was a problem hiding this comment.
Should you throw an exception here, or continue to execute your code?
| file.mkdir(); | ||
| } | ||
|
|
||
| File keyTabFile = new File(String.format("tmp/gravitino-%s-keytab", entity.id())); |
There was a problem hiding this comment.
“keytab” is a word here, so don't use camel style like "keyTab".
There was a problem hiding this comment.
Why don't you use a random name to avoid duplication?
There was a problem hiding this comment.
entity id is a unique id. We won't duplicate.
| return client.getDelegationToken( | ||
| currentUser.getUserName(), | ||
| PrincipalUtils.getCurrentPrincipal().getName()); | ||
| }); |
There was a problem hiding this comment.
Did you get delegation token every time you do the action?
There was a problem hiding this comment.
Yes, we will have many users. It's useless if we cache the token.
| checkScheduledExecutor = null; | ||
| } | ||
|
|
||
| File keyTabFile = new File(String.format("tmp/gravitino-%s-keytab", entity.id())); |
There was a problem hiding this comment.
I noticed that you have used deleteOnExit to remove the file when JVM terminates, do we need to drop it explicitly here?
There was a problem hiding this comment.
I dropped them in the close method, too.
| DownloadUtils.downloadFile(srcFile.toURI().toString(), destFile, 10, new Configuration()); | ||
| Assertions.assertTrue(destFile.exists()); | ||
|
|
||
| srcFile.delete(); |
There was a problem hiding this comment.
It's best to test one remote file system to ensure it functions properly.
There was a problem hiding this comment.
Do you mean that I should add a MiniHdfsCluster for this pr?
| break; | ||
|
|
||
| case "hdfs": | ||
| FileSystem.get(conf).copyToLocalFile(new Path(uri), new Path(destFile.toURI())); |
There was a problem hiding this comment.
Do you need a break here?
| String.format("Doesn't support the scheme %s", scheme)); | ||
| } | ||
| } catch (URISyntaxException ue) { | ||
| throw new IllegalArgumentException("The uri of keytab has the wrong format", ue); |
There was a problem hiding this comment.
The exception message is not correct.
| if (UserGroupInformation.AuthenticationMethod.KERBEROS | ||
| == SecurityUtil.getAuthenticationMethod(hadoopConf)) { | ||
| try { | ||
| File keytabTemporaryDirectory = new File("tmp"); |
There was a problem hiding this comment.
I would suggest to use name of "keytabs", is it better?
| } | ||
|
|
||
| // The id of entity is a random unique id. | ||
| File keytabFile = new File(String.format("tmp/gravitino-%s-keytab", entity.id())); |
There was a problem hiding this comment.
It is a unique id, not a random id. So if you have your gravitino restart, the id will not changed, so the keytab will be existed anyway.
There was a problem hiding this comment.
The file is deleteOnExit.
| keytabFile.deleteOnExit(); | ||
| if (keytabFile.exists() && !keytabFile.delete()) { | ||
| throw new IllegalStateException( | ||
| String.format("Fail to delete key tab file %s", keytabFile.getAbsolutePath())); |
There was a problem hiding this comment.
keytab is a word here and below.
| String catalogPrincipal = (String) catalogPropertiesMetadata.getOrDefault(conf, PRINCIPAL); | ||
| Preconditions.checkArgument( | ||
| StringUtils.isNotBlank(catalogPrincipal), | ||
| "If you use Kerberos, principal can't be blank"); |
There was a problem hiding this comment.
Please use the third-person statement here and above.
What changes were proposed in this pull request?
Hive catalog supports to execute operations in the Kerberos mode.
Why are the changes needed?
Fix: #1451
Does this PR introduce any user-facing change?
Yes, added the document.
How was this patch tested?
Manual test.