[feat] add yarn resource manager delegation token support

Author: Z1Wu

kyuubi-server/src/main/resources/META-INF/services/org.apache.kyuubi.credentials.HadoopDelegationTokenProvider

@@ -17,3 +17,4 @@
 
 org.apache.kyuubi.credentials.HadoopFsDelegationTokenProvider
 org.apache.kyuubi.credentials.HiveDelegationTokenProvider
+org.apache.kyuubi.credentials.YarnRMDelegationTokenProvider

kyuubi-server/src/main/scala/org/apache/kyuubi/credentials/YarnRMDelegationTokenProvider.scala

@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.credentials
+
+import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.io.Text
+import org.apache.hadoop.security.{Credentials, SecurityUtil}
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod
+import org.apache.hadoop.yarn.client.ClientRMProxy
+import org.apache.hadoop.yarn.client.api.YarnClient
+import org.apache.hadoop.yarn.conf.YarnConfiguration
+import org.apache.hadoop.yarn.util.ConverterUtils
+
+import org.apache.kyuubi.Logging
+import org.apache.kyuubi.config.KyuubiConf
+import org.apache.kyuubi.credentials.HadoopFsDelegationTokenProvider.doAsProxyUser
+
+class YarnRMDelegationTokenProvider extends HadoopDelegationTokenProvider with Logging {
+  private var yarnConf: YarnConfiguration = _
+  private var tokenService: Text = _
+  private var required = false
+  override def serviceName: String = "yarn"
+
+  def getTokenService(): Text = tokenService
+
+  // Only support engine and kyuubi server using same hadoop conf
+  override def initialize(hadoopConf: Configuration, kyuubiConf: KyuubiConf): Unit = {
+    if (SecurityUtil.getAuthenticationMethod(hadoopConf) != AuthenticationMethod.SIMPLE) {
+      yarnConf = new YarnConfiguration(hadoopConf)
+      tokenService = ClientRMProxy.getRMDelegationTokenService(yarnConf)
+      required = true
+    }
+  }
+
+  override def delegationTokensRequired(): Boolean = required
+
+  override def obtainDelegationTokens(owner: String, creds: Credentials): Unit = {
+    doAsProxyUser(owner) {
+      var client: Option[YarnClient] = None
+      try {
+        client = Some(YarnClient.createYarnClient())
+        client.foreach(client => {
+          client.init(yarnConf)
+          client.start()
+          val yarnToken = ConverterUtils.convertFromYarn(
+            client.getRMDelegationToken(new Text()),
+            tokenService)
+          info(s"Get Token from Resource Manager service ${tokenService}, " +
+            s"token : ${yarnToken.toString}")
+          creds.addToken(new Text(yarnToken.getService), yarnToken)
+        })
+      } catch {
+        case e: Throwable => error("Error occurs when get delegation token", e)
+      } finally {
+        client.foreach(_.close())
+      }
+    }
+  }
+}

kyuubi-server/src/test/scala/org/apache/kyuubi/WithSecuredYarnCluster.scala

@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi
+
+import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.security.UserGroupInformation
+
+import org.apache.kyuubi.config.KyuubiConf
+import org.apache.kyuubi.server.MiniYarnService
+
+trait WithSecuredYarnCluster extends KerberizedTestHelper {
+
+  private var miniYarnService: MiniYarnService = _
+
+  private def newSecuredConf(): Configuration = {
+    val hdfsConf = new Configuration()
+    hdfsConf.set("ignore.secure.ports.for.testing", "true")
+    hdfsConf.set("hadoop.security.authentication", "kerberos")
+    hdfsConf.set("yarn.resourcemanager.keytab", testKeytab)
+    hdfsConf.set("yarn.resourcemanager.principal", testPrincipal)
+
+    hdfsConf.set("yarn.nodemanager.keytab", testPrincipal)
+    hdfsConf.set("yarn.nodemanager.principal", testKeytab)
+
+    hdfsConf
+  }
+
+  override def beforeAll(): Unit = {
+    super.beforeAll()
+    tryWithSecurityEnabled {
+      UserGroupInformation.loginUserFromKeytab(testPrincipal, testKeytab)
+      miniYarnService = new MiniYarnService(newSecuredConf())
+      miniYarnService.initialize(new KyuubiConf(false))
+      miniYarnService.start()
+    }
+  }
+
+  override def afterAll(): Unit = {
+    miniYarnService.stop()
+    super.afterAll()
+  }
+
+  def getHadoopConf: Configuration = miniYarnService.getYarnConf
+  def getHadoopConfDir: String = miniYarnService.getYarnConfDir
+}

kyuubi-server/src/test/scala/org/apache/kyuubi/credentials/YarnDelegationTokenProviderSuite.scala

@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kyuubi.credentials
+
+import org.apache.hadoop.io.Text
+import org.apache.hadoop.security.{Credentials, UserGroupInformation}
+import org.apache.hadoop.security.token.Token
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier
+import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier
+
+import org.apache.kyuubi.WithSecuredYarnCluster
+import org.apache.kyuubi.config.KyuubiConf
+
+class YarnDelegationTokenProviderSuite extends WithSecuredYarnCluster {
+
+  test("obtain yarn rm delegation tokens") {
+    tryWithSecurityEnabled {
+      UserGroupInformation.loginUserFromKeytab(testPrincipal, testKeytab)
+
+      val hadoopConf = getHadoopConf
+      val kyuubiConf = new KyuubiConf(false)
+
+      val provider = new YarnRMDelegationTokenProvider
+      provider.initialize(hadoopConf, kyuubiConf)
+      assert(provider.delegationTokensRequired())
+
+      val owner = "who"
+      val credentials = new Credentials()
+      provider.obtainDelegationTokens(owner, credentials)
+
+      val token = credentials
+        .getToken(provider.getTokenService())
+        .asInstanceOf[Token[AbstractDelegationTokenIdentifier]]
+      assert(token != null)
+
+      val tokenIdent = token.decodeIdentifier()
+      assertResult(RMDelegationTokenIdentifier.KIND_NAME)(token.getKind)
+      assertResult(new Text(owner))(tokenIdent.getOwner)
+      val currentUserName = UserGroupInformation.getCurrentUser.getUserName
+      assertResult(new Text(currentUserName))(tokenIdent.getRealUser)
+    }
+  }
+}

kyuubi-server/src/test/scala/org/apache/kyuubi/server/MiniYarnService.scala

@@ -31,11 +31,12 @@ import org.apache.kyuubi.Utils
 import org.apache.kyuubi.config.KyuubiConf
 import org.apache.kyuubi.service.AbstractService
 
-class MiniYarnService extends AbstractService("TestMiniYarnService") {
+class MiniYarnService(configuration: Configuration = new Configuration())
+  extends AbstractService("TestMiniYarnService") {
 
   private val yarnConfDir: File = Utils.createTempDir().toFile
   private var yarnConf: YarnConfiguration = {
-    val yarnConfig = new YarnConfiguration()
+    val yarnConfig = new YarnConfiguration(configuration)
     // Disable the disk utilization check to avoid the test hanging when people's disks are
     // getting full.
     yarnConfig.set(