[feat] 1. setup HADOOP_TOKEN_FILE_LOCATION env for SparkProcessBuilder 2. minor refactors

Z1Wu · Z1Wu · commit b3377a7ad898 · 2025-09-02T22:39:47.000+08:00
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
@@ -2390,6 +2390,13 @@ object KyuubiConf {
       .booleanConf
       .createWithDefault(true)
 
+  val ENGINE_EXTERNAL_ENABLED: ConfigEntry[Boolean] =
+    buildConf("kyuubi.engine.external.token.enabled")
+      .doc("start kerberos-enabled application with external delegation tokens")
+      .version("1.9.0")
+      .booleanConf
+      .createWithDefault(true)
+
   val ENGINE_SHARE_LEVEL: ConfigEntry[String] = buildConf("kyuubi.engine.share.level")
     .doc("Engines will be shared in different levels, available configs are: <ul>" +
       " <li>CONNECTION: the engine will not be shared but only used by the current client" +
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/ProcBuilder.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/ProcBuilder.scala
@@ -27,14 +27,16 @@ import scala.collection.JavaConverters._
 import com.google.common.collect.EvictingQueue
 import org.apache.commons.lang3.StringUtils
 import org.apache.commons.lang3.StringUtils.containsIgnoreCase
+import org.apache.hadoop.conf.Configuration
 
 import org.apache.kyuubi._
 import org.apache.kyuubi.config.{KyuubiConf, KyuubiReservedKeys}
 import org.apache.kyuubi.config.KyuubiConf.KYUUBI_HOME
+import org.apache.kyuubi.config.KyuubiReservedKeys.KYUUBI_ENGINE_CREDENTIALS_KEY
 import org.apache.kyuubi.operation.log.OperationLog
-import org.apache.kyuubi.util.{JavaUtils, NamedThreadFactory}
+import org.apache.kyuubi.util.{JavaUtils, KyuubiHadoopUtils, NamedThreadFactory}
 
-trait ProcBuilder {
+trait ProcBuilder extends Logging {
 
   import ProcBuilder._
 
@@ -168,6 +170,7 @@ trait ProcBuilder {
   private var logCaptureThread: Thread = _
   @volatile private[kyuubi] var process: Process = _
   @volatile private[kyuubi] var processLaunched: Boolean = false
+  @volatile private[kyuubi] var tokenTempDir: java.nio.file.Path = _
 
   // Set engine application manger info conf
   conf.set(
@@ -270,6 +273,14 @@ trait ProcBuilder {
       Utils.terminateProcess(process, engineStartupDestroyTimeout)
       process = null
     }
+    if (tokenTempDir != null) {
+      try {
+        Utils.deleteDirectoryRecursively(tokenTempDir.toFile)
+      } catch {
+        case e: Throwable =>
+          error(s"Error deleting token temp dir: $tokenTempDir", e)
+      }
+    }
   }
 
   def getError: Throwable = synchronized {
@@ -359,6 +370,19 @@ trait ProcBuilder {
   def waitEngineCompletion: Boolean = {
     !isClusterMode() || conf.get(KyuubiConf.SESSION_ENGINE_STARTUP_WAIT_COMPLETION)
   }
+
+  def generateEngineTokenFile: Option[String] = {
+    conf.getOption(KYUUBI_ENGINE_CREDENTIALS_KEY).map { encodedCredentials =>
+      val credentials = KyuubiHadoopUtils.decodeCredentials(encodedCredentials)
+      tokenTempDir = Utils.createTempDir()
+      val file = s"${tokenTempDir.toString}/kyuubi_credentials_${System.currentTimeMillis()}"
+      credentials.writeTokenStorageFile(
+        new org.apache.hadoop.fs.Path(s"file://$file"),
+        new Configuration())
+      info(s"Generated hadoop token file: $file")
+      file
+    }
+  }
 }
 
 object ProcBuilder extends Logging {
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/flink/FlinkProcessBuilder.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/flink/FlinkProcessBuilder.scala
@@ -24,18 +24,15 @@ import scala.collection.mutable
 
 import com.google.common.annotations.VisibleForTesting
 import org.apache.commons.lang3.StringUtils
-import org.apache.hadoop.conf.Configuration
-import org.apache.hadoop.fs.Path
 import org.apache.hadoop.security.UserGroupInformation
 
 import org.apache.kyuubi._
 import org.apache.kyuubi.config.KyuubiConf
 import org.apache.kyuubi.config.KyuubiConf._
-import org.apache.kyuubi.config.KyuubiReservedKeys.{KYUUBI_ENGINE_CREDENTIALS_KEY, KYUUBI_SESSION_USER_KEY}
+import org.apache.kyuubi.config.KyuubiReservedKeys.KYUUBI_SESSION_USER_KEY
 import org.apache.kyuubi.engine.{ApplicationManagerInfo, KyuubiApplicationManager, ProcBuilder}
 import org.apache.kyuubi.engine.flink.FlinkProcessBuilder._
 import org.apache.kyuubi.operation.log.OperationLog
-import org.apache.kyuubi.util.KyuubiHadoopUtils
 import org.apache.kyuubi.util.command.CommandLineUtils._
 
 /**
@@ -47,7 +44,7 @@ class FlinkProcessBuilder(
     override val conf: KyuubiConf,
     val engineRefId: String,
     val extraEngineLog: Option[OperationLog] = None)
-  extends ProcBuilder with Logging {
+  extends ProcBuilder {
 
   @VisibleForTesting
   def this(proxyUser: String, doAsEnabled: Boolean, conf: KyuubiConf) {
@@ -276,35 +273,20 @@ class FlinkProcessBuilder(
     }
   }
 
-  @volatile private var tokenTempDir: java.nio.file.Path = _
   private def generateTokenFile(): Option[(String, String)] = {
     if (conf.get(ENGINE_FLINK_DOAS_GENERATE_TOKEN_FILE)) {
       // We disabled `hadoopfs` token service, which may cause yarn client to miss hdfs token.
       // So we generate a hadoop token file to pass kyuubi engine tokens to submit process.
       // TODO: Removed this after FLINK-35525 (1.20.0), delegation tokens will be passed
       //  by `kyuubi` provider
-      conf.getOption(KYUUBI_ENGINE_CREDENTIALS_KEY).map { encodedCredentials =>
-        val credentials = KyuubiHadoopUtils.decodeCredentials(encodedCredentials)
-        tokenTempDir = Utils.createTempDir()
-        val file = s"${tokenTempDir.toString}/kyuubi_credentials_${System.currentTimeMillis()}"
-        credentials.writeTokenStorageFile(new Path(s"file://$file"), new Configuration())
-        info(s"Generated hadoop token file: $file")
-        "HADOOP_TOKEN_FILE_LOCATION" -> file
-      }
+      generateEngineTokenFile.map(tokenFile => "HADOOP_TOKEN_FILE_LOCATION" -> tokenFile)
     } else {
       None
     }
   }
 
   override def close(destroyProcess: Boolean): Unit = {
     super.close(destroyProcess)
-    if (tokenTempDir != null) {
-      try {
-        Utils.deleteDirectoryRecursively(tokenTempDir.toFile)
-      } catch {
-        case e: Throwable => error(s"Error deleting token temp dir: $tokenTempDir", e)
-      }
-    }
   }
 
   override def shortName: String = "flink"
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/spark/SparkProcessBuilder.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/engine/spark/SparkProcessBuilder.scala
@@ -51,7 +51,7 @@ class SparkProcessBuilder(
     override val conf: KyuubiConf,
     val engineRefId: String,
     val extraEngineLog: Option[OperationLog] = None)
-  extends ProcBuilder with Logging {
+  extends ProcBuilder {
 
   @VisibleForTesting
   def this(proxyUser: String, doAsEnabled: Boolean, conf: KyuubiConf) {
@@ -61,13 +61,24 @@ class SparkProcessBuilder(
   import SparkProcessBuilder._
 
   private[kyuubi] val sparkHome = getEngineHome(shortName)
+  private[kyuubi] val externalTokensEnabled = conf.get(ENGINE_EXTERNAL_ENABLED)
 
   override protected val executable: String = {
     Paths.get(sparkHome, "bin", SPARK_SUBMIT_FILE).toFile.getCanonicalPath
   }
 
   override def mainClass: String = "org.apache.kyuubi.engine.spark.SparkSQLEngine"
 
+  override def env: Map[String, String] = {
+    val extraEnvs: Map[String, String] =
+      if ((conf.getOption(PRINCIPAL).isEmpty || conf.getOption(KEYTAB).isEmpty)
+        && doAsEnabled && externalTokensEnabled) {
+        Map(ENV_KERBEROS_TGT -> "", ENV_SPARK_PROXY_USER -> proxyUser) ++
+          generateEngineTokenFile.map(tokenFile => HADOOP_TOKEN_FILE_LOCATION -> tokenFile)
+      } else Map.empty
+    conf.getEnvs ++ extraEnvs
+  }
+
   /**
    * Add `spark.master` if KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
    * are defined. So we can deploy spark on kubernetes without setting `spark.master`
@@ -169,8 +180,10 @@ class SparkProcessBuilder(
     tryKeytab() match {
       case None if doAsEnabled =>
         setSparkUserName(proxyUser, buffer)
-        buffer += PROXY_USER
-        buffer += proxyUser
+        if (!externalTokensEnabled) {
+          buffer += PROXY_USER
+          buffer += proxyUser
+        }
       case None => // doAs disabled
         setSparkUserName(Utils.currentUser, buffer)
       case Some(name) =>
@@ -409,6 +422,9 @@ object SparkProcessBuilder {
   final val YARN_MAX_APP_ATTEMPTS_KEY = "spark.yarn.maxAppAttempts"
   final val YARN_SUBMIT_WAIT_APP_COMPLETION = "spark.yarn.submit.waitAppCompletion"
   final val INTERNAL_RESOURCE = "spark-internal"
+  final val HADOOP_TOKEN_FILE_LOCATION = "HADOOP_TOKEN_FILE_LOCATION"
+  final val ENV_KERBEROS_TGT = "KRB5CCNAME"
+  final val ENV_SPARK_PROXY_USER = "HADOOP_PROXY_USER"
 
   final val KUBERNETES_FILE_UPLOAD_PATH = "spark.kubernetes.file.upload.path"
   final val KUBERNETES_UPLOAD_PATH_PERMISSION =
diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/engine/spark/SparkProcessBuilderSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/engine/spark/SparkProcessBuilderSuite.scala
@@ -30,8 +30,9 @@ import org.scalatestplus.mockito.MockitoSugar
 import org.apache.kyuubi._
 import org.apache.kyuubi.config.KyuubiConf
 import org.apache.kyuubi.config.KyuubiConf._
+import org.apache.kyuubi.config.KyuubiReservedKeys.KYUUBI_ENGINE_CREDENTIALS_KEY
 import org.apache.kyuubi.engine.ProcBuilder.KYUUBI_ENGINE_LOG_PATH_KEY
-import org.apache.kyuubi.engine.spark.SparkProcessBuilder._
+import org.apache.kyuubi.engine.spark.SparkProcessBuilder.{PROXY_USER, _}
 import org.apache.kyuubi.ha.HighAvailabilityConf
 import org.apache.kyuubi.ha.client.AuthTypes
 import org.apache.kyuubi.service.ServiceUtils
@@ -484,6 +485,41 @@ class SparkProcessBuilderSuite extends KerberizedTestHelper with MockitoSugar {
     val toady = DateTimeFormatter.ofPattern("yyyyMMdd").format(LocalDate.now())
     assert(commands1.contains(s"spark.kubernetes.file.upload.path=hdfs:///spark-upload-$toady"))
   }
+
+  test("spark engine with external token file") {
+    val conf1 = KyuubiConf(false)
+    val tokenStr = "SERUUwAID2hhLWhkZnM6cmVkcG9sbD8ABmhhZG9vcAAfaGl2ZS9oaXZl" +
+      "c2VydmVyQE5JRS5ORVRFQVNFLkNPTYoBmEC/zomKAZhkzFKJjEQmld6OB4YUpNYg2W5h9" +
+      "+2R2gWTPCf0Ut/Qr9QVSERGU19ERUxFR0FUSU9OX1RPS0VOD2hhLWhkZnM6cmVkcG9sbB" +
+      "FoYS1oZGZzOmZlbmdodWFuZz8ABmhhZG9vcAAfaGl2ZS9oaXZlc2VydmVyQE5JRS5ORVR" +
+      "FQVNFLkNPTYoBmEC/zu2KAZhkzFLtjCqL5mKOEtAUbr+Tl2CACTcgnvac9RcxZAoMq28V" +
+      "SERGU19ERUxFR0FUSU9OX1RPS0VOEWhhLWhkZnM6ZmVuZ2h1YW5ndnRocmlmdDovL3NkY" +
+      "y5mZW5naHVhbmcud2FnZ2xlZGFuY2UuZ2RjLm5pZS5uZXRlYXNlLmNvbToyMDA1MCx0aH" +
+      "JpZnQ6Ly8xMC4xOTEuNTkuMTYyOjIwMDUwLHRocmlmdDovLzEwLjE5MS41OS4xNjM6MjA" +
+      "wNTApAAZoYWRvb3AEaGl2ZQRoaXZligGYQL/PVYoBmGTMU1WMAVM2x40BBgsUIKFw7GME" +
+      "1U6N/ZhxObek/I1RA0sVSElWRV9ERUxFR0FUSU9OX1RPS0VOAA9oYS1oZGZzOmRpamlhb" +
+      "mc/AAZoYWRvb3AAH2hpdmUvaGl2ZXNlcnZlckBOSUUuTkVURUFTRS5DT02KAZhAv89Hig" +
+      "GYZMxTR4wBz4hHjgGVFOfgiMNZ/B2acCmYkV7P0euzVBXWFUhERlNfREVMRUdBVElPTl9" +
+      "UT0tFTg9oYS1oZGZzOmRpamlhbmcPaGEtaGRmczpqaW5nd2VpPwAGaGFkb29wAB9oaXZl" +
+      "L2hpdmVzZXJ2ZXJATklFLk5FVEVBU0UuQ09NigGYQL/PIYoBmGTMUyGMIPu5VY4WwBQH9" +
+      "xpTeUCxroeNIOCW0908k1ZbSBVIREZTX0RFTEVHQVRJT05fVE9LRU4PaGEtaGRmczpqaW" +
+      "5nd2VpEWhhLWhkZnM6aHVhbmdsb25nPwAGaGFkb29wAB9oaXZlL2hpdmVzZXJ2ZXJATkl" +
+      "FLk5FVEVBU0UuQ09NigGYQL/PAIoBmGTMUwCMHv0cmI4bCBQOKo3I+WxPcz+nrXlGdbZ/" +
+      "nCPKyRVIREZTX0RFTEVHQVRJT05fVE9LRU4RaGEtaGRmczpodWFuZ2xvbmcSaGEtaGRmc" +
+      "zpnZGNjbHVzdGVyPwAGaGFkb29wAB9oaXZlL2hpdmVzZXJ2ZXJATklFLk5FVEVBU0UuQ0" +
+      "9NigGYQL/OvYoBmGTMUr2Ef72TD44URBSQajq5T6KZuMgk7cFuIHz7PAvGixVIREZTX0R" +
+      "FTEVHQVRJT05fVE9LRU4SaGEtaGRmczpnZGNjbHVzdGVyE2hhLWhkZnM6Z2RjY2x1c3Rl" +
+      "cjI/AAZoYWRvb3AAH2hpdmUvaGl2ZXNlcnZlckBOSUUuTkVURUFTRS5DT02KAZhAv88Qi" +
+      "gGYZMxTEIwSFo7AjgepFEwXJHRr7YVk7fxXxfRcbElkLI1QFUhERlNfREVMRUdBVElPTl" +
+      "9UT0tFThNoYS1oZGZzOmdkY2NsdXN0ZXIyAA=="
+    conf1.set(KYUUBI_ENGINE_CREDENTIALS_KEY, tokenStr)
+    conf1.set(ENGINE_EXTERNAL_ENABLED, true)
+    val builder1 = new SparkProcessBuilder("", true, conf1)
+    assert(builder1.env.contains(HADOOP_TOKEN_FILE_LOCATION))
+    assert(builder1.env.contains(ENV_KERBEROS_TGT) &&
+      builder1.env(ENV_KERBEROS_TGT).isEmpty)
+    assert(builder1.commands.forall(e => !e.contains(PROXY_USER)))
+  }
 }
 
 class FakeSparkProcessBuilder(config: KyuubiConf)
