[SPARK-25501][SS] Add kafka delegation token support.

Author: gaborgsomogyi

core/src/main/scala/org/apache/spark/deploy/security/HadoopDelegationTokenManager.scala

@@ -66,7 +66,8 @@ private[spark] class HadoopDelegationTokenManager(
   private def getDelegationTokenProviders: Map[String, HadoopDelegationTokenProvider] = {
     val providers = Seq(new HadoopFSDelegationTokenProvider(fileSystems)) ++
       safeCreateProvider(new HiveDelegationTokenProvider) ++
-      safeCreateProvider(new HBaseDelegationTokenProvider)
+      safeCreateProvider(new HBaseDelegationTokenProvider) ++
+      safeCreateProvider(new KafkaDelegationTokenProvider)
 
     // Filter out providers for which spark.security.credentials.{service}.enabled is false.
     providers

core/src/main/scala/org/apache/spark/deploy/security/KafkaDelegationTokenProvider.scala

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.deploy.security
+
+import scala.reflect.runtime.universe
+import scala.util.control.NonFatal
+
+import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.security.Credentials
+import org.apache.hadoop.security.token.{Token, TokenIdentifier}
+
+import org.apache.spark.SparkConf
+import org.apache.spark.internal.Logging
+import org.apache.spark.internal.config.{KAFKA_DELEGATION_TOKEN_ENABLED, KAFKA_SECURITY_PROTOCOL}
+import org.apache.spark.util.Utils
+
+private[security] class KafkaDelegationTokenProvider
+  extends HadoopDelegationTokenProvider with Logging {
+
+  override def serviceName: String = "kafka"
+
+  override def obtainDelegationTokens(
+      hadoopConf: Configuration,
+      sparkConf: SparkConf,
+      creds: Credentials): Option[Long] = {
+    try {
+      val mirror = universe.runtimeMirror(Utils.getContextOrSparkClassLoader)
+      val obtainToken = mirror.classLoader.
+        loadClass("org.apache.spark.sql.kafka010.TokenUtil").
+        getMethod("obtainToken", classOf[SparkConf])
+
+      logDebug("Attempting to fetch Kafka security token.")
+      val token = obtainToken.invoke(null, sparkConf)
+        .asInstanceOf[Token[_ <: TokenIdentifier]]
+      logInfo(s"Get token from Kafka: ${token.toString}")
+      creds.addToken(token.getService, token)
+    } catch {
+      case NonFatal(e) =>
+        logDebug(s"Failed to get token from service $serviceName", e)
+    }
+
+    None
+  }
+
+  override def delegationTokensRequired(
+      sparkConf: SparkConf,
+      hadoopConf: Configuration): Boolean = {
+    sparkConf.get(KAFKA_DELEGATION_TOKEN_ENABLED) &&
+      sparkConf.get(KAFKA_SECURITY_PROTOCOL).startsWith("SASL")
+  }
+}

core/src/main/scala/org/apache/spark/internal/config/package.scala

@@ -647,4 +647,42 @@ package object config {
       .stringConf
       .toSequence
       .createWithDefault(Nil)
+
+  private[spark] val KAFKA_DELEGATION_TOKEN_ENABLED =
+    ConfigBuilder("spark.kafka.delegation.token.enabled")
+      .doc("Set to 'true' for obtaining delegation token from kafka.")
+      .booleanConf
+      .createWithDefault(false)
+
+  private[spark] val KAFKA_BOOTSTRAP_SERVERS =
+    ConfigBuilder("spark.kafka.bootstrap.servers")
+      .doc("A list of coma separated host/port pairs to use for establishing the initial " +
+        "connection to the Kafka cluster. For further details please see kafka documentation.")
+      .stringConf.createOptional
+
+  private[spark] val KAFKA_SECURITY_PROTOCOL =
+    ConfigBuilder("spark.kafka.security.protocol")
+      .doc("Protocol used to communicate with brokers. For further details please see kafka " +
+        "documentation.")
+      .stringConf.createWithDefault("SASL_SSL")
+
+  private[spark] val KAFKA_KERBEROS_SERVICE_NAME =
+    ConfigBuilder("spark.kafka.sasl.kerberos.service.name")
+      .doc("The Kerberos principal name that Kafka runs as. This can be defined either in " +
+        "Kafka's JAAS config or in Kafka's config. For further details please see kafka " +
+        "documentation.")
+      .stringConf.createOptional
+
+  private[spark] val KAFKA_TRUSTSTORE_LOCATION =
+    ConfigBuilder("spark.kafka.ssl.truststore.location")
+      .doc("The location of the trust store file. For further details please see kafka " +
+        "documentation.")
+      .stringConf.createOptional
+
+  private[spark] val KAFKA_TRUSTSTORE_PASSWORD =
+    ConfigBuilder("spark.kafka.ssl.truststore.password")
+      .doc("The store password for the key store file. This is optional for client and only " +
+        "needed if ssl.keystore.location is configured. For further details please see kafka " +
+        "documentation.")
+      .stringConf.createOptional
 }

core/src/test/scala/org/apache/spark/deploy/security/HadoopDelegationTokenManagerSuite.scala

@@ -24,6 +24,7 @@ import org.apache.hadoop.security.Credentials
 import org.scalatest.Matchers
 
 import org.apache.spark.{SparkConf, SparkFunSuite}
+import org.apache.spark.internal.config._
 
 class HadoopDelegationTokenManagerSuite extends SparkFunSuite with Matchers {
   private var delegationTokenManager: HadoopDelegationTokenManager = null
@@ -46,6 +47,7 @@ class HadoopDelegationTokenManagerSuite extends SparkFunSuite with Matchers {
     delegationTokenManager.getServiceDelegationTokenProvider("hadoopfs") should not be (None)
     delegationTokenManager.getServiceDelegationTokenProvider("hbase") should not be (None)
     delegationTokenManager.getServiceDelegationTokenProvider("hive") should not be (None)
+    delegationTokenManager.getServiceDelegationTokenProvider("kafka") should not be (None)
     delegationTokenManager.getServiceDelegationTokenProvider("bogus") should be (None)
   }
 
@@ -81,7 +83,7 @@ class HadoopDelegationTokenManagerSuite extends SparkFunSuite with Matchers {
       hadoopFSsToAccess)
     val creds = new Credentials()
 
-    // Tokens cannot be obtained from HDFS, Hive, HBase in unit tests.
+    // Tokens cannot be obtained from HDFS, Hive, HBase, Kafka in unit tests.
     delegationTokenManager.obtainDelegationTokens(hadoopConf, creds)
     val tokens = creds.getAllTokens
     tokens.size() should be (0)
@@ -111,6 +113,17 @@ class HadoopDelegationTokenManagerSuite extends SparkFunSuite with Matchers {
     creds.getAllTokens.size should be (0)
   }
 
+  test("Obtain tokens For Kafka") {
+    val hadoopConf = new Configuration()
+    sparkConf.set(KAFKA_DELEGATION_TOKEN_ENABLED, true)
+
+    val kafkaTokenProvider = new KafkaDelegationTokenProvider()
+    val creds = new Credentials()
+    kafkaTokenProvider.obtainDelegationTokens(hadoopConf, sparkConf, creds)
+
+    creds.getAllTokens.size should be (0)
+  }
+
   test("SPARK-23209: obtain tokens when Hive classes are not available") {
     // This test needs a custom class loader to hide Hive classes which are in the classpath.
     // Because the manager code loads the Hive provider directly instead of using reflection, we

external/kafka-0-10-sql/src/main/scala/org/apache/spark/sql/kafka010/KafkaSecurityHelper.scala

@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.sql.kafka010
+
+import org.apache.hadoop.security.UserGroupInformation
+import org.apache.hadoop.security.token.{Token, TokenIdentifier}
+
+import org.apache.spark.SparkConf
+import org.apache.spark.internal.Logging
+import org.apache.spark.internal.config._
+
+private[kafka010] object KafkaSecurityHelper extends Logging {
+  def getKeytabJaasParams(sparkConf: SparkConf): Option[String] = {
+    if (sparkConf.get(KEYTAB).nonEmpty) {
+      Some(getKrbJaasParams(sparkConf))
+    } else {
+      None
+    }
+  }
+
+  def getKrbJaasParams(sparkConf: SparkConf): String = {
+    val serviceName = sparkConf.get(KAFKA_KERBEROS_SERVICE_NAME)
+    require(serviceName.nonEmpty, "Kerberos service name must be defined")
+    val keytab = sparkConf.get(KEYTAB)
+    require(keytab.nonEmpty, "Keytab must be defined")
+    val principal = sparkConf.get(PRINCIPAL)
+    require(principal.nonEmpty, "Principal must be defined")
+
+    val params =
+      s"""
+      |com.sun.security.auth.module.Krb5LoginModule required
+      | useKeyTab=true
+      | serviceName="${serviceName.get}"
+      | keyTab="${keytab.get}"
+      | principal="${principal.get}";
+      """.stripMargin.replace("\n", "")
+    logInfo(s"Krb JAAS params: $params")
+
+    params
+  }
+
+  def getTokenJaasParams(sparkConf: SparkConf): Option[String] = {
+    val token = UserGroupInformation.getCurrentUser().getCredentials.getToken(
+      TokenUtil.TOKEN_SERVICE)
+    if (token != null) {
+      Some(getScramJaasParams(sparkConf, token))
+    } else {
+      None
+    }
+  }
+
+  private def getScramJaasParams(
+      sparkConf: SparkConf, token: Token[_ <: TokenIdentifier]): String = {
+    val serviceName = sparkConf.get(KAFKA_KERBEROS_SERVICE_NAME)
+    require(serviceName.nonEmpty, "Kerberos service name must be defined")
+    val username = new String(token.getIdentifier)
+    val password = new String(token.getPassword)
+
+    val params =
+      s"""
+      |org.apache.kafka.common.security.scram.ScramLoginModule required
+      | tokenauth=true
+      | serviceName="${serviceName.get}"
+      | username="$username"
+      | password="$password";
+      """.stripMargin.replace("\n", "")
+    logInfo(s"Scram JAAS params: ${params.replaceAll("password=\".*\"", "password=\"[hidden]\"")}")
+
+    params
+  }
+}