Move the new logic into specialized classes. Add cleanup for old credentials files.

Author: harishreedharan

core/src/main/scala/org/apache/spark/deploy/ExecutorDelegationTokenUpdater.scala

@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.deploy
+
+import java.util.concurrent.{Executors, TimeUnit}
+import java.util.{Comparator, Arrays}
+
+import com.google.common.primitives.Longs
+import org.apache.hadoop.conf.Configuration
+import org.apache.hadoop.fs.{PathFilter, FileStatus, Path, FileSystem}
+import org.apache.hadoop.security.{Credentials, UserGroupInformation}
+
+import org.apache.spark.util.Utils
+import org.apache.spark.{Logging, SparkConf}
+
+private[spark] class ExecutorDelegationTokenUpdater(
+    sparkConf: SparkConf,
+    hadoopConf: Configuration) extends Logging {
+
+  @volatile private var lastCredentialsFileSuffix = 0
+
+  private lazy val delegationTokenRenewer =
+    Executors.newSingleThreadScheduledExecutor(
+      Utils.namedThreadFactory("Delegation Token Refresh Thread"))
+
+  // On the executor, this thread wakes up and picks up new tokens from HDFS, if any.
+  private lazy val executorUpdaterRunnable =
+    new Runnable {
+      override def run(): Unit = Utils.logUncaughtExceptions(updateCredentialsIfRequired())
+    }
+
+  def updateCredentialsIfRequired(): Unit = {
+    try {
+      sparkConf.getOption("spark.yarn.credentials.file").foreach { credentialsFile =>
+        val credentials = UserGroupInformation.getCurrentUser.getCredentials
+        val credentialsFilePath = new Path(credentialsFile)
+        val remoteFs = FileSystem.get(hadoopConf)
+        SparkHadoopUtil.get.listFilesSorted(
+          remoteFs, credentialsFilePath.getParent, credentialsFilePath.getName, ".tmp")
+          .lastOption.foreach { credentialsStatus =>
+          val suffix = getSuffixForCredentialsPath(credentialsStatus)
+          if (suffix > lastCredentialsFileSuffix) {
+            logInfo("Reading new delegation tokens from " + credentialsStatus.getPath)
+            val newCredentials = getCredentialsFromHDFSFile(remoteFs, credentialsStatus.getPath)
+            lastCredentialsFileSuffix = suffix
+            UserGroupInformation.getCurrentUser.addCredentials(newCredentials)
+            val totalValidity = SparkHadoopUtil.get.getLatestTokenValidity(credentials) -
+              credentialsStatus.getModificationTime
+            val timeToRunRenewal =
+              credentialsStatus.getModificationTime + (0.8 * totalValidity).toLong
+            val timeFromNowToRenewal = timeToRunRenewal - System.currentTimeMillis()
+            logInfo("Updated delegation tokens, will check for new tokens in " +
+              timeFromNowToRenewal + " millis")
+            delegationTokenRenewer.schedule(
+              executorUpdaterRunnable, timeFromNowToRenewal, TimeUnit.MILLISECONDS)
+          } else {
+            // Check every hour to see if new credentials arrived.
+            logInfo("Updated delegation tokens were expected, but the driver has not updated the " +
+              "tokens yet, will check again in an hour.")
+            delegationTokenRenewer.schedule(executorUpdaterRunnable, 1, TimeUnit.HOURS)
+          }
+        }
+      }
+    } catch {
+      // Since the file may get deleted while we are reading it, catch the Exception and come
+      // back in an hour to try again
+      case e: Exception =>
+        logWarning("Error while trying to update credentials, will try again in 1 hour", e)
+        delegationTokenRenewer.schedule(executorUpdaterRunnable, 1, TimeUnit.HOURS)
+    }
+  }
+
+  private def getCredentialsFromHDFSFile(
+    remoteFs: FileSystem,
+    tokenPath: Path): Credentials = {
+    val stream = remoteFs.open(tokenPath)
+    try {
+      val newCredentials = new Credentials()
+      newCredentials.readFields(stream)
+      newCredentials
+    } finally {
+      stream.close()
+    }
+  }
+
+  def stop(): Unit = {
+    delegationTokenRenewer.shutdown()
+  }
+
+  private def getSuffixForCredentialsPath(credentialsStatus: FileStatus): Int = {
+    val fileName = credentialsStatus.getPath.getName
+    fileName.substring(fileName.lastIndexOf("-") + 1).toInt
+  }
+}

core/src/main/scala/org/apache/spark/deploy/SparkHadoopUtil.scala

@@ -17,20 +17,24 @@
 
 package org.apache.spark.deploy
 
+import java.io.{ByteArrayInputStream, DataInputStream}
 import java.lang.reflect.Method
 import java.security.PrivilegedExceptionAction
+import java.util.{Comparator, Arrays}
 
+import com.google.common.primitives.Longs
 import org.apache.hadoop.conf.Configuration
-import org.apache.hadoop.fs.{FileStatus, FileSystem, Path}
+import org.apache.hadoop.fs.{PathFilter, FileStatus, FileSystem, Path}
 import org.apache.hadoop.fs.FileSystem.Statistics
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier
 import org.apache.hadoop.mapred.JobConf
 import org.apache.hadoop.mapreduce.JobContext
 import org.apache.hadoop.security.Credentials
 import org.apache.hadoop.security.UserGroupInformation
 
 import org.apache.spark._
 import org.apache.spark.annotation.DeveloperApi
-import org.apache.spark.util.{SerializableBuffer, Utils}
+import org.apache.spark.util.Utils
 
 import scala.collection.JavaConversions._
 
@@ -40,7 +44,7 @@ import scala.collection.JavaConversions._
  */
 @DeveloperApi
 class SparkHadoopUtil extends Logging {
-  protected val sparkConf = new SparkConf() // YarnSparkHadoopUtil requires this
+  val sparkConf = new SparkConf()
   val conf: Configuration = newConfiguration(sparkConf)
   UserGroupInformation.setConfiguration(conf)
 
@@ -55,16 +59,13 @@ class SparkHadoopUtil extends Logging {
   def runAsSparkUser(func: () => Unit) {
     val user = Utils.getCurrentUserName()
     logDebug("running as user: " + user)
-    updateCredentialsIfRequired()
     val ugi = UserGroupInformation.createRemoteUser(user)
     transferCredentials(UserGroupInformation.getCurrentUser(), ugi)
     ugi.doAs(new PrivilegedExceptionAction[Unit] {
       def run: Unit = func()
     })
   }
 
-  def updateCredentialsIfRequired(): Unit = {}
-
   def transferCredentials(source: UserGroupInformation, dest: UserGroupInformation) {
     for (token <- source.getTokens()) {
       dest.addToken(token)
@@ -125,14 +126,6 @@ class SparkHadoopUtil extends Logging {
     UserGroupInformation.loginUserFromKeytab(principalName, keytabFilename)
   }
 
-  /**
-   * Schedule a login from the keytab and principal set using the --principal and --keytab
-   * arguments to spark-submit. This login happens only when the credentials of the current user
-   * are about to expire. This method reads SPARK_PRINCIPAL and SPARK_KEYTAB from the environment
-   * to do the login. This method is a no-op in non-YARN mode.
-   */
-  private[spark] def scheduleLoginFromKeytab(): Unit = {}
-
   /**
    * Returns a function that can be called to find Hadoop FileSystem bytes read. If
    * getFSBytesReadOnThreadCallback is called from thread r at time t, the returned callback will
@@ -213,6 +206,49 @@ class SparkHadoopUtil extends Logging {
     val baseStatus = fs.getFileStatus(basePath)
     if (baseStatus.isDir) recurse(basePath) else Array(baseStatus)
   }
+
+  /**
+   * Lists all the files in a directory with the specified prefix, and does not end with the
+   * given suffix.
+   * @param remoteFs
+   * @param prefix
+   * @return
+   */
+
+  def listFilesSorted(
+      remoteFs: FileSystem,
+      dir: Path,
+      prefix: String,
+      exclusionSuffix: String): Array[FileStatus] = {
+    val fileStatuses = remoteFs.listStatus(dir,
+      new PathFilter {
+        override def accept(path: Path): Boolean = {
+          val name = path.getName
+          name.startsWith(prefix) && !name.endsWith(exclusionSuffix)
+        }
+      })
+    Arrays.sort(fileStatuses, new Comparator[FileStatus] {
+      override def compare(o1: FileStatus, o2: FileStatus): Int = {
+        Longs.compare(o1.getModificationTime, o2.getModificationTime)
+      }
+    })
+    fileStatuses
+  }
+
+  /**
+   * Get the latest validity of the HDFS token in the Credentials object.
+   * @param credentials
+   * @return
+   */
+  def getLatestTokenValidity(credentials: Credentials): Long = {
+    credentials.getAllTokens.filter(_.getKind == DelegationTokenIdentifier.HDFS_DELEGATION_KIND)
+      .map { t =>
+      val identifier = new DelegationTokenIdentifier()
+      identifier.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier)))
+      identifier.getMaxDate
+    }.foldLeft(0L)(math.max)
+  }
+
 }
 
 object SparkHadoopUtil {

core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala

@@ -29,7 +29,7 @@ import akka.remote.{RemotingLifecycleEvent, DisassociatedEvent}
 
 import org.apache.spark.{Logging, SecurityManager, SparkConf, SparkEnv}
 import org.apache.spark.TaskState.TaskState
-import org.apache.spark.deploy.SparkHadoopUtil
+import org.apache.spark.deploy.{ExecutorDelegationTokenUpdater, SparkHadoopUtil}
 import org.apache.spark.deploy.worker.WorkerWatcher
 import org.apache.spark.scheduler.TaskDescription
 import org.apache.spark.scheduler.cluster.CoarseGrainedClusterMessages._
@@ -155,6 +155,9 @@ private[spark] object CoarseGrainedExecutorBackend extends Logging {
           driverConf.set(key, value)
         }
       }
+      // Periodically update the credentials for this user to ensure HDFS tokens get updated.
+      val tokenUpdater = new ExecutorDelegationTokenUpdater(driverConf, SparkHadoopUtil.get.conf)
+      tokenUpdater.updateCredentialsIfRequired()
       val env = SparkEnv.createExecutorEnv(
         driverConf, executorId, hostname, port, cores, isLocal = false)
 
@@ -172,6 +175,7 @@ private[spark] object CoarseGrainedExecutorBackend extends Logging {
         env.actorSystem.actorOf(Props(classOf[WorkerWatcher], url), name = "WorkerWatcher")
       }
       env.actorSystem.awaitTermination()
+      tokenUpdater.stop()
     }
   }
 

core/src/main/scala/org/apache/spark/scheduler/cluster/CoarseGrainedSchedulerBackend.scala

@@ -241,9 +241,6 @@ class CoarseGrainedSchedulerBackend(scheduler: TaskSchedulerImpl, val actorSyste
     driverActor = actorSystem.actorOf(
       Props(new DriverActor(properties)), name = CoarseGrainedSchedulerBackend.ACTOR_NAME)
 
-    // If a principal and keytab have been set, use that to create new credentials for executors
-    // periodically
-    SparkHadoopUtil.get.scheduleLoginFromKeytab()
   }
 
   def stopExecutors() {