Major Description
Spark uses Kafka as source and sink in secure cluster. The test creates a JAAS file like this:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
debug=true
useKeyTab=true
storeKey=true
keyTab="/xxx/keytabs/systest.keytab"
useTicketCache=false
serviceName="kafka"
principal="systest@GCE.EXAMPLE.COM";
};
As one can see serviceName is set properly.
Then the test pass the JAAS file to Spark's driver + executor as well:
"--conf \"spark.driver.extraJavaOptions=-Djava.security.auth.login.config=./kafka_source_jaas.conf..." "--conf \"spark.executor.extraJavaOptions=-Djava.security.auth.login.config=./kafka_source_jaas.conf..."
Later on SAC + atlas makes some magic in the background with the Jvm JAAS configuration. As a result Spark is not able to create consumer for processing data:
Caused by: java.lang.IllegalArgumentException: No serviceName defined in either JAAS or Kafka config
When I've turned off SAC then all the problem gone away.
Atlas replaces the JVM global JAAS configuration with InMemoryJAASConfiguration once Atlas configuration is initialized. InMemoryJAASConfiguration has an old JAAS config as "parent" but Atlas config takes precedence which is unexpected.
We never want to let Atlas to overwrite existing JAAS configuration if there's a conflict. (I believe most endpoints using Atlas client as a library would agree with this.) This may be achieved via swapping precedence for "parent" vs "Atlas config" in InMemoryJAASConfiguration, but I have no idea the change would be safe to Atlas side. In any way, Atlas should at least provide a config to let "parent" take precedence for the conflict.
Attachments
Issue Links
- links to
