[SPARK-49300][CORE] Fix Hadoop delegation token leak when tokenRenewalInterval is not set. #47800
Conversation
…Interval is not set.
| val interval = newExpiration - getIssueDate(tokenKind, identifier) | ||
| logInfo(log"Renewal interval is ${MDC(TOTAL_TIME, interval)} for" + | ||
| log" token ${MDC(TOKEN_KIND, tokenKind)}") | ||
| token.cancel(hadoopConf) |
There was a problem hiding this comment.
have you tested it? it requires some time to propagate the new token from driver to executors, I think such a change may cause auth failures on the executor side
There was a problem hiding this comment.
Thanks for your review! These tokens have not actually been used. The tokens that are truly distributed to each executor are obtained at Line57:
|
Not sure why there is one method named |
@Hexiaoqiao I believe it gets explained in L135-L137
Well, for non-YARN mode, e.g.(K8s mode), we do have a chance to save one fetchDelegationTokens call. |
|
Well, Got it. If that I think @zhangshuyan0 's PR should be one direct solution. Thanks again. |
|
Looks reasonable. |
|
Hi All, any progress here? Thanks. |
| val interval = newExpiration - getIssueDate(tokenKind, identifier) | ||
| logInfo(log"Renewal interval is ${MDC(TOTAL_TIME, interval)} for" + | ||
| log" token ${MDC(TOKEN_KIND, tokenKind)}") | ||
| token.cancel(hadoopConf) |
There was a problem hiding this comment.
nit: could you add some comments here just to make it easier to understand in future?
There was a problem hiding this comment.
Thanks for your suggestion! I have added it.
|
+CC @attilapiros, @tgravescs |
sunchao
changed the title
|
Thanks! Merged to master |
|
@zhangshuyan0 do you think we should backport this to branch-3.5 too? if so, feel free to create another PR for the backport. (I tried to just cherry-pick this commit but there are some conflicts) |
I think so. I'll create another PR for it. |
|
@sunchao, if there are additionally folks tagged for review, it would be good to give them a chance to get to the PR - given Apache Spark has a distributed community. |
|
@mridulm I'm sorry. I didn't know you tagged them for review. Feel free to leave any comments on the PR. We can always address them in follow-ups. |
6 participants
When
tokenRenewalIntervalis not set, HadoopFSDelegationTokenProvider#getTokenRenewalInterval will fetch some tokens and renew them to get a interval value.spark/core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
Lines 60 to 64 in dd259b0
These tokens do not call cancel(), resulting in a large number of existing tokens on HDFS not being cleared in a timely manner, causing additional pressure on the HDFS server.