mesos security configurable (apache#141)

* mesos security configurable

* principal secret order bug

* getoption

* [skip ci] update CHANGELOG.md

Author: jlopezmalla

CHANGELOG.md

@@ -8,6 +8,7 @@
 * Removed mesos security from History Server and unified environment variable VAULT_HOSTS
 * Secret folder path configurable
 * Changed log format according to Stratio standards
+* Mesos Role no longer obtain mesos pricipal and mesos secret from vault in Spark jobs
 
 ## 2.2.0.4 (January 11, 2018)
 

core/src/main/scala/org/apache/spark/security/ConfigSecurity.scala

@@ -138,6 +138,8 @@ object ConfigSecurity extends Logging {
           SSLConfig.prepareEnvironment(SSLConfig.sslTypeDataStore, options)
       case ("db", options) =>
         DBConfig.prepareEnvironment(options)
+      case ("mesos", options) =>
+        MesosConfig.prepareEnvironment(options)
       case _ => Map.empty[String, String]
     }
 }

core/src/main/scala/org/apache/spark/security/MesosConfig.scala

@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.security
+
+object MesosConfig {
+  def prepareEnvironment(options: Map[String, String]): Map[String, String] = {
+    options.filter(_._1.endsWith("MESOS_VAULT_PATH")).flatMap{case (_, path) =>
+      val (pass, user) = VaultHelper.getPassPrincipalFromVault(path)
+      Seq(("spark.mesos.principal", user), ("spark.mesos.secret", pass))
+    }
+  }
+}

core/src/main/scala/org/apache/spark/security/VaultHelper.scala

@@ -18,8 +18,6 @@ package org.apache.spark.security
 
 import org.apache.spark.internal.Logging
 
-import scala.util.Try
-
 object VaultHelper extends Logging {
 
 
@@ -78,11 +76,6 @@ object VaultHelper extends Logging {
     (keytab64, principal)
   }
 
-  // TODO refactor these two functions into one
-  def getMesosPrincipalAndSecret(instanceName: String): (String, String) = {
-    getPassPrincipalFromVault(s"/v1/userland/passwords/$instanceName/mesos")
-  }
-
   def getPassPrincipalFromVault(vaultPath: String): (String, String) = {
     val requestUrl = s"${ConfigSecurity.vaultURI.get}/$vaultPath"
     logDebug(s"Requesting user and pass: $requestUrl")

resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosSchedulerUtils.scala

@@ -79,16 +79,15 @@ trait MesosSchedulerUtils extends Logging {
     fwInfoBuilder.setHostname(Option(conf.getenv("SPARK_PUBLIC_DNS")).getOrElse(
       conf.get(DRIVER_HOST_ADDRESS)))
 
-    if(ConfigSecurity.vaultURI.isDefined && conf.getOption("spark.mesos.role").isDefined) {
+    if(ConfigSecurity.vaultURI.isDefined &&
+      conf.getOption("spark.mesos.principal").isDefined &&
+      conf.getOption("spark.mesos.secret").isDefined) {
 
-      val(mSecret, mPrincipal) =
-        VaultHelper.getMesosPrincipalAndSecret(conf.getOption("spark.mesos.role").get)
+      val(mPrincipal, mSecret) = (conf.get("spark.mesos.principal"), conf.get("spark.mesos.secret"))
 
-      conf.set("spark.mesos.principal", mPrincipal)
       fwInfoBuilder.setPrincipal(mPrincipal)
       credBuilder.setPrincipal(mPrincipal)
 
-      conf.set("spark.mesos.secret", mSecret)
       credBuilder.setSecret(mSecret)
 
     }