[SPARK-35747][CORE] Avoid printing full Exception stack trace, if Hbase/Kafka/Hive services are not running in a secure cluster

### What changes were proposed in this pull request? In a secure Yarn cluster, even though HBase or Kafka, or Hive services are not used in the user application, yarn client unnecessarily trying to generate Delegations token from these services. This will add additional delays while submitting spark application in a yarn cluster Also during HBase delegation token generation step in the application submit stage, HBaseDelegationTokenProvider prints a full Exception Stack trace and it causes a noisy warning. Apart from printing exception stack trace, Application submission taking more time as it retries connection to HBase master multiple times before it gives up. So, if HBase is not used in the user Applications, it is better to suggest User disable HBase Delegation Token generation. This PR aims to avoid printing full Exception Stack by just printing just Exception name and also add a suggestion message to disable `Delegation Token generation` if service is not used in the Spark Application. eg: `If HBase is not used, set spark.security.credentials.hbase.enabled to false` ### Why are the changes needed? To avoid printing full Exception stack trace in WARN log #### Before the fix ---------------- ``` spark-shell --master yarn ....... ....... 21/06/12 14:29:41 WARN security.HBaseDelegationTokenProvider: Failed to get token from service hbase java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.spark.deploy.security.HBaseDelegationTokenProvider.obtainDelegationTokensWithHBaseConn(HBaseDelegationT okenProvider.scala:93) at org.apache.spark.deploy.security.HBaseDelegationTokenProvider.obtainDelegationTokens(HBaseDelegationTokenProvider. scala:60) at org.apache.spark.deploy.security.HadoopDelegationTokenManager$$anonfun$6.apply(HadoopDelegationTokenManager.scala: 166) at org.apache.spark.deploy.security.HadoopDelegationTokenManager$$anonfun$6.apply(HadoopDelegationTokenManager.scala: 164) at scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:241) at scala.collection.TraversableLike$$anonfun$flatMap$1.apply(TraversableLike.scala:241) at scala.collection.Iterator$class.foreach(Iterator.scala:891) at scala.collection.AbstractIterator.foreach(Iterator.scala:1334) at scala.collection.MapLike$DefaultValuesIterable.foreach(MapLike.scala:206) at scala.collection.TraversableLike$class.flatMap(TraversableLike.scala:241) at scala.collection.AbstractTraversable.flatMap(Traversable.scala:104) at org.apache.spark.deploy.security.HadoopDelegationTokenManager.obtainDelegationTokens(HadoopDelegationTokenManager. scala:164) ``` #### After the fix ------------ ``` spark-shell --master yarn Setting default log level to "WARN". To adjust logging level use sc.setLogLevel(newLevel). For SparkR, use setLogLevel(newLevel). 21/06/13 02:10:02 WARN security.HBaseDelegationTokenProvider: Failed to get token from service hbase due to java.lang.reflect.InvocationTargetException Retrying to fetch HBase security token with hbase connection parameter. 21/06/13 02:10:40 WARN security.HBaseDelegationTokenProvider: Failed to get token from service hbase java.lang.reflect.InvocationTargetException. If HBase is not used, set spark.security.credentials.hbase.enabled to false 21/06/13 02:10:47 WARN cluster.YarnSchedulerBackend$YarnSchedulerEndpoint: Attempted to request executors before the AM has registered! ``` ### Does this PR introduce _any_ user-facing change? Yes, in the log, it avoids printing full Exception stack trace. Instread prints this. **WARN security.HBaseDelegationTokenProvider: Failed to get token from service hbase java.lang.reflect.InvocationTargetException. If HBase is not used, set spark.security.credentials.hbase.enabled to false** ### How was this patch tested? Tested manually as it can be verified only in a secure cluster Closes #32894 from vinodkc/br_fix_Hbase_DT_Exception_stack_printing. Authored-by: Vinod KC <vinod.kc.in@gmail.com> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
2021-06-23 23:12:02 -07:00 · 2021-06-23 23:12:02 -07:00 · 4dabba8f76
parent 490ae8f4d6
commit 4dabba8f76
4 changed files with 14 additions and 6 deletions
--- a/core/src/main/scala/org/apache/spark/deploy/security/HBaseDelegationTokenProvider.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/security/HBaseDelegationTokenProvider.scala
@ -53,8 +53,8 @@ private[security] class HBaseDelegationTokenProvider
      creds.addToken(token.getService, token)
    } catch {
      case NonFatal(e) =>
-        logWarning(s"Failed to get token from service $serviceName due to  " + e +
-          s" Retrying to fetch HBase security token with hbase connection parameter.")
+        logWarning(Utils.createFailedToGetTokenMessage(serviceName, e) +
+          s" Retrying to fetch HBase security token with $serviceName connection parameter.")
        // Seems to be spark is trying to get the token from HBase 2.x.x  version or above where the
        // obtainToken(Configuration conf) API has been removed. Lets try obtaining the token from
        // another compatible API of HBase service.
@ -97,7 +97,7 @@ private[security] class HBaseDelegationTokenProvider
      creds.addToken(token.getService, token)
    } catch {
      case NonFatal(e) =>
-        logWarning(s"Failed to get token from service $serviceName", e)
+        logWarning(Utils.createFailedToGetTokenMessage(serviceName, e))
    } finally {
      if (null != hbaseConnection) {
        hbaseConnection.close()
--- a/core/src/main/scala/org/apache/spark/util/Utils.scala
+++ b/core/src/main/scala/org/apache/spark/util/Utils.scala
@ -3114,6 +3114,13 @@ private[spark] object Utils extends Logging {
    conf.get(config.STORAGE_BLOCKMANAGER_HEARTBEAT_TIMEOUT)
      .getOrElse(Utils.timeStringAsMs(s"${conf.get(Network.NETWORK_TIMEOUT)}s"))
  }
+
+  /** Returns a string message about delegation token generation failure */
+  def createFailedToGetTokenMessage(serviceName: String, e: scala.Throwable): String = {
+    val message = "Failed to get token from service %s due to %s. " +
+      "If %s is not used, set spark.security.credentials.%s.enabled to false."
+    message.format(serviceName, e, serviceName, serviceName)
+  }
 }

 private[util] object CallerContext extends Logging {
--- a/external/kafka-0-10-token-provider/src/main/scala/org/apache/spark/kafka010/KafkaDelegationTokenProvider.scala
+++ b/external/kafka-0-10-token-provider/src/main/scala/org/apache/spark/kafka010/KafkaDelegationTokenProvider.scala
@ -54,8 +54,9 @@ private[spark] class KafkaDelegationTokenProvider
          }
        } catch {
          case NonFatal(e) =>
-            logWarning(s"Failed to get token from service: $serviceName " +
-              s"cluster: ${clusterConf.identifier}", e)
+            logWarning(s"Failed to get token from service: $serviceName due to $e on " +
+              s"cluster: ${clusterConf.identifier}. If $serviceName is not used, " +
+              s"set spark.security.credentials.$serviceName.enabled to false")
        }
      }
    } catch {
--- a/sql/hive/src/main/scala/org/apache/spark/sql/hive/security/HiveDelegationTokenProvider.scala
+++ b/sql/hive/src/main/scala/org/apache/spark/sql/hive/security/HiveDelegationTokenProvider.scala
@ -111,7 +111,7 @@ private[spark] class HiveDelegationTokenProvider
      None
    } catch {
      case NonFatal(e) =>
-        logWarning(s"Failed to get token from service $serviceName", e)
+        logWarning(Utils.createFailedToGetTokenMessage(serviceName, e))
        None
      case e: NoClassDefFoundError =>
        logWarning(classNotFoundErrorStr)