def install(self) -> Dict[str, Any]:
    """Install the KDC Marathon app and return its task.

    If a KDC app with this id already exists it is reused when
    ``self._persist`` is set; otherwise it is destroyed and installed
    again. Before installing, the KDC service account is (re-)created
    and granted "create" and "update" on ``dcos:secrets:default:%252F*``
    (``%252F`` is a double URL-encoded ``/``), i.e. on every secret under
    the root path, not only the ones the KDC itself writes.

    Returns:
        The value of ``_get_kdc_task`` for the app id.
    """
    app_id = self.app_definition["id"]

    if sdk_marathon.app_exists(app_id):
        if self._persist:
            log.info("Found installed KDC app, reusing it")
            return _get_kdc_task(app_id)
        log.info("Found installed KDC app, destroying it first")
        sdk_marathon.destroy_app(app_id)

    # (re-)create a service account for the KDC service
    sdk_security.create_service_account(
        service_account_name=KDC_SERVICE_ACCOUNT,
        service_account_secret=KDC_SERVICE_ACCOUNT_SECRET,
    )

    # Positional _grant arguments: principal, resource, description, action.
    # "create" is granted first, then "update", on the same wildcard resource.
    secrets_resource = "dcos:secrets:default:%252F*"
    for action, description in (
        ("create", "Create any secret in the root path"),
        ("update", "Update any secret in the root path"),
    ):
        sdk_security._grant(KDC_SERVICE_ACCOUNT, secrets_resource, description, action)

    log.info("Installing KDC Marathon app")
    sdk_marathon.install_app(self.app_definition)
    log.info("KDC app installed successfully")

    log.info("Waiting for KDC web API endpoint to become available")
    self.__wait_for_kdc_api()
    log.info("KDC web API is now available")
    return _get_kdc_task(self.app_definition["id"])
def grant_launch_task_permission(service_name, service_account_name=SPARK_SERVICE_ACCOUNT):
    """Allow *service_account_name* to create Mesos tasks under *service_name*.

    The service name is turned into an ACL app id by ``_escape_service_name``
    and a single "create" grant is made on
    ``dcos:mesos:master:task:app_id:<app_id>``.

    Args:
        service_name: Name of the Spark service the drivers run under.
        service_account_name: Principal receiving the grant; defaults to
            ``SPARK_SERVICE_ACCOUNT``.
    """
    log.info(f"Granting launch task permission to service account: {service_account_name}, service: {service_name}")
    escaped_app_id = _escape_service_name(service_name)
    task_resource = f"dcos:mesos:master:task:app_id:{escaped_app_id}"
    sdk_security._grant(
        service_account_name,
        task_resource,
        description="Spark drivers may execute Mesos tasks",
        action="create",
    )
def grant_driver_permission(service_account_name, service_name):
    """Grant *service_account_name* "create" on the Mesos task app id of *service_name*.

    The service name is normalised to a single leading ``/`` and then
    URL-quoted twice with no safe characters (``/`` becomes ``%252F``),
    matching the double-encoded form used for the other ACL resource ids
    in this module.

    Args:
        service_account_name: Principal receiving the grant.
        service_name: Spark service name, with or without a leading ``/``.
    """
    normalised_app_id = "/" + service_name.lstrip("/")

    # Double-encode: quote once, then quote the percent signs again.
    encoded_app_id = normalised_app_id
    for _ in range(2):
        encoded_app_id = urllib.parse.quote(encoded_app_id, safe='')

    sdk_security._grant(
        service_account_name,
        "dcos:mesos:master:task:app_id:{}".format(encoded_app_id),
        description="Spark drivers may execute Mesos tasks",
        action="create",
    )
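def setup_spark_security(service_name: str, drivers_role: str, executors_role: str, service_account_info: typing.Dict):
    """
    In strict mode, additional permissions are required for Spark.
    Add the permissions for the specified service account.

    Outside strict mode this is a no-op. Otherwise the service account
    named in ``service_account_info["name"]`` is granted the role-based
    permissions for the drivers and executors roles, plus "create" on the
    Mesos task app id of *service_name* (via ``grant_driver_permission``,
    which strips any leading ``/`` before double-encoding, so a
    service name given as ``/foo`` no longer produces a ``//foo`` app id
    as the previous inline copy did). When the account's ``linux_user``
    is ``root``, the ``dcos_marathon`` principal is additionally granted
    ``dcos:mesos:master:task:user:root``; that resource string carries no
    service or app id, so the grant is not scoped to this service.

    Args:
        service_name: Spark service name.
        drivers_role: Mesos role the drivers run under.
        executors_role: Mesos role the executors run under.
        service_account_info: Mapping with at least ``"name"``; optional
            ``"linux_user"`` defaults to ``"nobody"``.
    """
    if not sdk_utils.is_strict_mode():
        return

    log.info("Adding spark specific permissions")
    linux_user = service_account_info.get("linux_user", "nobody")
    service_account = service_account_info["name"]

    for role_name in (drivers_role, executors_role):
        sdk_security.grant_permissions(
            linux_user=linux_user,
            role_name=role_name,
            service_account_name=service_account,
        )

    # TODO: Is this required?
    # Same grant as grant_driver_permission; reuse it instead of an inline
    # copy so both paths encode the app id the same way.
    grant_driver_permission(service_account, service_name)

    if linux_user == "root":
        log.info("Marathon must be able to launch tasks as root")
        sdk_security._grant(
            "dcos_marathon",
            "dcos:mesos:master:task:user:root",
            description="Root Marathon may launch tasks as root",
            action="create",
        )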