[SPARK-29957][TEST] Reset MiniKDC's default enctypes to fit jdk8/jdk11

[AngersZhuuuu]

What changes were proposed in this pull request?

Hadoop jira: https://issues.apache.org/jira/browse/HADOOP-12911
In this jira, the author said to replace origin Apache Directory project which is not maintained (but not said it won't work well in jdk11) to Apache Kerby which is java binding(fit java version).

And in Flink: apache/flink#9622
Author show the reason why hadoop-2.7.2's MminiKdc failed with jdk11.
Because new encryption types of es128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 (for Kerberos 5) enabled by default were added in Java 11.
Spark with hadoop-2.7's MiniKdcdoes not support these encryption types and does not work well when these encryption types are enabled, which results in the authentication failure.

And when I test hadoop-2.7.2's minikdc in local, the kerberos 's debug error message is read message stream failed, message can't match.

Why are the changes needed?

Support jdk11 with hadoop-2.7

Does this PR introduce any user-facing change?

NO

How was this patch tested?

Existed UT

[AngersZhuuuu]

cc @wangyum @dongjoon-hyun
This way can fix error happened in #26533 (comment)

[wangyum]

Thank you @AngersZhuuuu

[wangyum]

ok to test

[SparkQA]

Test build #114072 has finished for PR 26594 at commit e9ef3ba.

• This patch fails due to an unknown error code, -9.
• This patch merges cleanly.
• This patch adds no public classes.

[wangyum]

retest this please

[SparkQA]

Test build #114083 has finished for PR 26594 at commit e9ef3ba.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[AngersZhuuuu]

strange..I can run these failed UT in local with jdk8/jdk11 success. But failed in Jenkines...

[dongjoon-hyun]

Retest this please.

[AngersZhuuuu]

Retest this please.

For this. I can pass failed UT by run it alone, but will failed when run all UT together.
Seems unit tests affect each other in terms of environment variables. I am checking on this.

[dongjoon-hyun]

@AngersZhuuuu . I also tested your PR locally.
That's the reason I re-trigger this. If this fails on my local environment, I didn't trigger an useless run. 😄

BTW, the first failure was KafkaDelegationTokenSuite at last Jenkins run.

[dongjoon-hyun]

BTW, if you can find a corresponding Apache Hadoop JIRA issue, that will be more persuasive
for this PR.

[dongjoon-hyun]

BTW, miniKdc -> minikdc. As you see, Spark-introduced properties are not camelcase like codahale and htmlunit. If needed, we may use -, but I prefer minikdc here in this case.

[AngersZhuuuu]

BTW, miniKdc -> minikdc. As you see, Spark-introduced properties are are camelcase like codahale and htmlunit. If needed, we may use -, but I prefer minikdc here in this case.

Thank you for your careful explanation. Updated.

[AngersZhuuuu]

BTW, if you can find a corresponding Apache Hadoop JIRA issue, that will be more persuasive
for this PR.

Hadoop jira: https://issues.apache.org/jira/browse/HADOOP-12911
In this jira, the author said to replace origin Apache Directory project which is not maintained (but not said it won't work well in jdk11) to Apache kerby which is java binding(fit all java version).

And in Flink: apache/flink#9622
Author show the reason why hadoop-2.7.2's MminiKdcfailed with jdk11. Because new encryption types ofes128-cts-hmac-sha256-128andaes256-cts-hmac-sha384-192` (for Kerberos 5) enabled by default were added in Java 11.

And when I test hadoop-2.7.2's minikdc in local, the kerberos 's debug error message is read message stream failed, message can't match.

[dongjoon-hyun]

Please summarize them into the PR description~

[AngersZhuuuu]

Please summarize them into the PR description~

Done

[dongjoon-hyun]

Hmm. It seems that KafkaDelegationTokenSuite fails again in Jenkins.

[info] org.apache.spark.sql.kafka010.KafkaDelegationTokenSuite *** ABORTED *** (189 milliseconds)
[info]   java.io.IOException: Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: kerberos.example.com: Name or service not known

I tested this only at Mac with AdoptOpenJDK8 and 11. How about your environment? I'm wondering if we need to validate this in the linux or not because of the following error message.

javax.security.auth.login.LoginException:
kerberos.example.com: Name or service not known

[SparkQA]

Test build #114327 has finished for PR 26594 at commit e9ef3ba.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[AngersZhuuuu]

I tested this only at Mac with AdoptOpenJDK8 and 11. How about your environment? I'm wondering if we need to validate this in the linux or not because of the following error message.

I test this in Mac with Oracle Jdk8 and jdk11. I can pass this UT when run it alone.
I can test this in Debian.

My guess is that there were other tests that affected the environment variables

[dongjoon-hyun]

Ya. Let me know if you find the root cause. Thanks.

[SparkQA]

Test build #114329 has finished for PR 26594 at commit 3ec2891.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #114339 has finished for PR 26594 at commit 2e282f2.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #114340 has finished for PR 26594 at commit a224fad.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #114658 has finished for PR 26594 at commit 476d60e.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[wangyum]

retest this please

[SparkQA]

Test build #114677 has finished for PR 26594 at commit 476d60e.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[gaborgsomogyi]

I think the test comment is not yet resolved: https://github.com/apache/spark/pull/26594/files#r350680194

[AngersZhuuuu]

@gaborgsomogyi @wangyum How about current way ?
If don't have a libdefaults section , we add one at krb5.conf's header

[SparkQA]

Test build #114848 has finished for PR 26594 at commit b782e99.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #114850 has finished for PR 26594 at commit 10a0006.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #114851 has finished for PR 26594 at commit 03f7fb1.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[gaborgsomogyi]

The approach looks good, there are still no tests...

[AngersZhuuuu]

The approach looks good, there are still no tests...

Here is in UT ..., I really don't know how to add UT for this, so handle it in if condition when there are no libdefaults in krb5.conf

[SparkQA]

Test build #114884 has finished for PR 26594 at commit e252dd0.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[dongjoon-hyun]

Shall we use Files.write(content, file, StandardCharsets.UTF_8) instead of println?

[dongjoon-hyun]

-    val writer = new PrintWriter(kdc.getKrb5conf)
-    // scalastyle:off println
-    writer.println(krb5confStr)
-    // scalastyle:on println
-    writer.close()
+    Files.write(krb5confStr, kdc.getKrb5conf, StandardCharsets.UTF_8)

[AngersZhuuuu]

Shall we use Files.write(content, file, StandardCharsets.UTF_8) instead of println?

Done thanks.

[SparkQA]

Test build #114926 has finished for PR 26594 at commit 223533f.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[dongjoon-hyun]

+1, LGTM. Merged to master. Thank you, @AngersZhuuuu and all.

[gatorsmile]

Thanks, everyone! This is a great fix!