From 95706947753ba575e5c924028a870895ba95a811 Mon Sep 17 00:00:00 2001
From: s4mukka <meninosam197@gmail.com>
Date: Thu, 14 Sep 2023 12:10:45 -0300
Subject: [PATCH] feat: Add options to mutual authentication (#1320)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 enterprise_gateway/services/processproxies/yarn.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/enterprise_gateway/services/processproxies/yarn.py b/enterprise_gateway/services/processproxies/yarn.py
index 6271ef74..3981a515 100644
--- a/enterprise_gateway/services/processproxies/yarn.py
+++ b/enterprise_gateway/services/processproxies/yarn.py
@@ -35,6 +35,7 @@
 #            whether we verify the server's TLS certificate in yarn-api-client.
 #            Or a string, in which case it must be a path to a CA bundle(.pem file) to use.
 cert_path = os.getenv("EG_YARN_CERT_BUNDLE", True)
+mutual_authentication = os.getenv("EG_YARN_MUTUAL_AUTHENTICATION", "REQUIRED")
 
 
 class YarnClusterProcessProxy(RemoteProcessProxy):
@@ -91,9 +92,15 @@ def _initialize_resource_manager(self, **kwargs: dict[str, Any] | None) -> None:
                 endpoints.append(self.alt_yarn_endpoint)
 
         if self.yarn_endpoint_security_enabled:
-            from requests_kerberos import HTTPKerberosAuth
-
-            auth = HTTPKerberosAuth()
+            from requests_kerberos import DISABLED, OPTIONAL, REQUIRED, HTTPKerberosAuth
+
+            auth = HTTPKerberosAuth(
+                mutual_authentication={
+                    "REQUIRED": REQUIRED,
+                    "OPTIONAL": OPTIONAL,
+                    "DISABLED": DISABLED,
+                }.get(mutual_authentication.upper())
+            )
         else:
             # If we have the appropriate version of yarn-api-client, use its SimpleAuth class.
             # This allows EG to continue to issue requests against the YARN api when anonymous