[FLINK-8286][Security] Fix kerberos security configuration for YarnTaskExecutor

[suez1224]

What is the purpose of the change

Fix broken YARN kerberos integration for flip-6.

Brief change log

• Fix kerberos onfigurations.
• Refactor code.
• Add unittest.

Verifying this change

This change added tests and can be verified as follows:

• *Added test that validates kerberos credentials are set correctly *

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): (no)
• The public API, i.e., is any changed class annotated with @Public(Evolving): ( no)
• The serializers: (no)
• The runtime per-record code paths (performance sensitive): (no)
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (no )
• The S3 file system connector: (no)

Documentation

• Does this pull request introduce a new feature? (no)
• If yes, how is the feature documented? (not applicable)

[aljoscha]

Why is this exception being swallowed?

[suez1224]

Good point. Added exceptions to method signature and let caller handle it.

[aljoscha]

Is the only change really that we always do this instead of having the check on remoteKeytabPath, as the old code had?

The old code had this on line 120:

if (remoteKeytabPath != null) {
	File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
	keytabPath = f.getAbsolutePath();
	LOG.info("keytab path: {}", keytabPath);
}

[suez1224]

No, this is a refactoring becaust that part of code is kinda redundant.

The real change is moving this code block below before the call to "new SecurityConfiguration()":

configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, f.getAbsolutePath());
configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);

[aljoscha]

I see, could you maybe split this PR in two commits then? One that does the refactoring and one that does the actual fix. This way, it's clearer what exactly the fix is.

[suez1224]

@aljoscha done, please take another look. Thanks.

[suez1224]

@aljoscha thanks for the review. I've replied to the comments, could you please take another look?

[suez1224]

Good point. Added exceptions to method signature and let caller handle it.

[suez1224]

No, this is a refactoring becaust that part of code is kinda redundant.

The real change is moving this code block below before the call to "new SecurityConfiguration()":

configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, f.getAbsolutePath());
configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);

[aljoscha]

@suez1224 I'll now merge the actual fix, but I'm not 100 % sure the refactoring is correct.

After the fix, we have roughly this path through the code:

if (keytabPath != null && remoteKeytabPrincipal != null) {
	configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
	configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
}

SecurityConfiguration sc = new SecurityConfiguration(configuration);

SecurityUtils.install(sc);

SecurityUtils.getInstalledContext().runSecured(new Callable<Void>() {
	@Override
	public Void call() throws Exception {
		TaskManagerRunner.runTaskManager(configuration, new ResourceID(containerId));
		return null;
	}
});

after the fix, that becomes

// in main()
SecurityUtils.getInstalledContext().runSecured(
   YarnTaskExecutorRunnerFactory.create(System.getenv()));

// in YarnTaskExecutorRunnerFactory.create()
if (keytabPath != null && remoteKeytabPrincipal != null) {
	configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
	configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
}

SecurityConfiguration sc = new SecurityConfiguration(configuration);

SecurityUtils.install(sc);

return new Runner()

Meaning, that if someone messes with how things are called it can happen that SecurityUtils.getInstalledContext() is called before SecurityUtils.install(sc) is called in YarnTaskExecutorRunnerFactory.create. I think this can potentially lead to problems and the old path is much clearer. What do you think?

[aljoscha]

Merged, could you please close the PR after discussion of the refactoring?

[suez1224]

@aljoscha that's a very good catch. I added another commit to make sure the call order is always correct (1298b04). Could you please let me know what you think? I think we should have the unittest in place since this is the second time it breaks. I can create another PR for the refactoring commit.

[EronWright]

This PR seems to obfuscate the fix. The issue was with the interpretation of the keytab path, right? But the bulk of the change was to clarify the ordering of context installation vs use?

[aljoscha]

@EronWright the fix is really one this: ba3e271 But I haven't yet managed to reproduce a failure on my system without the fix. Still working on it.

[aljoscha]

@suez1224 Did you rebase on master? I think that krb5-specific could should not be there anymore.

[rmetzger]

@aljoscha @suez1224 This PR appears to be a stale open PR, even though it seem to contain something merged.
I propose to close this PR, and file a JIRA ticket for the refactoring?

[tillrohrmann]

Closing this PR as it seems to be abandoned.