[FLINK-8286][Security] Fix kerberos security configuration for YarnTaskExecutor #5896
FileSystem.initialize(configuration); | ||
} catch (Throwable t) { | ||
LOG.error(t.getMessage(), t); |
Why is this exception being swallowed?
Good point. Added exceptions to method signature and let caller handle it.
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); | ||
|
||
LOG.info("YARN daemon is running as: {} Yarn client user obtainer: {}", | ||
currentUser.getShortUserName(), yarnClientUsername); | ||
|
||
File f = new File(currDir, Utils.KEYTAB_FILE_NAME); |
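Review bot: at `File f = new File(currDir, Utils.KEYTAB_FILE_NAME);` the keytab path is built with no visible check that the file exists in currDir. Consider testing `f.exists()` and readability before `f` is used, and logging at that point whether a keytab was actually found, so a container started without a shipped keytab is distinguishable in the logs. The `LOG.info` text "Yarn client user obtainer" also reads like a typo; state what `yarnClientUsername` represents.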
Is the only change really that we always do this instead of having the check on remoteKeytabPath, as the old code had?
The old code had this on line 120:
if (remoteKeytabPath != null) {
    File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
    keytabPath = f.getAbsolutePath();
    LOG.info("keytab path: {}", keytabPath);
}
No, this is a refactoring because that part of code is kinda redundant.
The real change is moving this code block below before the call to "new SecurityConfiguration()":
configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, f.getAbsolutePath());
configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
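Why the ordering described in the comment above matters, as an added example that is not part of the PR or of Flink's code: it assumes the security settings object copies the keytab and principal out of the configuration once, at construction. `SecuritySnapshot`, the key names, the path and the principal are hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

public class KeytabOrderingDemo {
    // Hypothetical stand-ins for the configuration keys; not Flink's option names.
    static final String KEYTAB_KEY = "demo.login.keytab";
    static final String PRINCIPAL_KEY = "demo.login.principal";

    /** Copies the Kerberos settings out of the map once, when constructed. */
    static final class SecuritySnapshot {
        final String keytab;
        final String principal;

        SecuritySnapshot(Map<String, String> conf) {
            this.keytab = conf.get(KEYTAB_KEY);
            this.principal = conf.get(PRINCIPAL_KEY);
        }

        /** Keytab login is only possible if both values were present at construction. */
        boolean useKeytabLogin() {
            return keytab != null && principal != null;
        }
    }

    public static void main(String[] args) {
        String localKeytab = "/tmp/container_01/sample.keytab"; // constructed sample path
        String principal = "flink/host@EXAMPLE.COM";            // constructed sample principal

        // Ordering A: snapshot built first, settings written afterwards.
        // The later writes never reach the snapshot, and nothing fails loudly.
        Map<String, String> confA = new HashMap<>();
        SecuritySnapshot late = new SecuritySnapshot(confA);
        confA.put(KEYTAB_KEY, localKeytab);
        confA.put(PRINCIPAL_KEY, principal);

        // Ordering B: settings written first, then the snapshot is built.
        Map<String, String> confB = new HashMap<>();
        confB.put(KEYTAB_KEY, localKeytab);
        confB.put(PRINCIPAL_KEY, principal);
        SecuritySnapshot early = new SecuritySnapshot(confB);

        System.out.println("set after construction  -> keytab login: " + late.useKeytabLogin());
        System.out.println("set before construction -> keytab login: " + early.useKeytabLogin());
    }
}
```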
I see, could you maybe split this PR in two commits then? One that does the refactoring and one that does the actual fix. This way, it's clearer what exactly the fix is.
@aljoscha done, please take another look. Thanks.
@aljoscha thanks for the review. I've replied to the comments, could you please take another look?
@suez1224 I'll now merge the actual fix, but I'm not 100 % sure the refactoring is correct. After the fix, we have roughly this path through the code:
after the fix, that becomes
Meaning, that if someone messes with how things are called it can happen that
Merged, could you please close the PR after discussion of the refactoring?
…urityUtils.install()
This PR seems to obfuscate the fix. The issue was with the interpretation of the keytab path, right? But the bulk of the change was to clarify the ordering of context installation vs use?
@EronWright the fix is really only this: ba3e271. But I haven't yet managed to reproduce a failure on my system without the fix. Still working on it.
@suez1224 Did you rebase on master? I think that krb5-specific code should not be there anymore.
Closing this PR as it seems to be abandoned.
What is the purpose of the change
Fix broken YARN kerberos integration for flip-6.
Brief change log
Verifying this change
This change added tests and can be verified as follows:
Does this pull request potentially affect one of the following parts:
@Public(Evolving): (no)
Documentation