Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/06/10 14:14:14 UTC

[GitHub] [flink] gaborgsomogyi commented on a diff in pull request #19933: [FLINK-28000][runtime][security] Throw exception when principal is set in the configuration without keytab

gaborgsomogyi commented on code in PR #19933:
URL: https://github.com/apache/flink/pull/19933#discussion_r894579264


##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/SecurityConfiguration.java:
##########
@@ -138,25 +141,20 @@ public String getZooKeeperLoginContextName() {
     }
 
     private void validate() {
-        if (!StringUtils.isBlank(keytab)) {
-            // principal is required
-            if (StringUtils.isBlank(principal)) {
-                throw new IllegalConfigurationException(
-                        "Kerberos login configuration is invalid: keytab requires a principal.");
-            }
+        if (StringUtils.isBlank(keytab) != StringUtils.isBlank(principal)) {
+            throw new IllegalConfigurationException(
+                    KERBEROS_CONFIG_ERROR_PREFIX
+                            + "either both keytab and principal must be defined, or neither.");
+        }
 
-            // check the keytab is readable
+        if (!StringUtils.isBlank(keytab)) {
             File keytabFile = new File(keytab);
             if (!keytabFile.exists() || !keytabFile.isFile()) {
                 throw new IllegalConfigurationException(
-                        "Kerberos login configuration is invalid: keytab ["
-                                + keytab
-                                + "] doesn't exist!");
+                        KERBEROS_CONFIG_ERROR_PREFIX + "keytab [" + keytab + "] doesn't exist!");
             } else if (!keytabFile.canRead()) {
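
Review bot: The combined check `StringUtils.isBlank(keytab) != StringUtils.isBlank(principal)` throws the same message whether the keytab or the principal is the one missing, so the operator has to inspect the configuration to find out which Kerberos option was left unset. Consider naming the blank option in the message, since the previous text ("keytab requires a principal") did identify it for the one case it covered. Separately, the `!keytabFile.exists() || !keytabFile.isFile()` branch still reports "doesn't exist!" when the path exists but is not a regular file (for example a directory); a message such as "doesn't exist or is not a regular file" would match the condition.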

Review Comment:
   FYI `canRead` is not tested because on some OS it's not implemented properly: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=6203387


