Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/10/25 07:42:25 UTC

[GitHub] [flink] gaborgsomogyi opened a new pull request, #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

gaborgsomogyi opened a new pull request, #21147:
URL: https://github.com/apache/flink/pull/21147

   ## Brief change log
   
   Since the new delegation token framework works (it obtains/re-obtains/distributes tokens to task managers), it's time to remove the old code snippet, which is able to obtain tokens only at the initial phase. In this PR I've removed that code part.
   
   ## Brief change log
   
   * Removed old token fetch code
   * Fix: `KerberosDelegationTokenManager` must only start in YARN when the user provided valid credentials
   
   ## Verifying this change
   
   * Existing unit tests
   * Manually on YARN and K8S (please see an example [here](https://gist.github.com/gaborgsomogyi/ac4f71ead8494da2f5c35265bcb1e885))
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): no
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
     - The serializers: no
     - The runtime per-record code paths (performance sensitive): no
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
     - The S3 file system connector: no
   
   ## Documentation
   
     - Does this pull request introduce a new feature? no
     - If yes, how is the feature documented? not applicable
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [flink] gaborgsomogyi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1291543594

   @flinkbot run azure




[GitHub] [flink] gaborgsomogyi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1290128650

   cc @mbalassi 




[GitHub] [flink] flinkbot commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
flinkbot commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1290143356

   ## CI report:
   
   * a64fef13a0e6c6b0d42859cd397167c60b3c87d5 UNKNOWN
   
   <details>
   <summary>Bot commands</summary>
     The @flinkbot bot supports the following commands:
   
    - `@flinkbot run azure` re-run the last Azure build
   </details>




[GitHub] [flink] gaborgsomogyi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1293897838

   @flinkbot run azure




[GitHub] [flink] mbalassi merged pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
mbalassi merged PR #21147:
URL: https://github.com/apache/flink/pull/21147




[GitHub] [flink] mbalassi commented on a diff in pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
mbalassi commented on code in PR #21147:
URL: https://github.com/apache/flink/pull/21147#discussion_r1020951099


##########
flink-yarn/src/main/java/org/apache/flink/yarn/YarnClusterDescriptor.java:
##########
@@ -1150,26 +1150,14 @@ private ApplicationReport startAppMaster(
         final ContainerLaunchContext amContainer =
                 setupApplicationMasterContainer(yarnClusterEntrypoint, hasKrb5, processSpec);
 
-        // New delegation token framework
         if (configuration.getBoolean(SecurityOptions.KERBEROS_FETCH_DELEGATION_TOKEN)) {
-            setTokensFor(amContainer);
-        }
-        // Old delegation token framework
-        if (UserGroupInformation.isSecurityEnabled()) {
-            LOG.info("Adding delegation token to the AM container.");
-            final List<Path> pathsToObtainToken = new ArrayList<>();
-            boolean fetchToken =
-                    configuration.getBoolean(SecurityOptions.KERBEROS_FETCH_DELEGATION_TOKEN);
-            if (fetchToken) {
-                List<Path> yarnAccessList =
-                        ConfigUtils.decodeListFromConfig(
-                                configuration,
-                                SecurityOptions.KERBEROS_HADOOP_FILESYSTEMS_TO_ACCESS,
-                                Path::new);
-                pathsToObtainToken.addAll(yarnAccessList);
-                pathsToObtainToken.addAll(fileUploader.getRemotePaths());
+            KerberosLoginProvider kerberosLoginProvider = new KerberosLoginProvider(configuration);
+            if (kerberosLoginProvider.isLoginPossible()) {
+                setTokensFor(amContainer);
+            } else {
+                LOG.info(
+                        "Cannot use kerberos delegation token manager no valid kerberos credentials provided.");
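
Review bot: in the new `else` branch, a submission that has `SecurityOptions.KERBEROS_FETCH_DELEGATION_TOKEN` enabled but fails `kerberosLoginProvider.isLoginPossible()` is reported only at INFO, and the AM container is then launched without tokens. Since the user asked for token fetching, this is a misconfiguration that deserves `LOG.warn`, and the message should state that no tokens were attached to the AM container. Two things to confirm, because the visible lines do not show them: the removed block was gated on `UserGroupInformation.isSecurityEnabled()` and obtained tokens for `KERBEROS_HADOOP_FILESYSTEMS_TO_ACCESS` plus `fileUploader.getRemotePaths()`, so `isLoginPossible()` should cover the security-disabled case and `setTokensFor(amContainer)` should still cover the uploaded remote paths.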

Review Comment:
   nit: token manager`,` no valid





[GitHub] [flink] mbalassi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
mbalassi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1313937515

   @gaborgsomogyi verified locally via the k8s operator. Will fix the typo and merge.




[GitHub] [flink] gaborgsomogyi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1305213040

   @flinkbot run azure




[GitHub] [flink] gaborgsomogyi commented on pull request #21147: [FLINK-28330][runtime][security] Remove old delegation token framework code

Posted by GitBox <gi...@apache.org>.
gaborgsomogyi commented on PR #21147:
URL: https://github.com/apache/flink/pull/21147#issuecomment-1303207353

   @flinkbot run azure

