Posted to commits@flink.apache.org by tz...@apache.org on 2017/01/20 15:51:36 UTC

flink git commit: [FLINK-5580] [security] Fix path setting of shipped Kerberos keytabs in YARN mode

Repository: flink
Updated Branches:
  refs/heads/release-1.2 3b5882afa -> 5cbaf796d


[FLINK-5580] [security] Fix path setting of shipped Kerberos keytabs in YARN mode

This closes #3177.


Project: http://git-wip-us.apache.org/repos/asf/flink/repo
Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/5cbaf796
Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/5cbaf796
Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/5cbaf796

Branch: refs/heads/release-1.2
Commit: 5cbaf796d2e40db26ccdcfc458f5f1baf0230bb6
Parents: 3b5882a
Author: Tzu-Li (Gordon) Tai <tz...@apache.org>
Authored: Fri Jan 20 01:41:05 2017 +0100
Committer: Tzu-Li (Gordon) Tai <tz...@apache.org>
Committed: Fri Jan 20 16:50:55 2017 +0100

----------------------------------------------------------------------
 .../flink/yarn/YarnApplicationMasterRunner.java    |  4 +++-
 .../apache/flink/yarn/YarnTaskManagerRunner.java   | 17 +++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
index e4027d4..ad9bc10 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
@@ -169,7 +169,9 @@ public class YarnApplicationMasterRunner {
 			LOG.debug("YARN dynamic properties: {}", dynamicProperties);
 
 			final Configuration flinkConfig = createConfiguration(currDir, dynamicProperties);
-			if(keytabPath != null && remoteKeytabPrincipal != null) {
+
+			// set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+			if (keytabPath != null && remoteKeytabPrincipal != null) {
 				flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
 				flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
 			}
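Review bot: When only one of `keytabPath` and `remoteKeytabPrincipal` is non-null, the `if` at the end of this hunk skips both `setString` calls without logging, so `flinkConfig` keeps whatever keytab and principal `createConfiguration` loaded. If that loaded value is a client-side keytab path (which the commit title suggests is the failure mode being fixed), the Kerberos login would presumably fail later with no hint of the cause. A warning on the partial case would make this diagnosable, e.g. `else if (keytabPath != null || remoteKeytabPrincipal != null) { LOG.warn("Ignoring shipped keytab: keytab path and principal must both be present"); }`. The same both-or-nothing condition is added in YarnTaskManagerRunner at `localKeytabPath != null && remoteKeytabPrincipal != null`. The enclosing method begins and ends outside the hunk.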

http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
index 059f1aa..e41869a 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
@@ -93,11 +93,11 @@ public class YarnTaskManagerRunner {
 		// tell akka to die in case of an error
 		configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true);
 
-		String keytabPath = null;
+		String localKeytabPath = null;
 		if(remoteKeytabPath != null) {
 			File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
-			keytabPath = f.getAbsolutePath();
-			LOG.info("keytabPath: {}", keytabPath);
+			localKeytabPath = f.getAbsolutePath();
+			LOG.info("localKeytabPath: {}", localKeytabPath);
 		}
 
 		UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
@@ -124,6 +124,12 @@ public class YarnTaskManagerRunner {
 				hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
 			}
 
+			// set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+			if (localKeytabPath != null && remoteKeytabPrincipal != null) {
+				configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, localKeytabPath);
+				configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
+			}
+
 			SecurityUtils.SecurityConfiguration sc;
 			if(hadoopConfiguration != null) {
 				sc = new SecurityUtils.SecurityConfiguration(configuration, hadoopConfiguration);
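Review bot: The comment on the added block does not say why the block sits here: it now runs before `SecurityUtils.SecurityConfiguration` is constructed, and presumably that constructor reads the keytab and principal options, which would explain why the old placement after it had no effect. I would state that in the comment so the block is not moved back, e.g. `// must be set before SecurityConfiguration is created below, which reads these options`. `localKeytabPath` is also derived earlier from `new File(currDir, Utils.KEYTAB_FILE_NAME)` without checking that the file exists or is readable, so a missing shipped keytab would surface only at login; a check with a clear error message before the `setString` calls would help. The enclosing method starts and ends outside the hunk.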
@@ -131,11 +137,6 @@ public class YarnTaskManagerRunner {
 				sc = new SecurityUtils.SecurityConfiguration(configuration);
 			}
 
-			if(keytabPath != null && remoteKeytabPrincipal != null) {
-				configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
-				configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
-			}
-
 			SecurityUtils.install(sc);
 
 			SecurityUtils.getInstalledContext().runSecured(new Callable<Object>() {