You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@flink.apache.org by tz...@apache.org on 2017/01/20 15:51:36 UTC
flink git commit: [FLINK-5580] [security] Fix path setting of shipped
Kerberos keytabs in YARN mode
Repository: flink
Updated Branches:
refs/heads/release-1.2 3b5882afa -> 5cbaf796d
[FLINK-5580] [security] Fix path setting of shipped Kerberos keytabs in YARN mode
This closes #3177.
Project: http://git-wip-us.apache.org/repos/asf/flink/repo
Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/5cbaf796
Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/5cbaf796
Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/5cbaf796
Branch: refs/heads/release-1.2
Commit: 5cbaf796d2e40db26ccdcfc458f5f1baf0230bb6
Parents: 3b5882a
Author: Tzu-Li (Gordon) Tai <tz...@apache.org>
Authored: Fri Jan 20 01:41:05 2017 +0100
Committer: Tzu-Li (Gordon) Tai <tz...@apache.org>
Committed: Fri Jan 20 16:50:55 2017 +0100
----------------------------------------------------------------------
.../flink/yarn/YarnApplicationMasterRunner.java | 4 +++-
.../apache/flink/yarn/YarnTaskManagerRunner.java | 17 +++++++++--------
2 files changed, 12 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
index e4027d4..ad9bc10 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
@@ -169,7 +169,9 @@ public class YarnApplicationMasterRunner {
LOG.debug("YARN dynamic properties: {}", dynamicProperties);
final Configuration flinkConfig = createConfiguration(currDir, dynamicProperties);
- if(keytabPath != null && remoteKeytabPrincipal != null) {
+
+ // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+ if (keytabPath != null && remoteKeytabPrincipal != null) {
flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
}
http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
index 059f1aa..e41869a 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
@@ -93,11 +93,11 @@ public class YarnTaskManagerRunner {
// tell akka to die in case of an error
configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true);
- String keytabPath = null;
+ String localKeytabPath = null;
if(remoteKeytabPath != null) {
File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
- keytabPath = f.getAbsolutePath();
- LOG.info("keytabPath: {}", keytabPath);
+ localKeytabPath = f.getAbsolutePath();
+ LOG.info("localKeytabPath: {}", localKeytabPath);
}
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
@@ -124,6 +124,12 @@ public class YarnTaskManagerRunner {
hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
}
+ // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+ if (localKeytabPath != null && remoteKeytabPrincipal != null) {
+ configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, localKeytabPath);
+ configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
+ }
+
SecurityUtils.SecurityConfiguration sc;
if(hadoopConfiguration != null) {
sc = new SecurityUtils.SecurityConfiguration(configuration, hadoopConfiguration);
@@ -131,11 +137,6 @@ public class YarnTaskManagerRunner {
sc = new SecurityUtils.SecurityConfiguration(configuration);
}
- if(keytabPath != null && remoteKeytabPrincipal != null) {
- configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
- configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
- }
-
SecurityUtils.install(sc);
SecurityUtils.getInstalledContext().runSecured(new Callable<Object>() {