Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/06/09 08:39:02 UTC

[GitHub] [flink] gyfora commented on a diff in pull request #19825: [FLINK-27171][runtime][security] Add periodic kerberos delegation token obtain possibility to DelegationTokenManager

gyfora commented on code in PR #19825:
URL: https://github.com/apache/flink/pull/19825#discussion_r893220794


##########
flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java:
##########
@@ -132,6 +132,22 @@ public class SecurityOptions {
                     .withDescription(
                             "The time period when keytab login happens automatically in order to always have a valid TGT.");
 
+    @Documentation.Section(Documentation.Sections.SECURITY_AUTH_KERBEROS)
+    public static final ConfigOption<Duration> KERBEROS_TOKENS_RETRY_WAIT =
+            key("security.kerberos.tokens.retry-wait")

Review Comment:
   I think a better name would be `security.kerberos.tokens.obtain.retry.backoff` or `security.kerberos.tokens.retry.backoff`



##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/token/KerberosDelegationTokenManager.java:
##########
@@ -127,8 +170,62 @@ boolean isProviderLoaded(String serviceName) {
      * Obtains new tokens in a one-time fashion and leaves it up to the caller to distribute them.
      */
     @Override
-    public void obtainDelegationTokens(Credentials credentials) {
+    public void obtainDelegationTokens(Credentials credentials) throws Exception {
         LOG.info("Obtaining delegation tokens");
+
+        // Delegation tokens can only be obtained if the real user has Kerberos credentials, so
+        // skip creation when those are not available.
+        if (kerberosLoginProvider.isLoginPossible()) {
+            UserGroupInformation freshUGI = kerberosLoginProvider.doLogin();
+            freshUGI.doAs(
+                    (PrivilegedExceptionAction<Void>)
+                            () -> {
+                                obtainDelegationTokensAndGetNextRenewal(credentials);
+                                return null;
+                            });
+            LOG.info("Delegation tokens obtained successfully");
+        } else {
+            LOG.info("Real user has no kerberos credentials so no tokens obtained");
+        }
+    }
+
+    protected long obtainDelegationTokensAndGetNextRenewal(Credentials credentials) {
+        AtomicLong nextRenewal = new AtomicLong(Long.MAX_VALUE);
+
+        delegationTokenProviders
+                .values()
+                .forEach(
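Review bot: `throws Exception` on the public `obtainDelegationTokens` is broader than the method needs. `UserGroupInformation.doAs` with a `PrivilegedExceptionAction` surfaces checked failures as `PrivilegedActionException`, and `doLogin` declares whatever the login provider throws, so declaring those concrete types (or wrapping them in one runtime-specific exception) keeps callers from having to catch `Exception`. Also worth a comment: the next renewal time returned by `obtainDelegationTokensAndGetNextRenewal(credentials)` is intentionally discarded here because this is the one-time path, otherwise the method name suggests a value that is silently lost.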

Review Comment:
   You could use a stream, flatmap -> renewal time, and min to get rid of the AtomicLong based min logic



##########
flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java:
##########
@@ -132,6 +132,22 @@ public class SecurityOptions {
                     .withDescription(
                             "The time period when keytab login happens automatically in order to always have a valid TGT.");
 
+    @Documentation.Section(Documentation.Sections.SECURITY_AUTH_KERBEROS)
+    public static final ConfigOption<Duration> KERBEROS_TOKENS_RETRY_WAIT =
+            key("security.kerberos.tokens.retry-wait")
+                    .durationType()
+                    .defaultValue(Duration.ofHours(1))
+                    .withDescription(
+                            "The time period how long to wait before retrying to obtain new delegation tokens after a failure.");
+
+    @Documentation.Section(Documentation.Sections.SECURITY_AUTH_KERBEROS)
+    public static final ConfigOption<Double> KERBEROS_TOKENS_RENEWAL_RATIO =
+            key("security.kerberos.tokens.renewal-ratio")
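Review bot: the description of the `retry-wait` option reads awkwardly ("The time period how long to wait before retrying ..."); suggest "How long to wait before retrying to obtain new delegation tokens after a failure." The description should also state how the one hour default relates to token lifetime: if a retry happens only an hour after a failed obtain and the renewal point driven by `security.kerberos.tokens.renewal-ratio` falls earlier than that, the job runs without valid tokens until the retry, so either a shorter default or an explicit note for operators would help.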

Review Comment:
   A clearer name would be `security.kerberos.tokens.renewal.time-ratio`



##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/token/KerberosDelegationTokenManager.java:
##########
@@ -127,8 +170,62 @@ boolean isProviderLoaded(String serviceName) {
      * Obtains new tokens in a one-time fashion and leaves it up to the caller to distribute them.
      */
     @Override
-    public void obtainDelegationTokens(Credentials credentials) {
+    public void obtainDelegationTokens(Credentials credentials) throws Exception {
         LOG.info("Obtaining delegation tokens");
+
+        // Delegation tokens can only be obtained if the real user has Kerberos credentials, so
+        // skip creation when those are not available.
+        if (kerberosLoginProvider.isLoginPossible()) {
+            UserGroupInformation freshUGI = kerberosLoginProvider.doLogin();
+            freshUGI.doAs(
+                    (PrivilegedExceptionAction<Void>)
+                            () -> {
+                                obtainDelegationTokensAndGetNextRenewal(credentials);
+                                return null;
+                            });
+            LOG.info("Delegation tokens obtained successfully");
+        } else {
+            LOG.info("Real user has no kerberos credentials so no tokens obtained");
+        }
+    }
+
+    protected long obtainDelegationTokensAndGetNextRenewal(Credentials credentials) {
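Review bot: the `else` branch of `obtainDelegationTokens` logs at INFO and returns normally, so a caller cannot tell "tokens obtained" apart from "login not possible, nothing obtained"; since a missing delegation token only shows up later as an authentication failure far from its cause, this deserves WARN and, ideally, a signal to the caller (for example a boolean return). Minor: "kerberos" in that log message should be capitalised to match "Kerberos" in the comment above it.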

Review Comment:
   Could return Optional<Long> instead to make this more explicit


