[FLINK-5580] [security] Fix path setting of shipped Kerberos keytabs in YARN mode
This closes #3177. Project: http://git-wip-us.apache.org/repos/asf/flink/repo Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/640a149e Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/640a149e Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/640a149e Branch: refs/heads/master Commit: 640a149ea69c0fc2314c6d5b422500c6c9587f43 Parents: b380bd3 Author: Tzu-Li (Gordon) Tai <[email protected]> Authored: Fri Jan 20 01:41:05 2017 +0100 Committer: Tzu-Li (Gordon) Tai <[email protected]> Committed: Fri Jan 20 16:30:52 2017 +0100 ---------------------------------------------------------------------- .../flink/yarn/YarnApplicationMasterRunner.java | 2 ++ .../apache/flink/yarn/YarnTaskManagerRunner.java | 17 +++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/flink/blob/640a149e/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java ----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
index 71be589..2193174 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
@@ -169,6 +169,8 @@ public class YarnApplicationMasterRunner { LOG.debug("YARN dynamic properties: {}", dynamicProperties); final Configuration flinkConfig = createConfiguration(currDir, dynamicProperties); + + // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager if (keytabPath != null && remoteKeytabPrincipal != null) { flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath); flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal); http://git-wip-us.apache.org/repos/asf/flink/blob/640a149e/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java ---------------------------------------------------------------------- diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java index 4a780e0..849a8a6 100644 --- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java +++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java @@ -93,11 +93,11 @@ public class YarnTaskManagerRunner { // tell akka to die in case of an error configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true); - String keytabPath = null; + String localKeytabPath = null; if(remoteKeytabPath != null) { File f = new File(currDir, Utils.KEYTAB_FILE_NAME); - keytabPath = f.getAbsolutePath(); - LOG.info("keytabPath: {}", keytabPath); + localKeytabPath = f.getAbsolutePath(); + LOG.info("localKeytabPath: {}", localKeytabPath); } UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); 
@@ -124,6 +124,12 @@ public class YarnTaskManagerRunner { hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true"); } + // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager + if (localKeytabPath != null && remoteKeytabPrincipal != null) { + configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, localKeytabPath); + configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal); + } + SecurityUtils.SecurityConfiguration sc; if (hadoopConfiguration != null) { sc = new SecurityUtils.SecurityConfiguration(configuration, hadoopConfiguration); @@ -131,11 +137,6 @@ public class YarnTaskManagerRunner { sc = new SecurityUtils.SecurityConfiguration(configuration); } - if (keytabPath != null && remoteKeytabPrincipal != null) { - configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath); - configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal); - } - SecurityUtils.install(sc); SecurityUtils.getInstalledContext().runSecured(new Callable<Object>() {
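Review bot: The guard `if (localKeytabPath != null && remoteKeytabPrincipal != null)` added in YarnTaskManagerRunner skips the override without any trace when only one of the two values is set, so `SecurityOptions.KERBEROS_LOGIN_KEYTAB` keeps whatever value `configuration` already carried (presumably the client-side path this commit is meant to replace) and the container still proceeds to `SecurityUtils.install(sc)`. I would make that case visible by extending the block with `} else if (localKeytabPath != null || remoteKeytabPrincipal != null) {` and `LOG.warn("Keytab path and principal must both be set; keytab login settings left unchanged");`. The block now also has to run before `new SecurityUtils.SecurityConfiguration(...)`, which the move implies reads these options at construction; a comment such as `// must precede SecurityConfiguration construction, which reads the keytab options` would keep a later refactor from reintroducing the bug. The same guard appears as context in the YarnApplicationMasterRunner hunk, and the enclosing method starts and ends outside this hunk.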
