Repository: flink Updated Branches: refs/heads/release-1.2 3b5882afa -> 5cbaf796d
[FLINK-5580] [security] Fix path setting of shipped Kerberos keytabs in YARN mode This closes #3177. Project: http://git-wip-us.apache.org/repos/asf/flink/repo Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/5cbaf796 Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/5cbaf796 Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/5cbaf796 Branch: refs/heads/release-1.2 Commit: 5cbaf796d2e40db26ccdcfc458f5f1baf0230bb6 Parents: 3b5882a Author: Tzu-Li (Gordon) Tai <[email protected]> Authored: Fri Jan 20 01:41:05 2017 +0100 Committer: Tzu-Li (Gordon) Tai <[email protected]> Committed: Fri Jan 20 16:50:55 2017 +0100
----------------------------------------------------------------------
.../flink/yarn/YarnApplicationMasterRunner.java | 4 +++-
.../apache/flink/yarn/YarnTaskManagerRunner.java | 17 +++++++++--------
2 files changed, 12 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
index e4027d4..ad9bc10 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnApplicationMasterRunner.java
@@ -169,7 +169,9 @@ public class YarnApplicationMasterRunner {
 LOG.debug("YARN dynamic properties: {}", dynamicProperties);
 final Configuration flinkConfig = createConfiguration(currDir, dynamicProperties);
- if(keytabPath != null && remoteKeytabPrincipal != null) {
+
+ // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+ if (keytabPath != null && remoteKeytabPrincipal != null) {
 flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
 flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
 }
http://git-wip-us.apache.org/repos/asf/flink/blob/5cbaf796/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
----------------------------------------------------------------------
diff --git a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
index 059f1aa..e41869a 100644
--- a/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
+++ b/flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java
@@ -93,11 +93,11 @@ public class YarnTaskManagerRunner {
 // tell akka to die in case of an error
 configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true);
- String keytabPath = null;
+ String localKeytabPath = null;
 if(remoteKeytabPath != null) {
 File f = new File(currDir, Utils.KEYTAB_FILE_NAME);
- keytabPath = f.getAbsolutePath();
- LOG.info("keytabPath: {}", keytabPath);
+ localKeytabPath = f.getAbsolutePath();
+ LOG.info("localKeytabPath: {}", localKeytabPath);
 }
 UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
@@ -124,6 +124,12 @@ public class YarnTaskManagerRunner {
 hadoopConfiguration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
 }
+ // set keytab principal and replace path with the local path of the shipped keytab file in NodeManager
+ if (localKeytabPath != null && remoteKeytabPrincipal != null) {
+ configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, localKeytabPath);
+ configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
+ }
+
 SecurityUtils.SecurityConfiguration sc;
 if(hadoopConfiguration != null) {
 sc = new SecurityUtils.SecurityConfiguration(configuration, hadoopConfiguration);
@@ -131,11 +137,6 @@ public class YarnTaskManagerRunner {
 sc = new SecurityUtils.SecurityConfiguration(configuration);
 }
- if(keytabPath != null && remoteKeytabPrincipal != null) {
- configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
- configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
- }
-
 SecurityUtils.install(sc);
 SecurityUtils.getInstalledContext().runSecured(new Callable<Object>() {
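Review bot: The block added in the `-124,6 +124,12` hunk of YarnTaskManagerRunner must now run before `new SecurityUtils.SecurityConfiguration(configuration, ...)`, but nothing in the code records that ordering; presumably the constructor reads the keytab and principal options when it is built, which would explain why the old placement after it had no effect. The new comment should say so, e.g. `// must be set before SecurityConfiguration is constructed, which reads these options`, so a later refactor does not move the block back. The guard also skips silently when a keytab was shipped but `remoteKeytabPrincipal` is null, leaving whatever keytab path the shipped configuration already carried; adding `else if (localKeytabPath != null) { LOG.warn("Keytab was shipped but no principal is set; keytab login is not configured"); }` would make that case visible in the logs. `localKeytabPath` (first hunk of this file) is built from `currDir` and `Utils.KEYTAB_FILE_NAME` without checking that the file exists, so a failed localization would only surface later at login; an `f.exists()` check there would fail earlier and closer to the cause. The enclosing method starts and ends outside these hunks.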
