Github user aljoscha commented on the issue:
https://github.com/apache/flink/pull/5896
@suez1224 I'll now merge the actual fix, but I'm not 100 % sure the
refactoring is correct.
After the fix, we have roughly this path through the code:
```
if (keytabPath != null && remoteKeytabPrincipal != null) {
configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB,
keytabPath);
configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL,
remoteKeytabPrincipal);
}
SecurityConfiguration sc = new SecurityConfiguration(configuration);
SecurityUtils.install(sc);
SecurityUtils.getInstalledContext().runSecured(new Callable<Void>() {
@Override
public Void call() throws Exception {
TaskManagerRunner.runTaskManager(configuration, new
ResourceID(containerId));
return null;
}
});
```
after the fix, that becomes
```
// in main()
SecurityUtils.getInstalledContext().runSecured(
YarnTaskExecutorRunnerFactory.create(System.getenv()));
// in YarnTaskExecutorRunnerFactory.create()
if (keytabPath != null && remoteKeytabPrincipal != null) {
configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB,
keytabPath);
configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL,
remoteKeytabPrincipal);
}
SecurityConfiguration sc = new SecurityConfiguration(configuration);
SecurityUtils.install(sc);
return new Runner()
```
Meaning, that if someone messes with how things are called it can happen
that `SecurityUtils.getInstalledContext()` is called before
`SecurityUtils.install(sc)` is called in
`YarnTaskExecutorRunnerFactory.create`. I think this can potentially lead to
problems and the old path is much clearer. What do you think?
---
