walterddr commented on a change in pull request #12462:
URL: https://github.com/apache/flink/pull/12462#discussion_r435924414



##########
File path: 
flink-filesystems/flink-hadoop-fs/src/main/java/org/apache/flink/runtime/util/HadoopUtils.java
##########
@@ -112,11 +112,12 @@ public static Configuration 
getHadoopConfiguration(org.apache.flink.configuratio
                return result;
        }
 
-       public static boolean isCredentialsConfigured(UserGroupInformation ugi, 
boolean useTicketCache) throws Exception {
-               if (UserGroupInformation.isSecurityEnabled()) {
+       public static boolean 
isKerberosCredentialsConfigured(UserGroupInformation ugi, boolean 
useTicketCache) {
+               if (UserGroupInformation.isSecurityEnabled()
+                       && ugi.getAuthenticationMethod() == 
UserGroupInformation.AuthenticationMethod.KERBEROS) {
                        if (useTicketCache && !ugi.hasKerberosCredentials()) {
                                // a delegation token is an adequate substitute 
in most cases
-                               if (!HadoopUtils.hasHDFSDelegationToken()) {
+                               if (!HadoopUtils.hasHDFSDelegationToken(ugi)) {
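
Review bot: At the `hasHDFSDelegationToken(ugi)` call, the delegation-token lookup is now bound to the same `ugi` on which `hasKerberosCredentials()` is evaluated, so the token check follows whatever UGI the caller passes instead of the user the no-argument form inspected. Either keep the token check independent of the `ugi` parameter, or add Javadoc on `isKerberosCredentialsConfigured` stating which user's UGI callers must pass and what the method returns when `ugi.getAuthenticationMethod()` is not `KERBEROS`. The signature also drops `throws Exception`, so callers that catch it should be checked.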

Review comment:
       This change actually causes the problem: the `ugi` passed into the 
Kerberos credential check is not necessarily the one for the delegation token 
check.
   
   Specifically in Flink, credentials are checked against the `loginUser`, and 
the delegation token is always checked against `currentUser` in the case of a 
delegation or proxy user impersonation. 
   See: [HadoopModule.java#L137](https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/HadoopModule.java#L137)
   
   I think this is the reason why the CI test fails @tillrohrmann but I can't 
be sure. @krasinski can you revert this piece of change and try again?



