[GitHub] [flink] XComp commented on a change in pull request #15131: [FLINK-21700][yarn]Allow to disable fetching Hadoop delegation token on Yarn

Mon, 15 Mar 2021 01:04:28 -0700 


XComp commented on a change in pull request #15131:
URL: https://github.com/apache/flink/pull/15131#discussion_r594109522



##########
File path: docs/layouts/shortcodes/generated/yarn_config_configuration.html
##########
@@ -140,6 +140,12 @@
             <td>List&lt;String&gt;</td>
             <td>A comma-separated list of additional Kerberos-secured Hadoop 
filesystems Flink is going to access. For example, 
yarn.security.kerberos.additionalFileSystems=hdfs://namenode2:9002,hdfs://namenode3:9003.
 The client submitting to YARN needs to have access to these file systems to 
retrieve the security tokens.</td>
         </tr>
+        <tr>
+            
<td><h5>yarn.security.kerberos.fetch.delegationToken.enabled</h5></td>
+            <td style="word-wrap: break-word;">true</td>
+            <td>Boolean</td>
+            <td>When this is true Flink will fetch HDFS/HBase delegation token 
injected into AM container.</td>

Review comment:
       We might want to elaborate a bit more on what's necessary to do when 
this flag is disabled.

##########
File path: flink-yarn/src/main/java/org/apache/flink/yarn/Utils.java
##########
@@ -213,9 +213,9 @@ public static void setTokensFor(
 
         Collection<Token<? extends TokenIdentifier>> usrTok = 
currUsr.getTokens();
         for (Token<? extends TokenIdentifier> token : usrTok) {
-            final Text id = new Text(token.getIdentifier());
-            LOG.info("Adding user token " + id + " with " + token);
-            credentials.addToken(id, token);
+            final Text alias = new Text(token.getService());
+            LOG.info("Adding user token " + alias + " with " + token);
+            credentials.addToken(alias, token);

Review comment:
       Looks like the token fetching for HBase is also relying on the service 
name instead of the identifier to add the token. I don't understand your 
argument, though: In what situation would the identifier not be unique. 
...considering that you called the `identifier` not being the only unique id. 
Could you elaborate a bit more.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to