[ https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15456282#comment-15456282 ]
ASF GitHub Bot commented on FLINK-3930: --------------------------------------- Github user vijikarthi commented on a diff in the pull request: https://github.com/apache/flink/pull/2425#discussion_r77230955 --- Diff: flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java --- 
@@ -682,6 +774,91 @@ public static File getYarnPropertiesLocation(Configuration conf) {
 return new File(propertiesFileLocation, YARN_PROPERTIES_FILE + currentUser);
 }
+ public static void persistAppState(String appId, String cookie) {
+ if(appId == null || cookie == null) { return; }
+ String path = System.getProperty("user.home") + File.separator + fileName;
+ LOG.debug("Going to persist cookie for the appID: {} in {} ", appId, path);
+ try {
+ File f = new File(path);
+ if(!f.exists()) {
+ f.createNewFile();
+ }
+ HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
+ SubnodeConfiguration subNode = config.getSection(appId);
+ if (subNode.containsKey(cookieKey)) {
+ String errorMessage = "Secure Cookie is already found in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ subNode.addProperty(cookieKey, cookie);
+ config.save();
+ LOG.debug("Persisted cookie for the appID: {}", appId);
+ } catch(Exception e) {
+ LOG.error("Exception occurred while persisting app state for app id: {}. Exception: {}", appId, e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static String getAppSecureCookie(String appId) {
+ if(appId == null) {
+ String errorMessage = "Application ID cannot be null";
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+
+ String cookieFromFile;
+ String path = System.getProperty("user.home") + File.separator + fileName;
+ LOG.debug("Going to fetch cookie for the appID: {} from {}", appId, path);
+
+ try {
+ File f = new File(path);
+ if (!f.exists()) {
+ String errorMessage = "Could not find the file: " + path + " in user home directory";
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
+ SubnodeConfiguration subNode = config.getSection(appId);
+ if (!subNode.containsKey(cookieKey)) {
+ String errorMessage = "Could not find the app ID section in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ cookieFromFile = subNode.getString(cookieKey, "");
+ if(cookieFromFile.length() == 0) {
+ String errorMessage = "Could not find cookie in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ } catch(Exception e) {
+ LOG.error("Exception occurred while fetching cookie for app id: {} Exception: {}", appId, e);
+ throw new RuntimeException(e);
+ }
+
+ LOG.debug("Found cookie for the appID: {}", appId);
+ return cookieFromFile;
+ }
+
+ public static void removeAppState(String appId) {
+ if(appId == null) { return; }
+ String path = System.getProperty("user.home") + File.separator + fileName;
+ LOG.debug("Going to remove the reference for the appId: {} from {}", appId, path);
+ try {
+ File f = new File(path);
+ if (!f.exists()) {
+ String errorMessage = "Could not find the file: " + path + " in user home directory";
+ LOG.warn(errorMessage);
+ return;
+ }
+ HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
+ config.clearTree(appId);
+ config.save();
+ LOG.debug("Removed the reference for the appId: {} from {}", appId, path);
+ } catch(Exception e) {
+ LOG.warn("Exception occurred while fetching cookie for app id: {} Exception: {}", appId, e);
+ }
+ }
+
--- End diff --
We don't set any additional permissions since the file is managed in the user home directory. > Implement Service-Level Authorization > ------------------------------------- > > Key: FLINK-3930 > URL: https://issues.apache.org/jira/browse/FLINK-3930 > Project: Flink > Issue Type: New Feature > Components: Security > Reporter: Eron Wright > Assignee: Vijay Srinivasaraghavan > Labels: security > Original Estimate: 672h > Remaining Estimate: 672h > > _This issue is part of a series of improvements detailed in the [Secure Data > Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing] > design doc._ > Service-level authorization is the initial authorization mechanism to ensure > clients (or servers) connecting to the Flink cluster are authorized to do so. > The purpose is to prevent a cluster from being used by an unauthorized > user, whether to execute jobs, disrupt cluster functionality, or gain access > to secrets stored within the cluster. > Implement service-level authorization as described in the design doc. > - Introduce a shared secret cookie > - Enable Akka security cookie > - Implement data transfer authentication > - Secure the web dashboard -- This message was sent by Atlassian JIRA (v6.3.4#6332)
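Review bot: In `removeAppState` the `catch(Exception e)` only logs a warning whose text says "fetching cookie", so a failed `clearTree`/`save` leaves the application's secure cookie in the file while the log names the wrong operation and the caller never learns the cleanup failed. I would change the line to `LOG.warn("Could not remove the cookie entry for app id: {} from {}", appId, path, e);` and consider signalling the failure to the caller, since a stale secret then outlives the session. The same broad `catch(Exception e)` in `persistAppState` and `getAppSecureCookie` also catches the `RuntimeException`s thrown inside their own `try` blocks, so those errors are logged twice and re-wrapped; catching only the checked types the calls can raise (presumably `IOException` and `ConfigurationException`) would avoid that. All three methods do an unlocked load, modify and save of one shared file, so two concurrent sessions of the same user can presumably overwrite each other's section, which deserves a file lock or at least a comment stating the assumption.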