[
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15458082#comment-15458082
]
ASF GitHub Bot commented on FLINK-3930:
---------------------------------------
Github user rmetzger commented on a diff in the pull request:
https://github.com/apache/flink/pull/2425#discussion_r77320960
--- Diff:
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -682,6 +774,91 @@ public static File
getYarnPropertiesLocation(Configuration conf) {
return new File(propertiesFileLocation, YARN_PROPERTIES_FILE +
currentUser);
}
+ public static void persistAppState(String appId, String cookie) {
+ if(appId == null || cookie == null) { return; }
+ String path = System.getProperty("user.home") + File.separator
+ fileName;
+ LOG.debug("Going to persist cookie for the appID: {} in {} ",
appId, path);
+ try {
+ File f = new File(path);
+ if(!f.exists()) {
+ f.createNewFile();
+ }
+ HierarchicalINIConfiguration config = new
HierarchicalINIConfiguration(path);
+ SubnodeConfiguration subNode = config.getSection(appId);
+ if (subNode.containsKey(cookieKey)) {
+ String errorMessage = "Secure Cookie is already
found in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ subNode.addProperty(cookieKey, cookie);
+ config.save();
+ LOG.debug("Persisted cookie for the appID: {}", appId);
+ } catch(Exception e) {
+ LOG.error("Exception occurred while persisting app
state for app id: {}. Exception: {}", appId, e);
+ throw new RuntimeException(e);
+ }
+ }
+
+ public static String getAppSecureCookie(String appId) {
+ if(appId == null) {
+ String errorMessage = "Application ID cannot be null";
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+
+ String cookieFromFile;
+ String path = System.getProperty("user.home") + File.separator
+ fileName;
+ LOG.debug("Going to fetch cookie for the appID: {} from {}",
appId, path);
+
+ try {
+ File f = new File(path);
+ if (!f.exists()) {
+ String errorMessage = "Could not find the file:
" + path + " in user home directory";
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ HierarchicalINIConfiguration config = new
HierarchicalINIConfiguration(path);
+ SubnodeConfiguration subNode = config.getSection(appId);
+ if (!subNode.containsKey(cookieKey)) {
+ String errorMessage = "Could not find the app
ID section in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ cookieFromFile = subNode.getString(cookieKey, "");
+ if(cookieFromFile.length() == 0) {
+ String errorMessage = "Could not find cookie
in "+ path + " for the appID: "+ appId;
+ LOG.error(errorMessage);
+ throw new RuntimeException(errorMessage);
+ }
+ } catch(Exception e) {
+ LOG.error("Exception occurred while fetching cookie for
app id: {} Exception: {}", appId, e);
+ throw new RuntimeException(e);
+ }
+
+ LOG.debug("Found cookie for the appID: {}", appId);
+ return cookieFromFile;
+ }
+
+ public static void removeAppState(String appId) {
+ if(appId == null) { return; }
+ String path = System.getProperty("user.home") + File.separator
+ fileName;
+ LOG.debug("Going to remove the reference for the appId: {} from
{}", appId, path);
+ try {
+ File f = new File(path);
+ if (!f.exists()) {
+ String errorMessage = "Could not find the file:
" + path + " in user home directory";
+ LOG.warn(errorMessage);
+ return;
+ }
+ HierarchicalINIConfiguration config = new
HierarchicalINIConfiguration(path);
+ config.clearTree(appId);
+ config.save();
+ LOG.debug("Removed the reference for the appId: {} from
{}", appId, path);
+ } catch(Exception e) {
+ LOG.warn("Exception occurred while fetching cookie for
app id: {} Exception: {}", appId, e);
+ }
+ }
+
--- End diff --
Okay, it'll rely on the default `umask` of the home directory.
I think it would make sense to change the permissions so that only the user
can read/write the file, using this method:
http://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html#setPosixFilePermissions%28java.nio.file.Path,%20java.util.Set%29
> Implement Service-Level Authorization
> -------------------------------------
>
> Key: FLINK-3930
> URL: https://issues.apache.org/jira/browse/FLINK-3930
> Project: Flink
> Issue Type: New Feature
> Components: Security
> Reporter: Eron Wright
> Assignee: Vijay Srinivasaraghavan
> Labels: security
> Original Estimate: 672h
> Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
> design doc._
> Service-level authorization is the initial authorization mechanism to ensure
> clients (or servers) connecting to the Flink cluster are authorized to do so.
> The purpose is to prevent a cluster from being used by an unauthorized
> user, whether to execute jobs, disrupt cluster functionality, or gain access
> to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
