gaborgsomogyi commented on code in PR #21160:
URL: https://github.com/apache/flink/pull/21160#discussion_r1005428465
##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/HadoopModule.java:
##########
@@ -69,71 +60,34 @@ public void install() throws SecurityInstallException {
UserGroupInformation loginUser;
try {
- if (UserGroupInformation.isSecurityEnabled()
- && !StringUtils.isBlank(securityConfig.getKeytab())
- && !StringUtils.isBlank(securityConfig.getPrincipal())) {
- String keytabPath = (new
File(securityConfig.getKeytab())).getAbsolutePath();
-
-
UserGroupInformation.loginUserFromKeytab(securityConfig.getPrincipal(),
keytabPath);
-
- loginUser = UserGroupInformation.getLoginUser();
-
- // supplement with any available tokens
- String fileLocation =
-
System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
- if (fileLocation != null) {
- Credentials credentialsFromTokenStorageFile =
- Credentials.readTokenStorageFile(
- new File(fileLocation),
hadoopConfiguration);
-
- // if UGI uses Kerberos keytabs for login, do not load
HDFS delegation token
- // since
- // the UGI would prefer the delegation token instead,
which eventually expires
- // and does not fallback to using Kerberos tickets
- Credentials credentialsToBeAdded = new Credentials();
- final Text hdfsDelegationTokenKind = new
Text("HDFS_DELEGATION_TOKEN");
- final Text hbaseDelegationTokenKind = new
Text("HBASE_AUTH_TOKEN");
- Collection<Token<? extends TokenIdentifier>> usrTok =
- credentialsFromTokenStorageFile.getAllTokens();
- // If UGI use keytab for login, do not load HDFS/HBase
delegation token.
- for (Token<? extends TokenIdentifier> token : usrTok) {
- if (!token.getKind().equals(hdfsDelegationTokenKind)
- &&
!token.getKind().equals(hbaseDelegationTokenKind)) {
- credentialsToBeAdded.addToken(token.getService(),
token);
- }
+ KerberosLoginProvider kerberosLoginProvider = new
KerberosLoginProvider(securityConfig);
+ if (kerberosLoginProvider.isLoginPossible()) {
+ loginUser = kerberosLoginProvider.doLogin();
+
+ if (loginUser.isFromKeytab()) {
+ String fileLocation =
+
System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
+ if (fileLocation != null) {
+ Credentials credentials =
+ Credentials.readTokenStorageFile(
+ new File(fileLocation),
hadoopConfiguration);
+ loginUser.addCredentials(credentials);
}
-
- loginUser.addCredentials(credentialsToBeAdded);
- }
- } else {
- // login with current user credentials (e.g. ticket cache, OS
login)
- // note that the stored tokens are read automatically
- try {
- // Use reflection API to get the login user object
- // UserGroupInformation.loginUserFromSubject(null);
- Method loginUserFromSubjectMethod =
- UserGroupInformation.class.getMethod(
- "loginUserFromSubject", Subject.class);
- loginUserFromSubjectMethod.invoke(null, (Subject) null);
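Review bot: The new keytab branch (`if (loginUser.isFromKeytab())`) loads every token from `HADOOP_TOKEN_FILE_LOCATION` into the login user via `loginUser.addCredentials(credentials)`, whereas the removed code deliberately filtered out `HDFS_DELEGATION_TOKEN` and `HBASE_AUTH_TOKEN` for keytab logins because a UGI holding a delegation token prefers it over the TGT and does not fall back to Kerberos once that token expires. Unless the filtering was moved into `KerberosLoginProvider` or handled elsewhere in this PR, this silently reintroduces the expiry failure mode the old comment warned about for long-running jobs; the rationale comment should also survive the refactor so the next reader knows why the tokens are skipped. The proposed change below restores the filter inside the existing `fileLocation != null` block (the `Text`, `Token` and `TokenIdentifier` imports would need to stay). `install()` continues past this hunk, so the branch that replaces the removed `loginUserFromSubject` fallback is not visible here.
```java
if (fileLocation != null) {
    Credentials credentials =
            Credentials.readTokenStorageFile(new File(fileLocation), hadoopConfiguration);
    // A keytab-based UGI prefers delegation tokens over its Kerberos ticket and does
    // not fall back to the keytab once they expire, so skip HDFS/HBase tokens here.
    Credentials credentialsToBeAdded = new Credentials();
    final Text hdfsDelegationTokenKind = new Text("HDFS_DELEGATION_TOKEN");
    final Text hbaseDelegationTokenKind = new Text("HBASE_AUTH_TOKEN");
    for (Token<? extends TokenIdentifier> token : credentials.getAllTokens()) {
        if (!token.getKind().equals(hdfsDelegationTokenKind)
                && !token.getKind().equals(hbaseDelegationTokenKind)) {
            credentialsToBeAdded.addToken(token.getService(), token);
        }
    }
    loginUser.addCredentials(credentialsToBeAdded);
}
```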
Review Comment:
@steveloughran here is another similar question:
AFAIK `UserGroupInformation.loginUserFromSubject` does the same as
```
ugi = UserGroupInformation.getUGIFromTicketCache
UserGroupInformation.setLoginUser(ugi);
```
right?