[GitHub] [flink] becketqin commented on a diff in pull request #22509: [FLINK-31983] Add yarn Acls capability to Flink containers

Thu, 08 Jun 2023 06:33:52 -0700 


becketqin commented on code in PR #22509:
URL: https://github.com/apache/flink/pull/22509#discussion_r1223048306


##########
flink-yarn/src/main/java/org/apache/flink/yarn/Utils.java:
##########
@@ -620,4 +626,38 @@ public static YarnConfiguration getYarnConfiguration(
 
         return yarnConfig;
     }
+
+    /**
+     * Sets the application ACLs for the given ContainerLaunchContext based on 
the values specified
+     * in the given Flink configuration. Only ApplicationAccessType.VIEW_APP 
and
+     * ApplicationAccessType.MODIFY_APP ACLs are set, and only if they are 
configured in the Flink
+     * configuration. If the viewAcls or modifyAcls string contains the 
WILDCARD_ACL constant, it
+     * will replace the entire string with the WILDCARD_ACL. The resulting map 
is then set as the
+     * application acls for the given container launch context.
+     *
+     * @param amContainer the ContainerLaunchContext to set the ACLs for
+     * @param flinkConfig the Flink configuration to read the ACL values from
+     */
+    public static void setAclsFor(
+            ContainerLaunchContext amContainer,
+            org.apache.flink.configuration.Configuration flinkConfig) {
+        Map<ApplicationAccessType, String> acls = new HashMap<>();
+        String viewAcls = 
flinkConfig.getString(YarnConfigOptions.APPLICATION_VIEW_ACLS, null);
+        String modifyAcls = 
flinkConfig.getString(YarnConfigOptions.APPLICATION_MODIFY_ACLS, null);
+        if (viewAcls != null) {
+            if (viewAcls.contains(WILDCARD_ACL)) {

Review Comment:
   Will this lead to unexpected behavior? For example, users may provide an acl 
like:
   ```
   user1,user2,user_prefix_*
   ```
   In this case, they might think the user_prefix_* are parse correctly as a 
regex, while we silently replaced the entire ACL with a `*`. It seems that if 
we do not support such case, an exception should be thrown.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to