[ 
https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15805609#comment-15805609
 ] 

ASF GitHub Bot commented on FLINK-5364:
---------------------------------------

Github user StephanEwen commented on a diff in the pull request:

    https://github.com/apache/flink/pull/3057#discussion_r95003470
  
    --- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/security/DynamicConfiguration.java
 ---
    @@ -0,0 +1,112 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.flink.runtime.security;
    +
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +import scala.Array;
    +
    +import javax.annotation.Nullable;
    +import javax.security.auth.login.AppConfigurationEntry;
    +import javax.security.auth.login.Configuration;
    +import java.util.Arrays;
    +import java.util.HashMap;
    +import java.util.Map;
    +
    +
    +/**
    + * A dynamic JAAS configuration.
    + *
    + * Makes it possible to define Application Configuration Entries (ACEs) at 
runtime, building upon
    + * an (optional) underlying configuration.   Entries from the underlying 
configuration take
    + * precedence over dynamic entries.
    + */
    +public class DynamicConfiguration extends Configuration {
    +
    +   protected static final Logger LOG = 
LoggerFactory.getLogger(DynamicConfiguration.class);
    +
    +   private final Configuration delegate;
    +
    +   private final Map<String,AppConfigurationEntry[]> dynamicEntries = new 
HashMap<>();
    +
    +   /**
    +    * Create a dynamic configuration.
    +    * @param delegate an underlying configuration to delegate to, or null.
    +     */
    +   public DynamicConfiguration(@Nullable Configuration delegate) {
    +           this.delegate = delegate;
    +   }
    +
    +   /**
    +    * Add entries for the given application name.
    +     */
    +   public void addAppConfigurationEntry(String name, 
AppConfigurationEntry... entry) {
    +           final AppConfigurationEntry[] existing = 
dynamicEntries.get(name);
    +           final AppConfigurationEntry[] updated;
    +           if(existing == null) {
    +                   updated = Arrays.copyOf(entry, entry.length);
    +           }
    +           else {
    +                   updated = merge(existing, entry);
    +           }
    +           dynamicEntries.put(name, updated);
    +   }
    +
    +   /**
    +    * Retrieve the AppConfigurationEntries for the specified <i>name</i>
    +    * from this Configuration.
    +    *
    +    * <p>
    +    *
    +    * @param name the name used to index the Configuration.
    +    *
    +    * @return an array of AppConfigurationEntries for the specified 
<i>name</i>
    +    *          from this Configuration, or null if there are no entries
    +    *          for the specified <i>name</i>
    +    */
    +   @Override
    +   public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    +           AppConfigurationEntry[] entry = null;
    +           if(delegate != null) {
    +                   entry = delegate.getAppConfigurationEntry(name);
    +           }
    +           final AppConfigurationEntry[] existing = 
dynamicEntries.get(name);
    +           if(existing != null) {
    +                   if(entry != null) {
    +                           entry = merge(entry, existing);
    +                   }
    +                   else {
    +                           entry = Arrays.copyOf(existing, 
existing.length);
    +                   }
    +           }
    +           return entry;
    +   }
    +
    +   private static AppConfigurationEntry[] merge(AppConfigurationEntry[] a, 
AppConfigurationEntry[] b) {
    +           AppConfigurationEntry[] merged = Arrays.copyOf(a, a.length + 
b.length);
    +           Array.copy(b, 0, merged, a.length, b.length);
    --- End diff --
    
    Can we use `System.arrayCopy()` here to avoid a dependency on Scala in this 
part of the code?


> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
>                 Key: FLINK-5364
>                 URL: https://issues.apache.org/jira/browse/FLINK-5364
>             Project: Flink
>          Issue Type: Bug
>          Components: Cluster Management
>            Reporter: Eron Wright 
>            Assignee: Eron Wright 
>            Priority: Critical
>              Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the 
> handling of JAAS configuration.   
> 1. the MapR distribution relies on an explicit JAAS conf, rather than 
> in-memory conf used by stock Hadoop.
> 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent 
> (one can enable each element separately) but isn't.
> Perhaps we should rework the JAAS conf code to merge any user-supplied 
> configuration with our defaults, rather than using an all-or-nothing 
> approach.   
> We should also address some recent regressions:
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to 
> login with UserGroupInformation, which:
> - handles the HADOOP_USER_NAME variable.
> - installs an OS-specific user principal (from UnixLoginModule etc.) 
> unrelated to Kerberos.
> - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and 
> Kerberos ticket cache.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to