[GitHub] [flink] gaborgsomogyi commented on a diff in pull request #22009: [FLINK-31109][yarn] Support Hadoop proxy user when delegation token f…

[via GitHub]

gaborgsomogyi commented on code in PR #22009:
URL: https://github.com/apache/flink/pull/22009#discussion_r1116617650


##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/HadoopModule.java:
##########
@@ -70,10 +71,22 @@ public void install() throws SecurityInstallException {
 
         try {
             KerberosLoginProvider kerberosLoginProvider = new 
KerberosLoginProvider(securityConfig);
-            if (kerberosLoginProvider.isLoginPossible()) {
-                kerberosLoginProvider.doLogin();
+            if (kerberosLoginProvider.isLoginPossible(true)) {
+                kerberosLoginProvider.doLogin(true);
                 loginUser = UserGroupInformation.getLoginUser();
 
+                if (HadoopUserUtils.isProxyUser((loginUser))

Review Comment:
   I think it's good to add this in general not to change the original 
behavior. I'm just writing down a possible future consideration so no change 
needed for now.
   
   This pointed me to an edge case where a user wants to use proxy user support 
w/ non-Hadoop delegation tokens like S3. The original implementation is not 
allowing to do this but maybe there is a need for it. I need some more time to 
consider this in-depth. Later on we might remove this check when the use-cases 
expecting that.
   



##########
flink-runtime/src/test/java/org/apache/flink/runtime/security/token/hadoop/KerberosLoginProviderITCase.java:
##########
@@ -57,7 +58,7 @@ public void isLoginPossibleMustReturnFalseByDefault() throws 
IOException {
             UserGroupInformation userGroupInformation = 
mock(UserGroupInformation.class);
             
ugi.when(UserGroupInformation::getCurrentUser).thenReturn(userGroupInformation);
 
-            assertFalse(kerberosLoginProvider.isLoginPossible());
+            assertFalse(kerberosLoginProvider.isLoginPossible(true));

Review Comment:
   Such original tests are testing the no proxy cases. I would either set the 
new boolean on all non-proxy cases to false or test both proxy and non-proxy 
cases (true + false too) to be 100% sure that the original behavior is covered. 
It's your choice. Since we're under time pressure I would vote on the first.



##########
flink-runtime/src/main/java/org/apache/flink/runtime/security/token/hadoop/KerberosLoginProvider.java:
##########
@@ -99,6 +101,8 @@ public void doLogin() throws IOException {
             LOG.info("Attempting to load user's ticket cache");
             UserGroupInformation.loginUserFromSubject(null);
             LOG.info("Loaded user's ticket cache successfully");
+        } else if (supportProxyUser) {
+            LOG.info("Delegation token fetch is managed and therefore login is 
managed");

Review Comment:
   Maybe we can say something like: `Proxy user doesn't need login since it 
must have credentials already`. I think `KerberosLoginProvider` shouldn't know 
about tokens at all.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@flink.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org