flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From EronWright <...@git.apache.org>
Subject [GitHub] flink issue #5172: [FLINK-8275] [Security] fix keytab local path in YarnTask...
Date Mon, 18 Dec 2017 19:23:03 GMT
Github user EronWright commented on the issue:

    https://github.com/apache/flink/pull/5172
  
    This PR probably fixes the problem, but it would be good to address the deeper problem
that the code is confusing.   At least we could add some commentary to the code.  The specific
problems, in my view, are:
    1. A filename is transmitted from client -> AM -> TM in the env variable `_KEYTAB_PATH`
but the value doesn't appear to be used.   In effect it is a flag asserting that a keytab
named `krb5.keytab` is available.  Alternatives:
      a. Use `krb5.keytab` as the value.
      b. Eliminate the env check and simply look for the file; if present, use it.
    2. The existence of the "integration test code" has an unclear purpose.   It mutates the
Hadoop configuration, why?   Is the code active in any production scenario?
    
    Note that `YarnTaskExecutorRunner` implements this in a slightly different way, and should
be re-tested for 1.5.0 (since I don't think it is in use yet).



---

Mime
View raw message