From: EronWright
To: issues@flink.incubator.apache.org
Reply-To: issues@flink.incubator.apache.org
Subject: [GitHub] flink issue #5172: [FLINK-8275] [Security] fix keytab local path in YarnTask...
Message-Id: <20171218192303.3F785DFFD9@git1-us-west.apache.org>
Date: Mon, 18 Dec 2017 19:23:03 +0000 (UTC)

Github user EronWright commented on the issue:

    https://github.com/apache/flink/pull/5172

This PR probably fixes the problem, but it would be good to address the deeper problem that the code is confusing. At least we could add some commentary to the code. The specific problems, in my view, are:

1. A filename is transmitted from client -> AM -> TM in the env variable `_KEYTAB_PATH` but the value doesn't appear to be used. In effect it is a flag asserting that a keytab named `krb5.keytab` is available. Alternatives:
   a. Use `krb5.keytab` as the value.
   b. Eliminate the env check and simply look for the file; if present, use it.

2. The existence of the "integration test code" has an unclear purpose. It mutates the Hadoop configuration, why? Is the code active in any production scenario?

Note that `YarnTaskExecutorRunner` implements this in a slightly different way, and should be re-tested for 1.5.0 (since I don't think it is in use yet).