KarmaGYZ commented on a change in pull request #15131:
URL: https://github.com/apache/flink/pull/15131#discussion_r593031429



##########
File path: flink-yarn/src/main/java/org/apache/flink/yarn/configuration/YarnConfigOptions.java
##########
@@ -344,6 +344,13 @@
                     .withDescription(
                             "A comma-separated list of additional 
Kerberos-secured Hadoop filesystems Flink is going to access. For example, 
yarn.security.kerberos.additionalFileSystems=hdfs://namenode2:9002,hdfs://namenode3:9003.
 The client submitting to YARN needs to have access to these file systems to 
retrieve the security tokens.");
 
+    public static final ConfigOption<Boolean> YARN_SECURITY_ENABLED =
+            key("yarn.security.kerberos.fetch.delegationToken.enabled")
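
Review bot: The constant name `YARN_SECURITY_ENABLED` on the first added line is much broader than the key it holds, `yarn.security.kerberos.fetch.delegationToken.enabled`, so call sites will read as if they toggle YARN security as a whole rather than delegation token fetching. A name that mirrors the key, for example `YARN_SECURITY_KERBEROS_FETCH_DELEGATION_TOKEN_ENABLED`, would avoid that. The option's description should also state the default value and where tokens are expected to come from when the option is set to false, since a missing token in a Kerberos-secured setup only surfaces later as an authentication failure.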

Review comment:
       We also need to generate the doc with `mvn clean package -Dgenerate-config-docs -pl flink-docs -am -nsu -DskipTests -Dcheckstyle.skip`

##########
File path: flink-yarn/src/main/java/org/apache/flink/yarn/Utils.java
##########
@@ -213,9 +213,9 @@ public static void setTokensFor(
 
         Collection<Token<? extends TokenIdentifier>> usrTok = 
currUsr.getTokens();
         for (Token<? extends TokenIdentifier> token : usrTok) {
-            final Text id = new Text(token.getIdentifier());
-            LOG.info("Adding user token " + id + " with " + token);
-            credentials.addToken(id, token);
+            final Text alias = new Text(token.getService());
+            LOG.info("Adding user token " + alias + " with " + token);
+            credentials.addToken(alias, token);
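
Review bot: Using `token.getService()` as the alias in `credentials.addToken(alias, token)` can silently drop tokens, because Hadoop `Credentials` stores tokens in a map keyed by alias: two entries in `usrTok` that report the same service (or both have no service set) would now overwrite one another, where `token.getIdentifier()` kept them distinct. Please add a code comment on the `final Text alias` line giving the reason for the switch, and consider detecting an alias that is already present before calling `addToken` so that a replaced token is at least logged.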

Review comment:
       Could you help me to understand why we need this and what the difference is between `token.getService()` and `token.getIdentifier()`? Thanks.

##########
File path: flink-yarn/src/main/java/org/apache/flink/yarn/YarnClusterDescriptor.java
##########
@@ -1081,13 +1081,22 @@ private ApplicationReport startAppMaster(
         if (UserGroupInformation.isSecurityEnabled()) {
             // set HDFS delegation tokens when security is enabled
             LOG.info("Adding delegation token to the AM container.");

Review comment:
       If `yarnFetchDelegationTokenEnabled == false`, we should not print this 
log.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
