[
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15632707#comment-15632707
]
ASF GitHub Bot commented on FLINK-3930:
---------------------------------------
Github user mxm commented on a diff in the pull request:
https://github.com/apache/flink/pull/2425#discussion_r86340045
--- Diff:
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -788,75 +719,125 @@ private void logAndSysout(String message) {
}
}
- public static File getYarnPropertiesLocation(Configuration conf) {
- String defaultPropertiesFileLocation =
System.getProperty("java.io.tmpdir");
- String currentUser = System.getProperty("user.name");
- String propertiesFileLocation =
-
conf.getString(ConfigConstants.YARN_PROPERTIES_FILE_LOCATION,
defaultPropertiesFileLocation);
-
- return new File(propertiesFileLocation, YARN_PROPERTIES_FILE +
currentUser);
+ public static File getYarnPropertiesLocation() {
+ String path = System.getProperty("user.home") + File.separator
+ YARN_APP_INI;
+ File stateFile;
+ try {
+ stateFile = new File(path);
+ if(!stateFile.exists()) {
+ stateFile.createNewFile();
+ }
+ } catch(IOException e) {
+ throw new RuntimeException(e);
+ }
+ return stateFile;
}
- public static void persistAppState(String appId, String cookie) {
- if(appId == null || cookie == null) {
- return;
+ public static void persistAppState(YarnAppState appState) {
+
+ final String appId = appState.getApplicationId();
+ final String parallelism = appState.getParallelism();
+ final String dynaProps = appState.getDynamicProperties();
+ final String cookie = appState.getCookie();
+
+ if(appId == null) {
+ throw new RuntimeException("Missing application ID from
Yarn application state");
}
- String path = System.getProperty("user.home") + File.separator
+ fileName;
- LOG.debug("Going to persist cookie for the appID: {} in {} ",
appId, path);
+
+ String path = getYarnPropertiesLocation().getAbsolutePath();
+
+ LOG.debug("Going to persist Yarn application state: {} in {}",
appState,path);
+
try {
- File f = new File(path);
- if(!f.exists()) {
- f.createNewFile();
- }
HierarchicalINIConfiguration config = new
HierarchicalINIConfiguration(path);
+
SubnodeConfiguration subNode = config.getSection(appId);
- if (subNode.containsKey(cookieKey)) {
- String errorMessage = "Secure Cookie is already
found in "+ path + " for the appID: "+ appId;
- LOG.error(errorMessage);
- throw new RuntimeException(errorMessage);
+ if(!subNode.isEmpty()) {
+ throw new RuntimeException("Application with ID
" + appId + "already exists");
}
- subNode.addProperty(cookieKey, cookie);
+
+ subNode.addProperty(YARN_PROPERTIES_PARALLELISM,
parallelism);
+
subNode.addProperty(YARN_PROPERTIES_DYNAMIC_PROPERTIES_STRING, dynaProps);
+ subNode.addProperty(YARN_PROPERTIES_SECURE_COOKIE,
cookie);
+
+ //update latest entry section with the most recent APP
Id
+ config.clearTree(YARN_LATEST_ENTRY_SECTION_NAME);
+ SubnodeConfiguration activeAppSection =
config.getSection(YARN_LATEST_ENTRY_SECTION_NAME);
+ activeAppSection.addProperty(YARN_APPLICATION_ID_KEY,
appId);
+
config.save();
- LOG.debug("Persisted cookie for the appID: {}", appId);
+ LOG.debug("Persisted Yarn App state: {}", appState);
} catch(Exception e) {
- LOG.error("Exception occurred while persisting app
state for app id: {}", appId, e);
throw new RuntimeException(e);
}
}
- public static String getAppSecureCookie(String appId) {
+ public static YarnAppState retrieveMostRecentYarnApp() {
+ String path = getYarnPropertiesLocation().getAbsolutePath();
+ LOG.debug("Going to fetch app state from {}", path);
+ try {
+ HierarchicalINIConfiguration config = new
HierarchicalINIConfiguration(path);
+ SubnodeConfiguration subNode =
config.getSection(YARN_LATEST_ENTRY_SECTION_NAME);
+ String appId =
subNode.getString(YARN_APPLICATION_ID_KEY, null);
+ if(null != appId) {
+ return retrieveYarnAppState(appId);
+ }
+ } catch(Exception e) {
+ throw new RuntimeException(e);
+ }
+ return null;
+ }
+
+ public static YarnAppState retrieveYarnAppState(String appId) {
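Review bot: The state file that receives the secure cookie is created in `getYarnPropertiesLocation()` with a plain `stateFile.createNewFile()`, so its mode comes from the process umask and the file under `user.home` may be readable by other local accounts on a shared host. Creating it owner-only would keep the shared secret private, for example `Files.createFile(stateFile.toPath(), PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));` on POSIX file systems, together with a permission check when an existing file is reused. Both `LOG.debug` calls in `persistAppState` format `appState`; if `YarnAppState.toString()` includes the cookie (its definition is not visible here), the secret would end up in debug logs, so logging only `appId` is the safer choice. The quoted hunk stops at the signature of `retrieveYarnAppState`, whose body lies outside the visible lines.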
--- End diff --
You could pass the config here which would avoid re-creating it in this
method.
> Implement Service-Level Authorization
> -------------------------------------
>
> Key: FLINK-3930
> URL: https://issues.apache.org/jira/browse/FLINK-3930
> Project: Flink
> Issue Type: New Feature
> Components: Security
> Reporter: Eron Wright
> Assignee: Vijay Srinivasaraghavan
> Labels: security
> Original Estimate: 672h
> Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
> design doc._
> Service-level authorization is the initial authorization mechanism to ensure
> clients (or servers) connecting to the Flink cluster are authorized to do so.
> The purpose is to prevent a cluster from being used by an unauthorized
> user, whether to execute jobs, disrupt cluster functionality, or gain access
> to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard