use of org.apache.flink.runtime.security.SecurityConfiguration in project flink by apache.
the class TaskManagerRunner method runTaskManagerProcessSecurely.
/**
 * Bootstraps the TaskManager process, runs it through the installed security context and
 * terminates the JVM with the resulting exit code.
 *
 * <p>The call order is significant: the security manager, plugin manager, file systems and
 * changelog storage are initialised first, then the {@code SecurityConfiguration} is installed,
 * and only afterwards is {@code runTaskManager} invoked via {@code runSecured}. This method never
 * returns normally because it always ends in {@link System#exit(int)}.
 *
 * @param configuration Flink configuration used by every initialisation step and to build the
 *     {@code SecurityConfiguration}
 */
public static void runTaskManagerProcessSecurely(Configuration configuration) {
    FlinkSecurityManager.setFromConfiguration(configuration);

    final PluginManager plugins = PluginUtils.createPluginManagerFromRootFolder(configuration);
    FileSystem.initialize(configuration, plugins);
    StateChangelogStorageLoader.initialize(plugins);

    ClusterEntrypointUtils.configureUncaughtExceptionHandler(configuration);

    int status;
    Throwable failure = null;
    try {
        // Fail closed: if installing the security configuration throws, runTaskManager is never
        // reached and the process exits with FAILURE_EXIT_CODE instead of running unsecured.
        SecurityUtils.install(new SecurityConfiguration(configuration));
        status =
                SecurityUtils.getInstalledContext()
                        .runSecured(() -> runTaskManager(configuration, plugins));
    } catch (Throwable t) {
        // Process boundary, so everything is caught. stripException presumably unwraps
        // UndeclaredThrowableException so the real cause is what gets logged; confirm.
        failure = ExceptionUtils.stripException(t, UndeclaredThrowableException.class);
        status = FAILURE_EXIT_CODE;
    }

    if (failure == null) {
        LOG.info("Terminating TaskManagerRunner with exit code {}.", status);
    } else {
        LOG.error("Terminating TaskManagerRunner with exit code {}.", status, failure);
    }
    System.exit(status);
}
use of org.apache.flink.runtime.security.SecurityConfiguration in project flink by apache.
the class YARNSessionFIFOSecuredITCase method setup.
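/**
 * Prepares the secured YARN test cluster: configures the FIFO scheduler and memory limits,
 * prepares the secure test environment, installs a testing security context built from the test
 * keytab and principal, and starts YARN in secure mode inside that context.
 *
 * @throws RuntimeException if installing the security context or starting YARN fails; the
 *     original exception is kept as the cause
 */
@BeforeClass
public static void setup() {
    LOG.info("starting secure cluster environment for testing");

    YARN_CONFIGURATION.setClass(
            YarnConfiguration.RM_SCHEDULER, FifoScheduler.class, ResourceScheduler.class);
    YARN_CONFIGURATION.setInt(YarnConfiguration.NM_PMEM_MB, 768);
    YARN_CONFIGURATION.setInt(YarnConfiguration.RM_SCHEDULER_MINIMUM_ALLOCATION_MB, 512);
    YARN_CONFIGURATION.set(YarnTestBase.TEST_CLUSTER_NAME_KEY, "flink-yarn-tests-fifo-secured");

    SecureTestEnvironment.prepare(tmp);

    // The same test keytab and service principal are used for the YARN side and the Flink side.
    populateYarnSecureConfigurations(
            YARN_CONFIGURATION,
            SecureTestEnvironment.getHadoopServicePrincipal(),
            SecureTestEnvironment.getTestKeytab());

    Configuration flinkConfig = new Configuration();
    flinkConfig.setString(
            SecurityOptions.KERBEROS_LOGIN_KEYTAB, SecureTestEnvironment.getTestKeytab());
    flinkConfig.setString(
            SecurityOptions.KERBEROS_LOGIN_PRINCIPAL,
            SecureTestEnvironment.getHadoopServicePrincipal());

    // Setting customized security module class.
    // The factory reads this static field, so it is assigned before the context is installed
    // (presumably the factory is instantiated during install; confirm).
    TestHadoopModuleFactory.hadoopConfiguration = YARN_CONFIGURATION;
    flinkConfig.set(
            SecurityOptions.SECURITY_MODULE_FACTORY_CLASSES,
            Collections.singletonList("org.apache.flink.yarn.util.TestHadoopModuleFactory"));
    flinkConfig.set(
            SecurityOptions.SECURITY_CONTEXT_FACTORY_CLASSES,
            Collections.singletonList(
                    "org.apache.flink.yarn.util.TestHadoopSecurityContextFactory"));

    SecurityConfiguration securityConfig = new SecurityConfiguration(flinkConfig);

    try {
        TestingSecurityContext.install(
                securityConfig, SecureTestEnvironment.getClientSecurityConfigurationMap());

        // This is needed to ensure that SecurityUtils are run within a ugi.doAs section
        // Since we already logged in here in @BeforeClass, even a no-op security context will
        // still work.
        // The assertion throws AssertionError, which the catch (Exception) below does not
        // intercept, so a wrong context type fails the class setup directly.
        Assert.assertTrue(
                "HadoopSecurityContext must be installed",
                SecurityUtils.getInstalledContext() instanceof HadoopSecurityContext);

        SecurityUtils.getInstalledContext()
                .runSecured(
                        () -> {
                            startYARNSecureMode(
                                    YARN_CONFIGURATION,
                                    SecureTestEnvironment.getHadoopServicePrincipal(),
                                    SecureTestEnvironment.getTestKeytab());
                            return null;
                        });
    } catch (Exception e) {
        // RuntimeException does not expand SLF4J-style "{}" placeholders, so the message is
        // plain text and the reason is carried by the cause.
        throw new RuntimeException(
                "Exception occurred while setting up secure test context.", e);
    }
}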
use of org.apache.flink.runtime.security.SecurityConfiguration in project flink by apache.
the class FlinkYarnSessionCli method main.
/**
 * Command-line entry point for the YARN session client.
 *
 * <p>Loads the global Flink configuration, installs the security configuration derived from it,
 * runs the CLI through the installed security context and exits the JVM with the resulting
 * return code.
 *
 * @param args command-line arguments handed to {@code FlinkYarnSessionCli#run}
 */
public static void main(final String[] args) {
    final String confDir = CliFrontend.getConfigurationDirectoryFromEnv();
    final Configuration flinkConf = GlobalConfiguration.loadConfiguration();

    int exitStatus;
    try {
        final FlinkYarnSessionCli sessionCli =
                new FlinkYarnSessionCli(
                        flinkConf,
                        confDir,
                        "", // no prefix for the YARN session
                        "");

        // The security configuration is installed before any CLI work runs, and the CLI itself
        // only executes through runSecured.
        SecurityUtils.install(new SecurityConfiguration(flinkConf));
        exitStatus = SecurityUtils.getInstalledContext().runSecured(() -> sessionCli.run(args));
    } catch (CliArgsException e) {
        // Argument errors have their own handler; this clause must stay ahead of the
        // catch-all below.
        exitStatus = handleCliArgsException(e, LOG);
    } catch (Throwable t) {
        // Covers failures from constructing the CLI, installing security, or the run itself.
        final Throwable unwrapped =
                ExceptionUtils.stripException(t, UndeclaredThrowableException.class);
        exitStatus = handleError(unwrapped, LOG);
    }

    System.exit(exitStatus);
}
use of org.apache.flink.runtime.security.SecurityConfiguration in project flink by apache.
the class YarnTaskExecutorRunnerTest method testPreInstallKerberosKeytabConfiguration.
/**
 * Checks that the keytab principal and local keytab path passed through the environment map end
 * up both in the Flink configuration and in the security config of the installed
 * {@code HadoopModule}.
 */
@Test
public void testPreInstallKerberosKeytabConfiguration() throws Exception {
    final String resourceDirPath =
            Paths.get("src", "test", "resources").toAbsolutePath().toString();

    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, "testuser1@domain");
    // Try directly resolving local path when no remote keytab path is provided.
    envs.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, "src/test/resources/krb5.keytab");

    Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupAndModifyConfiguration(configuration, resourceDirPath, envs);

    // the SecurityContext is installed on TaskManager startup
    SecurityUtils.install(new SecurityConfiguration(configuration));

    final List<SecurityModule> installedModules = SecurityUtils.getInstalledModules();
    Optional<SecurityModule> hadoopCandidate =
            installedModules.stream().filter(HadoopModule.class::isInstance).findFirst();

    // A missing HadoopModule is a test failure, not a silent pass.
    if (!hadoopCandidate.isPresent()) {
        fail("Can not find HadoopModule!");
    } else {
        HadoopModule hadoopModule = (HadoopModule) hadoopCandidate.get();
        assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is("testuser1@domain"));
        // Using containString verification as the absolute path varies depending on runtime
        // environment
        assertThat(
                hadoopModule.getSecurityConfig().getKeytab(),
                containsString("src/test/resources/krb5.keytab"));
    }

    // The configuration object itself must also carry the resolved keytab and principal.
    assertThat(
            configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB),
            containsString("src/test/resources/krb5.keytab"));
    assertThat(
            configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL),
            is("testuser1@domain"));
}
use of org.apache.flink.runtime.security.SecurityConfiguration in project flink by apache.
the class JaasModuleTest method testJaasModuleFilePath.
/**
* Test that the jaas config file is created in the working directory.
*/
private void testJaasModuleFilePath(String workingDir) throws IOException {
    // CoreOptions.TMP_DIRS stands in for the working directory in this test.
    final Configuration flinkConf = new Configuration();
    flinkConf.setString(CoreOptions.TMP_DIRS, workingDir);

    // Installing the module is what should produce the JAAS config file.
    final JaasModule jaasModule = new JaasModule(new SecurityConfiguration(flinkConf));
    jaasModule.install();

    // The file must be located under the directory configured above.
    assertJaasFileLocateInRightDirectory(workingDir);
}