use of org.apache.flink.runtime.security.modules.SecurityModule in project flink by apache.
the class YarnTaskExecutorRunnerTest method testPreInstallKerberosKeytabConfiguration.
/**
 * Checks the keytab wiring when only a local keytab path is supplied through the environment:
 * the principal and keytab must show up both in the installed {@code HadoopModule}'s security
 * config and in the Flink {@code Configuration}.
 */
@Test
public void testPreInstallKerberosKeytabConfiguration() throws Exception {
    final String principal = "testuser1@domain";
    final String relativeKeytab = "src/test/resources/krb5.keytab";
    final String resourceDirPath =
            Paths.get("src", "test", "resources").toAbsolutePath().toString();

    // No remote keytab path is set, so the local path is expected to be resolved directly.
    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, principal);
    envs.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, relativeKeytab);

    final Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupAndModifyConfiguration(configuration, resourceDirPath, envs);

    // Mirrors TaskManager startup, where the SecurityContext is installed.
    // NOTE(review): nothing in this method undoes the install; confirm the test class resets
    // the installed security state elsewhere so it cannot leak into other tests.
    SecurityUtils.install(new SecurityConfiguration(configuration));

    final List<SecurityModule> installed = SecurityUtils.getInstalledModules();
    final Optional<SecurityModule> hadoopCandidate =
            installed.stream().filter(HadoopModule.class::isInstance).findFirst();
    if (!hadoopCandidate.isPresent()) {
        fail("Can not find HadoopModule!");
    }

    final HadoopModule hadoopModule = (HadoopModule) hadoopCandidate.get();
    assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is(principal));
    // containsString rather than an exact match: the absolute prefix depends on where the
    // test runs.
    assertThat(hadoopModule.getSecurityConfig().getKeytab(), containsString(relativeKeytab));

    assertThat(
            configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB),
            containsString(relativeKeytab));
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(principal));
}
use of org.apache.flink.runtime.security.modules.SecurityModule in project flink by apache.
the class SecurityUtils method install.
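/**
 * Installs a process-wide security configuration.
 *
 * <p>Every module class returned by {@code config.getSecurityModules()} is instantiated through
 * its no-argument constructor and installed with {@code config}. Once all modules are installed,
 * the Hadoop login user becomes the subject of the installed security context.
 *
 * <p>If a module fails, the modules installed before it in the same call are not undone by this
 * method and the recorded module list is left as it was before the call.
 *
 * @param config the security configuration handed to each module
 * @throws Exception if a module cannot be instantiated or installed (the original failure is
 *     kept as the cause); an exception from {@code UserGroupInformation.getLoginUser()}
 *     propagates unwrapped
 */
public static void install(SecurityConfiguration config) throws Exception {
    // install the security modules
    List<SecurityModule> modules = new ArrayList<>();
    try {
        for (Class<? extends SecurityModule> moduleClass : config.getSecurityModules()) {
            // Class.newInstance() is deprecated because it rethrows checked constructor
            // exceptions without declaring them; go through the constructor object instead.
            SecurityModule module = moduleClass.getDeclaredConstructor().newInstance();
            module.install(config);
            modules.add(module);
        }
    } catch (Exception ex) {
        // NOTE(review): earlier modules of this loop stay installed at this point; whether a
        // rollback is needed depends on what callers do after this failure.
        throw new Exception("unable to establish the security context", ex);
    }
    installedModules = modules;

    // Replacing an already installed context is only logged, not prevented.
    if (!(installedContext instanceof NoOpSecurityContext)) {
        LOG.warn("overriding previous security context");
    }

    // use the Hadoop login user as the subject of the installed security context
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    installedContext = new HadoopSecurityContext(loginUser);
}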
use of org.apache.flink.runtime.security.modules.SecurityModule in project flink by apache.
the class SecurityUtils method installModules.
/**
 * Creates one security module per configured module factory, installs it, and records the
 * installed modules.
 *
 * <p>A factory that returns {@code null} is skipped. If a later factory or module fails, the
 * modules installed earlier in the same call are not undone here and the recorded module list
 * is not updated.
 *
 * @param config the security configuration passed to every module factory
 * @throws IllegalArgumentException if a configured factory name cannot be resolved
 * @throws Exception if creating or installing a module fails
 */
static void installModules(SecurityConfiguration config) throws Exception {
    final List<SecurityModule> installed = new ArrayList<>();

    for (String factoryName : config.getSecurityModuleFactories()) {
        final SecurityModuleFactory factory;
        try {
            factory = SecurityFactoryServiceLoader.findModuleFactory(factoryName);
        } catch (NoMatchSecurityFactoryException ne) {
            LOG.error("Unable to instantiate security module factory {}", factoryName);
            throw new IllegalArgumentException("Unable to find module factory class", ne);
        }

        final SecurityModule created = factory.createModule(config);
        if (created == null) {
            // A factory yields null when its module is not supported in this environment.
            continue;
        }
        created.install();
        installed.add(created);
    }

    installedModules = installed;
}
use of org.apache.flink.runtime.security.modules.SecurityModule in project flink by apache.
the class YarnTaskExecutorRunnerTest method testDefaultKerberosKeytabConfiguration.
/**
 * Checks the keytab wiring when a remote keytab path is supplied and the local keytab path is
 * the default of {@code YarnConfigOptions.LOCALIZED_KEYTAB_PATH}: the keytab must resolve to
 * that default name inside the resource directory, in both the installed {@code HadoopModule}
 * and the Flink {@code Configuration}.
 */
@Test
public void testDefaultKerberosKeytabConfiguration() throws Exception {
    final String principal = "testuser1@domain";
    final String resourceDirPath =
            Paths.get("src", "test", "resources").toAbsolutePath().toString();

    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, principal);
    envs.put(YarnConfigKeys.REMOTE_KEYTAB_PATH, resourceDirPath);
    // The local keytab path takes the default of YarnConfigOptions.LOCALIZED_KEYTAB_PATH.
    envs.put(
            YarnConfigKeys.LOCAL_KEYTAB_PATH,
            YarnConfigOptions.LOCALIZED_KEYTAB_PATH.defaultValue());

    final Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupAndModifyConfiguration(configuration, resourceDirPath, envs);

    // Mirrors TaskManager startup, where the SecurityContext is installed.
    // NOTE(review): nothing in this method undoes the install; confirm the test class resets
    // the installed security state elsewhere so it cannot leak into other tests.
    SecurityUtils.install(new SecurityConfiguration(configuration));

    final List<SecurityModule> installed = SecurityUtils.getInstalledModules();
    final Optional<SecurityModule> hadoopCandidate =
            installed.stream().filter(HadoopModule.class::isInstance).findFirst();
    if (!hadoopCandidate.isPresent()) {
        fail("Can not find HadoopModule!");
    }

    final HadoopModule hadoopModule = (HadoopModule) hadoopCandidate.get();
    assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is(principal));
    assertThat(
            hadoopModule.getSecurityConfig().getKeytab(),
            is(new File(resourceDirPath, YarnConfigOptions.LOCALIZED_KEYTAB_PATH.defaultValue())
                    .getAbsolutePath()));

    assertThat(
            configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB),
            is(new File(resourceDirPath, YarnConfigOptions.LOCALIZED_KEYTAB_PATH.defaultValue())
                    .getAbsolutePath()));
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(principal));
}