[FLINK-22534] Set delegation token's service name as credential alias #15810
Could you explain why we don't need the deep copy as the alias any more (or why we needed it before)?
I'd prefer to avoid such subtle changes especially since HDFS-9276 also introduced some deep copy constructor: https://issues.apache.org/jira/browse/HDFS-9276?focusedCommentId=15391195&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15391195

@lirui-apache Let me explain this a little bit.

1. A `Token` instance is passed to the constructor of `PrivateToken`. In the view of the `PrivateToken` class, a defensive copy is certainly needed.
2. `token`, along with its referencing objects `usrTok` and `credentialsFromTokenStorageFile`, are all local variables. `credentialsFromTokenStorageFile` comes from reading a file. Therefore, a deep copy is not as necessary here as it is in HDFS-9276.
3. `token.getIdentifier()` returns a `byte[]`, while `token.getService()` returns a `Text`. This is probably why it looks like a deep copy was removed in this change. The fact is that prior to this change, it didn't make a deep copy either.

Hey @ChengbingLiu, thanks for the explanations. I'm not very familiar with this topic. So I have some follow-up questions.

1. "Whenever the content of token.service is changed, publicService will reflect the change. I don't think this is what we want." So I wonder whether we need to guard against similar situations. E.g. when `token.service` is changed, do we want it to be reflected in the `Credentials::tokenMap`?
2. `usrTok` is indeed local in `HadoopModule`. However, a similar change is made in `Utils::setTokensFor` where `usrTok` is retrieved from the current UGI and therefore is not local to the method. Will that be an issue for us?
3. `Text(byte[])` and `Text(Text)` copy the byte array. So prior to this change, we do make a deep copy, no?

1. No, we don't want that. But that should not happen with this change, explained below.
2. I don't think so. In `Utils::setTokensFor`, all tokens retrieved from the UGI are used to construct the local variable `credentials`, which is then serialized into `ByteBuffer securityTokens`, which will not reflect the change in the UGI.
3. Sorry for not making myself clear. I think the purpose of the previous code `new Text(token.getIdentifier())` was type conversion instead of deep copy, otherwise it should look like `addToken(new Text(...), new Token(token))`.

I see. Since `credentials` is serialized right away, I'm fine with this change.

Thanks to my mentor @ChengbingLiu for the explanations. Thanks to @lirui-apache for the review.
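
The aliasing question discussed in this thread, as an added example that is not part of the pull request or of the Flink/Hadoop code base: `MutableText` is a hypothetical stand-in for a mutable key type such as Hadoop's `Text`, and the service names and token value are constructed. It contrasts a map key shared with the token's service against a copied key, and takes a snapshot right away to stand in for immediate serialization.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class AliasCopyDemo {
    // Hypothetical stand-in for a mutable, hashable text type such as Hadoop's Text.
    static final class MutableText {
        private byte[] bytes;
        MutableText(String s) { set(s); }
        MutableText(MutableText other) { bytes = other.bytes.clone(); } // copying constructor
        void set(String s) { bytes = s.getBytes(StandardCharsets.UTF_8); }
        @Override public boolean equals(Object o) {
            return o instanceof MutableText && Arrays.equals(bytes, ((MutableText) o).bytes);
        }
        @Override public int hashCode() { return Arrays.hashCode(bytes); }
        @Override public String toString() { return new String(bytes, StandardCharsets.UTF_8); }
    }

    public static void main(String[] args) {
        MutableText service = new MutableText("ha-hdfs:ns1"); // constructed service name

        // Alias is the very object the token exposes as its service (no copy).
        Map<MutableText, String> shared = new HashMap<>();
        shared.put(service, "token-bytes");

        // Alias is a defensive copy of the service.
        Map<MutableText, String> copied = new HashMap<>();
        copied.put(new MutableText(service), "token-bytes");

        // Snapshot taken right away, standing in for immediate serialization.
        String snapshot = shared.keySet().toString();

        // Later mutation of the service object held elsewhere.
        service.set("ha-hdfs:ns2");

        MutableText oldName = new MutableText("ha-hdfs:ns1");
        System.out.println("snapshot keys:        " + snapshot);
        System.out.println("shared keys now:      " + shared.keySet());
        System.out.println("shared has old name:  " + shared.containsKey(oldName));
        System.out.println("shared has new name:  " + shared.containsKey(service));
        System.out.println("copied has old name:  " + copied.containsKey(oldName));
    }
}
```

With the shared key, the map's key changes along with the service and the entry can no longer be looked up under either name, because the stored hash no longer matches the key's contents. The copied key and the snapshot taken before the mutation keep the original name.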