[hotfix] Make SecurityUtils.SecurityConfiguration a toplevel class

flink-clients/src/main/java/org/apache/flink/client/CliFrontend.java

@@ -68,6 +68,7 @@
 import org.apache.flink.runtime.messages.JobManagerMessages.StoppingFailure;
 import org.apache.flink.runtime.messages.JobManagerMessages.TriggerSavepoint;
 import org.apache.flink.runtime.messages.JobManagerMessages.TriggerSavepointSuccess;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.runtime.util.EnvironmentInformation;
 import org.apache.flink.util.Preconditions;
@@ -1127,7 +1128,7 @@ public static void main(final String[] args) {
 
  try {
  final CliFrontend cli = new CliFrontend();
- SecurityUtils.install(new SecurityUtils.SecurityConfiguration(cli.config));
+ SecurityUtils.install(new SecurityConfiguration(cli.config));
  int retCode = SecurityUtils.getInstalledContext()
  .runSecured(new Callable<Integer>() {
  @Override

flink-connectors/flink-connector-filesystem/src/test/java/org/apache/flink/streaming/connectors/fs/RollingSinkSecuredITCase.java

@@ -23,7 +23,7 @@
 import org.apache.flink.configuration.CoreOptions;
 import org.apache.flink.configuration.HighAvailabilityOptions;
 import org.apache.flink.configuration.SecurityOptions;
-import org.apache.flink.runtime.security.SecurityUtils;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.modules.HadoopModule;
 import org.apache.flink.streaming.util.TestStreamEnvironment;
 import org.apache.flink.test.util.SecureTestEnvironment;
@@ -126,8 +126,8 @@ public static void startSecureCluster() throws Exception {
  flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL,
  SecureTestEnvironment.getHadoopServicePrincipal());
 
- SecurityUtils.SecurityConfiguration ctx =
- new SecurityUtils.SecurityConfiguration(
+ SecurityConfiguration ctx =
+ new SecurityConfiguration(
  flinkConfig,
  Collections.singletonList(securityConfig -> new HadoopModule(securityConfig, conf)));
  try {

flink-mesos/src/main/java/org/apache/flink/mesos/entrypoint/MesosTaskExecutorRunner.java

@@ -26,6 +26,7 @@
 import org.apache.flink.mesos.runtime.clusterframework.MesosConfigKeys;
 import org.apache.flink.runtime.clusterframework.BootstrapTools;
 import org.apache.flink.runtime.clusterframework.types.ResourceID;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.runtime.taskexecutor.TaskManagerRunner;
 import org.apache.flink.runtime.util.EnvironmentInformation;
@@ -115,7 +116,7 @@ else if (tmpDirs != null) {
  LOG.info("ResourceID assigned for this container: {}", resourceId);
 
  // Run the TM in the security context
- SecurityUtils.SecurityConfiguration sc = new SecurityUtils.SecurityConfiguration(configuration);
+ SecurityConfiguration sc = new SecurityConfiguration(configuration);
  SecurityUtils.install(sc);
 
  try {

flink-mesos/src/main/java/org/apache/flink/mesos/runtime/clusterframework/MesosApplicationMasterRunner.java

@@ -39,6 +39,7 @@
 import org.apache.flink.runtime.jobmanager.MemoryArchivist;
 import org.apache.flink.runtime.jobmaster.JobMaster;
 import org.apache.flink.runtime.process.ProcessReaper;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.runtime.util.EnvironmentInformation;
 import org.apache.flink.runtime.util.ExecutorThreadFactory;
@@ -163,7 +164,7 @@ protected int run(final String[] args) {
  }
 
  // configure security
- SecurityUtils.SecurityConfiguration sc = new SecurityUtils.SecurityConfiguration(config);
+ SecurityConfiguration sc = new SecurityConfiguration(config);
  SecurityUtils.install(sc);
 
  // run the actual work in the installed security context

flink-mesos/src/main/java/org/apache/flink/mesos/runtime/clusterframework/MesosTaskManagerRunner.java

@@ -25,6 +25,7 @@
 import org.apache.flink.core.fs.FileSystem;
 import org.apache.flink.runtime.clusterframework.BootstrapTools;
 import org.apache.flink.runtime.clusterframework.types.ResourceID;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.runtime.taskmanager.TaskManager;
 import org.apache.flink.runtime.util.EnvironmentInformation;
@@ -115,7 +116,7 @@ else if (tmpDirs != null) {
  LOG.info("ResourceID assigned for this container: {}", resourceId);
 
  // Run the TM in the security context
- SecurityUtils.SecurityConfiguration sc = new SecurityUtils.SecurityConfiguration(configuration);
+ SecurityConfiguration sc = new SecurityConfiguration(configuration);
  SecurityUtils.install(sc);
 
  try {

flink-runtime-web/src/main/java/org/apache/flink/runtime/webmonitor/history/HistoryServer.java

@@ -29,6 +29,7 @@
 import org.apache.flink.runtime.net.SSLUtils;
 import org.apache.flink.runtime.rest.handler.legacy.DashboardConfigHandler;
 import org.apache.flink.runtime.rest.handler.legacy.messages.DashboardConfiguration;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.runtime.webmonitor.WebMonitorUtils;
 import org.apache.flink.runtime.webmonitor.utils.WebFrontendBootstrap;
@@ -103,7 +104,7 @@ public static void main(String[] args) throws Exception {
  final Configuration flinkConfig = GlobalConfiguration.loadConfiguration(configDir);
 
  // run the history server
- SecurityUtils.install(new SecurityUtils.SecurityConfiguration(flinkConfig));
+ SecurityUtils.install(new SecurityConfiguration(flinkConfig));
 
  try {
  SecurityUtils.getInstalledContext().runSecured(new Callable<Integer>() {

flink-runtime/src/main/java/org/apache/flink/runtime/entrypoint/ClusterEntrypoint.java

@@ -35,6 +35,7 @@
 import org.apache.flink.runtime.rpc.FatalErrorHandler;
 import org.apache.flink.runtime.rpc.RpcService;
 import org.apache.flink.runtime.rpc.akka.AkkaRpcService;
+import org.apache.flink.runtime.security.SecurityConfiguration;
 import org.apache.flink.runtime.security.SecurityContext;
 import org.apache.flink.runtime.security.SecurityUtils;
 import org.apache.flink.util.ExceptionUtils;
@@ -141,7 +142,7 @@ protected void installDefaultFileSystem(Configuration configuration) throws Exce
  protected SecurityContext installSecurityContext(Configuration configuration) throws Exception {
  LOG.info("Install security context.");
 
- SecurityUtils.install(new SecurityUtils.SecurityConfiguration(configuration));
+ SecurityUtils.install(new SecurityConfiguration(configuration));
 
  return SecurityUtils.getInstalledContext();
  }

flink-runtime/src/main/java/org/apache/flink/runtime/security/SecurityConfiguration.java

@@ -0,0 +1,154 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.runtime.security;
+
+import org.apache.flink.configuration.Configuration;
+import org.apache.flink.configuration.IllegalConfigurationException;
+import org.apache.flink.configuration.SecurityOptions;
+import org.apache.flink.runtime.security.modules.HadoopModuleFactory;
+import org.apache.flink.runtime.security.modules.JaasModuleFactory;
+import org.apache.flink.runtime.security.modules.SecurityModuleFactory;
+import org.apache.flink.runtime.security.modules.ZookeeperModuleFactory;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import static org.apache.flink.util.Preconditions.checkNotNull;
+
+/**
+ * The global security configuration.
+ *
+ * <p>See {@link SecurityOptions} for corresponding configuration options.
+ */
+public class SecurityConfiguration {
+
+ private static final List<SecurityModuleFactory> DEFAULT_MODULES = Collections.unmodifiableList(
+ Arrays.asList(new HadoopModuleFactory(), new JaasModuleFactory(), new ZookeeperModuleFactory()));
+
+ private final List<SecurityModuleFactory> securityModuleFactories;
+
+ private final Configuration flinkConfig;
+
+ private final boolean isZkSaslDisable;
+
+ private final boolean useTicketCache;
+
+ private final String keytab;
+
+ private final String principal;
+
+ private final List<String> loginContextNames;
+
+ private final String zkServiceName;
+
+ private final String zkLoginContextName;
+
+ /**
+ * Create a security configuration from the global configuration.
+ * @param flinkConf the Flink global configuration.
+*/
+ public SecurityConfiguration(Configuration flinkConf) {
+ this(flinkConf, DEFAULT_MODULES);
+ }
+
+ /**
+ * Create a security configuration from the global configuration.
+ * @param flinkConf the Flink global configuration.
+ * @param securityModuleFactories the security modules to apply.
+ */
+ public SecurityConfiguration(Configuration flinkConf,
+ List<SecurityModuleFactory> securityModuleFactories) {
+ this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
+ this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
+ this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
+ this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
+ this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));
+ this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
+ this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);
+ this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);
+ this.flinkConfig = checkNotNull(flinkConf);
+ validate();
+ }
+
+ public boolean isZkSaslDisable() {
+ return isZkSaslDisable;
+ }
+
+ public String getKeytab() {
+ return keytab;
+ }
+
+ public String getPrincipal() {
+ return principal;
+ }
+
+ public boolean useTicketCache() {
+ return useTicketCache;
+ }
+
+ public Configuration getFlinkConfig() {
+ return flinkConfig;
+ }
+
+ public List<SecurityModuleFactory> getSecurityModuleFactories() {
+ return securityModuleFactories;
+ }
+
+ public List<String> getLoginContextNames() {
+ return loginContextNames;
+ }
+
+ public String getZooKeeperServiceName() {
+ return zkServiceName;
+ }
+
+ public String getZooKeeperLoginContextName() {
+ return zkLoginContextName;
+ }
+
+ private void validate() {
+ if (!StringUtils.isBlank(keytab)) {
+ // principal is required
+ if (StringUtils.isBlank(principal)) {
+ throw new IllegalConfigurationException("Kerberos login configuration is invalid; keytab requires a principal.");
+ }
+
+ // check the keytab is readable
+ File keytabFile = new File(keytab);
+ if (!keytabFile.exists() || !keytabFile.isFile() || !keytabFile.canRead()) {
+ throw new IllegalConfigurationException("Kerberos login configuration is invalid; keytab is unreadable");
+ }
+ }
+ }
+
+ private static List<String> parseList(String value) {
+ if (value == null || value.isEmpty()) {
+ return Collections.emptyList();
+ }
+
+ return Arrays.asList(value
+ .trim()
+ .replaceAll("(\\s*,+\\s*)+", ",")
+ .split(","));
+ }
+}