Java Code Examples for org.apache.flink.configuration.SecurityOptions
The following examples show how to use
org.apache.flink.configuration.SecurityOptions.
These examples are extracted from open source projects.
Example #1
Source Project: Flink-CEPplus Author: ljygz File: YarnTaskExecutorRunnerTest.java License: Apache License 2.0 | 6 votes |
/**
 * Checks that a keytab path and principal passed in through the environment map end up both in
 * the installed {@link HadoopModule} and in the Flink {@link Configuration}.
 */
@Test
public void testKerberosKeytabConfiguration() throws Exception {
    final String resourceDirPath = Paths.get("src", "test", "resources").toAbsolutePath().toString();
    // Both assertions on the keytab expect the fixed keytab file name resolved against the working dir.
    final String expectedKeytab = new File(resourceDirPath, Utils.KEYTAB_FILE_NAME).getAbsolutePath();

    // NOTE(review): "[email protected]" looks like an e-mail-obfuscation artifact of the page this
    // snippet was taken from; the original principal literal cannot be recovered from here.
    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, "[email protected]");
    envs.put(YarnConfigKeys.KEYTAB_PATH, resourceDirPath);

    Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupConfigurationAndInstallSecurityContext(configuration, resourceDirPath, envs);

    // Pick the first installed module that is a HadoopModule.
    SecurityModule found = null;
    for (SecurityModule candidate : SecurityUtils.getInstalledModules()) {
        if (candidate instanceof HadoopModule) {
            found = candidate;
            break;
        }
    }

    if (found == null) {
        fail("Can not find HadoopModule!");
    } else {
        HadoopModule hadoopModule = (HadoopModule) found;
        assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is("[email protected]"));
        assertThat(hadoopModule.getSecurityConfig().getKeytab(), is(expectedKeytab));
    }

    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB), is(expectedKeytab));
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is("[email protected]"));
}
Example #2
Source Project: flink Author: apache File: BlobServerSSLTest.java License: Apache License 2.0 | 6 votes |
/**
 * Expects {@link BlobServer} construction to fail when internal SSL is enabled but the configured
 * keystore and truststore both point at "invalid.keystore".
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
    // Fixture values only: a store name used as the invalid path, and a throwaway store password.
    final String bogusStore = "invalid.keystore";
    final String fixturePassword = "password";

    final Configuration sslConfig = new Configuration();
    sslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_KEYSTORE, bogusStore);
    sslConfig.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, fixturePassword);
    sslConfig.setString(SecurityOptions.SSL_KEY_PASSWORD, fixturePassword);
    sslConfig.setString(SecurityOptions.SSL_TRUSTSTORE, bogusStore);
    sslConfig.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, fixturePassword);

    try (final BlobServer ignored = new BlobServer(sslConfig, new VoidBlobStore())) {
        // Reaching this line means the server came up with unusable TLS material.
        fail();
    } catch (Exception startupFailure) {
        // NOTE(review): both results are discarded. If these helpers report their finding through
        // a return value instead of throwing (confirm against their definition), nothing is
        // asserted about the cause here.
        findThrowable(startupFailure, IOException.class);
        findThrowableWithMessage(startupFailure, "Failed to initialize SSL for the blob server");
    }
}
Example #3
Source Project: Flink-CEPplus Author: ljygz File: SSLStoreOverlay.java License: Apache License 2.0 | 6 votes |
/**
 * Configures the overlay using the current environment (and global configuration).
 *
 * <p>The following Flink configuration settings are used to source the keystore and truststore:
 *  - security.ssl.keystore
 *  - security.ssl.truststore
 *
 * @param globalConfiguration configuration the two store locations are read from
 * @return this builder
 * @throws IllegalStateException if a configured store location does not exist on disk
 */
public Builder fromEnvironment(Configuration globalConfiguration) {
    final String configuredKeystore = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
    if (configuredKeystore != null) {
        keystorePath = new File(configuredKeystore);
        // Existence is the only property checked; type, readability and content are not.
        final boolean keystoreMissing = !keystorePath.exists();
        if (keystoreMissing) {
            // The message names the option key only, not the configured path.
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
        }
    }

    final String configuredTruststore = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
    if (configuredTruststore != null) {
        truststorePath = new File(configuredTruststore);
        final boolean truststoreMissing = !truststorePath.exists();
        if (truststoreMissing) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
        }
    }

    return this;
}
Example #4
Source Project: flink Author: apache File: BlobServerSSLTest.java License: Apache License 2.0 | 6 votes |
/**
 * Expects {@link BlobServer} construction to fail when valid stores are configured but
 * {@code SSL_ALGORITHMS} is set to "TLSv1,TLSv1.1".
 */
@Test
public void testFailedToInitWithTwoProtocolsSet() {
    final String keystoreLocation = getClass().getResource("/local127.keystore").getPath();
    final String fixturePassword = "password";

    final Configuration sslConfig = new Configuration();
    sslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_KEYSTORE, keystoreLocation);
    sslConfig.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, fixturePassword);
    sslConfig.setString(SecurityOptions.SSL_KEY_PASSWORD, fixturePassword);
    sslConfig.setString(SecurityOptions.SSL_TRUSTSTORE, getClass().getResource("/local127.truststore").getPath());
    sslConfig.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, fixturePassword);
    // NOTE(review): the value holds protocol version names while the option name suggests cipher
    // suites; presumably that mismatch is what makes start-up fail. Confirm against SSLUtils.
    sslConfig.setString(SecurityOptions.SSL_ALGORITHMS, "TLSv1,TLSv1.1");

    try (final BlobServer ignored = new BlobServer(sslConfig, new VoidBlobStore())) {
        fail();
    } catch (Exception startupFailure) {
        // NOTE(review): the helper results are discarded; unless the helpers throw on a miss
        // (confirm), the cause and message are not actually verified.
        findThrowable(startupFailure, IOException.class);
        findThrowableWithMessage(startupFailure, "Unable to open BLOB Server in specified port range: 0");
    }
}
Example #5
Source Project: Flink-CEPplus Author: ljygz File: SSLUtils.java License: Apache License 2.0 | 6 votes |
/**
 * Creates a SSLEngineFactory to be used by internal communication client endpoints.
 *
 * @param config configuration the SSL context, protocols, cipher suites and timeouts are read from
 * @return a handler factory built on the internal SSL context
 * @throws IllegalConfigurationException if no internal SSL context is available for {@code config}
 * @throws Exception declared by the signature; presumably raised while building the SSL context
 */
public static SSLHandlerFactory createInternalClientSSLEngineFactory(final Configuration config) throws Exception {
    final SSLContext internalContext = createInternalSSLContext(config);

    if (internalContext != null) {
        return new SSLHandlerFactory(
            internalContext,
            getEnabledProtocols(config),
            getEnabledCipherSuites(config),
            // NOTE(review): the meaning of these two flags is not visible here; presumably
            // client mode and client authentication. Confirm against SSLHandlerFactory.
            true,
            true,
            config.getInteger(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT),
            config.getInteger(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT));
    }

    // Fails closed: no plaintext factory is handed out when SSL is off.
    throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
}
Example #6
Source Project: flink Author: apache File: SSLUtils.java License: Apache License 2.0 | 6 votes |
/**
 * Maps the configured SSL provider name to an {@code SslProvider} value.
 *
 * <p>The name is matched case-insensitively against "OPENSSL" and "JDK". Any other value is
 * rejected, and "OPENSSL" is rejected when OpenSSL is unavailable instead of falling back to the
 * JDK provider.
 *
 * @param config configuration to read {@code SecurityOptions.SSL_PROVIDER} from; must not be null
 * @return the matching provider
 * @throws IllegalConfigurationException for an unknown name or an unavailable OpenSSL
 */
@VisibleForTesting
static SslProvider getSSLProvider(final Configuration config) {
    checkNotNull(config, "config must not be null");
    final String requested = config.getString(SecurityOptions.SSL_PROVIDER);

    if (requested.equalsIgnoreCase("OPENSSL")) {
        if (!OpenSsl.isAvailable()) {
            // The underlying reason is attached as the cause for diagnosis.
            throw new IllegalConfigurationException("openSSL not available", OpenSsl.unavailabilityCause());
        }
        return OPENSSL;
    }

    if (requested.equalsIgnoreCase("JDK")) {
        return JDK;
    }

    throw new IllegalConfigurationException("Unknown SSL provider: %s", requested);
}
Example #7
Source Project: flink Author: apache File: SSLUtilsTest.java License: Apache License 2.0 | 6 votes |
/**
 * Tests if SSLUtils set the right ssl version and cipher suites for SSLServerSocket.
 */
@Test
public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exception {
    final String customProtocol = "TLSv1.1";

    Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores();

    // set custom protocol and cipher suites
    // TLSv1.1 and the RSA/CBC suites are legacy choices; here they only serve as recognisable
    // values to prove the configuration reaches the socket. JDK builds that disable TLSv1.1
    // through their security properties may reject this setup.
    serverConfig.setString(SecurityOptions.SSL_PROTOCOL, customProtocol);
    serverConfig.setString(SecurityOptions.SSL_ALGORITHMS, "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256");

    try (ServerSocket socket = SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) {
        assertTrue(socket instanceof SSLServerSocket);
        final SSLServerSocket sslSocket = (SSLServerSocket) socket;

        final String[] enabledProtocols = sslSocket.getEnabledProtocols();
        final String[] enabledSuites = sslSocket.getEnabledCipherSuites();

        // Exactly the configured protocol, nothing added by defaults.
        assertEquals(1, enabledProtocols.length);
        assertEquals(customProtocol, enabledProtocols[0]);

        // Exactly the two configured suites, in any order.
        assertEquals(2, enabledSuites.length);
        assertThat(enabledSuites, arrayContainingInAnyOrder(
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA256"));
    }
}
Example #8
Source Project: Flink-CEPplus Author: ljygz File: RestServerEndpointITCase.java License: Apache License 2.0 | 6 votes |
/**
 * Requests the target URL of {@code TestVersionSelectionHeaders2} below the REST base URL and
 * expects the ACCEPTED status code. Skipped when REST SSL is enabled, so the TLS variant of the
 * endpoint is not covered by this test.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    final boolean restSslEnabled = config.getBoolean(SecurityOptions.SSL_REST_ENABLED);
    Assume.assumeFalse("Ignoring SSL-enabled test to keep OkHttp usage simple.", restSslEnabled);

    OkHttpClient client = new OkHttpClient();

    final String targetUrl =
        serverEndpoint.getRestBaseUrl() + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
    final Request request = new Request.Builder().url(targetUrl).build();

    try (final Response response = client.newCall(request).execute()) {
        assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
    }
}
Example #9
Source Project: flink Author: apache File: RestServerEndpointITCase.java License: Apache License 2.0 | 6 votes |
/**
 * Calls the endpoint described by {@code TestVersionSelectionHeaders2} through a plain OkHttp
 * client and expects the ACCEPTED status code.
 *
 * <p>The test is skipped, not failed, when {@code SSL_REST_ENABLED} is set, so it says nothing
 * about routing over TLS.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    Assume.assumeFalse(
        "Ignoring SSL-enabled test to keep OkHttp usage simple.",
        config.getBoolean(SecurityOptions.SSL_REST_ENABLED));

    final OkHttpClient httpClient = new OkHttpClient();

    final Request.Builder requestBuilder = new Request.Builder();
    requestBuilder.url(serverEndpoint.getRestBaseUrl() + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL());
    final Request request = requestBuilder.build();

    try (final Response response = httpClient.newCall(request).execute()) {
        final int expectedStatus = HttpResponseStatus.ACCEPTED.code();
        assertEquals(expectedStatus, response.code());
    }
}
Example #10
Source Project: Flink-CEPplus Author: ljygz File: BlobServerSSLTest.java License: Apache License 2.0 | 6 votes |
/**
 * Starts a {@link BlobServer} with internal SSL enabled and both store options set to
 * "invalid.keystore", and expects construction to throw.
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
    final Configuration brokenSslConfig = new Configuration();
    brokenSslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);

    // Key material: the keystore value is the invalid part, the passwords are fixture values.
    brokenSslConfig.setString(SecurityOptions.SSL_KEYSTORE, "invalid.keystore");
    brokenSslConfig.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
    brokenSslConfig.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");

    // Trust material: same invalid store value.
    brokenSslConfig.setString(SecurityOptions.SSL_TRUSTSTORE, "invalid.keystore");
    brokenSslConfig.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");

    try (final BlobServer ignored = new BlobServer(brokenSslConfig, new VoidBlobStore())) {
        fail();
    } catch (Exception initError) {
        // NOTE(review): the lookups below have their results dropped; whether a miss fails the
        // test depends on the helpers throwing. Confirm against their definition.
        findThrowable(initError, IOException.class);
        findThrowableWithMessage(initError, "Failed to initialize SSL for the blob server");
    }
}
Example #11
Source Project: Flink-CEPplus Author: ljygz File: SSLUtilsTest.java License: Apache License 2.0 | 6 votes |
/**
 * Tests whether activation of internal / REST SSL evaluates the config flags correctly.
 */
@SuppressWarnings("deprecation")
@Test
public void checkEnableSSL() {
    // backwards compatibility: the general flag alone switches both channels on
    final Configuration legacyOnly = new Configuration();
    legacyOnly.setBoolean(SecurityOptions.SSL_ENABLED, true);
    assertTrue(SSLUtils.isInternalSSLEnabled(legacyOnly));
    assertTrue(SSLUtils.isRestSSLEnabled(legacyOnly));

    // the channel-specific flags are evaluated independently of each other
    final Configuration specificOnly = new Configuration();
    specificOnly.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    specificOnly.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
    assertTrue(SSLUtils.isInternalSSLEnabled(specificOnly));
    assertFalse(SSLUtils.isRestSSLEnabled(specificOnly));

    // new options take precedence: a general "true" does not keep a channel encrypted once its
    // specific flag is set to false
    final Configuration mixed = new Configuration();
    mixed.setBoolean(SecurityOptions.SSL_ENABLED, true);
    mixed.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, false);
    mixed.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
    assertFalse(SSLUtils.isInternalSSLEnabled(mixed));
    assertFalse(SSLUtils.isRestSSLEnabled(mixed));
}
Example #12
Source Project: flink Author: apache File: RestServerEndpointITCase.java License: Apache License 2.0 | 6 votes |
/**
 * Supplies the configurations the test class is run with: the base configuration, REST SSL,
 * REST SSL with {@code SSL_REST_AUTHENTICATION_ENABLED}, and the latter plus a certificate
 * fingerprint.
 *
 * @return one single-element parameter array per configuration
 */
@Parameterized.Parameters
public static Collection<Object[]> data() throws Exception {
    final Configuration config = getBaseConfig();

    final String truststorePath = getTestResource("local127.truststore").getAbsolutePath();
    final String keystorePath = getTestResource("local127.keystore").getAbsolutePath();
    // Fixture password shared by the test stores.
    final String storePassword = "password";

    // Each variant is a copy of the previous one with one more feature switched on.
    final Configuration sslConfig = new Configuration(config);
    sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, truststorePath);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, storePassword);
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, keystorePath);
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, storePassword);
    sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, storePassword);

    final Configuration sslRestAuthConfig = new Configuration(sslConfig);
    sslRestAuthConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

    final Configuration sslPinningRestAuthConfig = new Configuration(sslRestAuthConfig);
    // NOTE(review): "flink.test" is presumably the keystore alias whose certificate is
    // fingerprinted; confirm against SSLUtilsTest.getRestCertificateFingerprint.
    final String pinnedFingerprint =
        SSLUtilsTest.getRestCertificateFingerprint(sslPinningRestAuthConfig, "flink.test");
    sslPinningRestAuthConfig.setString(SecurityOptions.SSL_REST_CERT_FINGERPRINT, pinnedFingerprint);

    final Object[][] parameterSets = {
        {config}, {sslConfig}, {sslRestAuthConfig}, {sslPinningRestAuthConfig}
    };
    return Arrays.asList(parameterSets);
}
Example #13
Source Project: flink Author: apache File: SSLStoreOverlayTest.java License: Apache License 2.0 | 6 votes |
/**
 * Checks that configuring the overlay points both store options at the fixed target paths and
 * that {@code checkArtifact} passes for each target path.
 */
@Test
public void testConfigure() throws Exception {
    final File keystore = tempFolder.newFile();
    final File truststore = tempFolder.newFile();
    final SSLStoreOverlay overlay = new SSLStoreOverlay(keystore, truststore);

    final ContainerSpecification spec = new ContainerSpecification();
    overlay.configure(spec);

    // The configuration must reference the in-container location, not the local source file.
    final String expectedKeystore = TARGET_KEYSTORE_PATH.getPath();
    assertEquals(expectedKeystore, spec.getFlinkConfiguration().getString(SecurityOptions.SSL_KEYSTORE));
    checkArtifact(spec, TARGET_KEYSTORE_PATH);

    final String expectedTruststore = TARGET_TRUSTSTORE_PATH.getPath();
    assertEquals(expectedTruststore, spec.getFlinkConfiguration().getString(SecurityOptions.SSL_TRUSTSTORE));
    checkArtifact(spec, TARGET_TRUSTSTORE_PATH);
}
Example #14
Source Project: flink Author: flink-tpc-ds File: RestServerEndpointITCase.java License: Apache License 2.0 | 6 votes |
/**
 * Supplies the configurations the test class is run with: the base configuration, REST SSL, and
 * REST SSL with {@code SSL_REST_AUTHENTICATION_ENABLED}.
 *
 * @return one single-element parameter array per configuration
 */
@Parameterized.Parameters
public static Collection<Object[]> data() {
    final Configuration config = getBaseConfig();

    final String truststorePath = getTestResource("local127.truststore").getAbsolutePath();
    final String keystorePath = getTestResource("local127.keystore").getAbsolutePath();

    // TLS for the REST endpoint, using the test stores and their fixture password.
    final Configuration sslConfig = new Configuration(config);
    sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, truststorePath);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, keystorePath);
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "password");

    // Same as above with REST authentication switched on.
    final Configuration sslRestAuthConfig = new Configuration(sslConfig);
    sslRestAuthConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

    final Object[][] parameterSets = {
        {config}, {sslConfig}, {sslRestAuthConfig}
    };
    return Arrays.asList(parameterSets);
}
Example #15
Source Project: flink Author: apache File: SSLStoreOverlay.java License: Apache License 2.0 | 6 votes |
/**
 * Registers the keystore and truststore (whichever are set) as container artifacts and rewrites
 * the matching Flink options to the target paths inside the container.
 *
 * @param container specification that receives the artifacts and the configuration entries
 * @throws IOException declared by the signature
 */
@Override
public void configure(ContainerSpecification container) throws IOException {
    if (keystore != null) {
        final ContainerSpecification.Artifact keystoreArtifact = ContainerSpecification.Artifact.newBuilder()
            .setSource(keystore)
            .setDest(TARGET_KEYSTORE_PATH)
            // Key material is marked as not cachable.
            .setCachable(false)
            .build();
        container.getArtifacts().add(keystoreArtifact);
        container.getFlinkConfiguration().setString(SecurityOptions.SSL_KEYSTORE, TARGET_KEYSTORE_PATH.getPath());
    }

    if (truststore != null) {
        final ContainerSpecification.Artifact truststoreArtifact = ContainerSpecification.Artifact.newBuilder()
            .setSource(truststore)
            .setDest(TARGET_TRUSTSTORE_PATH)
            .setCachable(false)
            .build();
        container.getArtifacts().add(truststoreArtifact);
        container.getFlinkConfiguration().setString(SecurityOptions.SSL_TRUSTSTORE, TARGET_TRUSTSTORE_PATH.getPath());
    }
}
Example #16
Source Project: Flink-CEPplus Author: ljygz File: NettyClientServerSslTest.java License: Apache License 2.0 | 6 votes |
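/**
 * Verify failure on invalid ssl configuration.
 *
 * <p>Server and client are released in a {@code finally} block, so a run in which the invalid
 * configuration is unexpectedly accepted does not leave them running for later tests.
 */
@Test
public void testInvalidSslConfiguration() throws Exception {
    NettyProtocol protocol = new NoOpProtocol();

    Configuration config = createSslConfig();
    // Modify the keystore password to an incorrect one
    config.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD, "invalidpassword");

    NettyConfig nettyConfig = createNettyConfig(config);

    NettyTestUtil.NettyServerAndClient serverAndClient = null;
    try {
        serverAndClient = NettyTestUtil.initServerAndClient(protocol, nettyConfig);
        Assert.fail("Created server and client from invalid configuration");
    } catch (Exception expected) {
        // Exception should be thrown as expected. Assert.fail raises an AssertionError, which is
        // not an Exception and therefore is not swallowed by this handler.
    } finally {
        // On the expected path serverAndClient is still null, exactly as in the call this replaces.
        NettyTestUtil.shutdown(serverAndClient);
    }
}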
Example #17
Source Project: Flink-CEPplus Author: ljygz File: NettyClientServerSslTest.java License: Apache License 2.0 | 6 votes |
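/**
 * Verifies that a client configured with a different keystore than the server cannot
 * successfully write data over the SSL channel.
 *
 * <p>Server and client are shut down in a {@code finally} block so that a failing assertion or
 * connect error does not leave them running.
 */
@Test
public void testClientUntrustedCertificate() throws Exception {
    final Configuration serverConfig = createSslConfig();
    final Configuration clientConfig = createSslConfig();

    // give the client a different keystore / certificate
    clientConfig.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE, "src/test/resources/untrusted.keystore");

    final NettyConfig nettyServerConfig = createNettyConfig(serverConfig);
    final NettyConfig nettyClientConfig = createNettyConfig(clientConfig);

    final NettyBufferPool bufferPool = new NettyBufferPool(1);
    final NettyProtocol protocol = new NoOpProtocol();

    final NettyServer server = NettyTestUtil.initServer(nettyServerConfig, protocol, bufferPool);
    final NettyClient client = NettyTestUtil.initClient(nettyClientConfig, protocol, bufferPool);
    final NettyServerAndClient serverAndClient = new NettyServerAndClient(server, client);

    try {
        final Channel ch = NettyTestUtil.connect(serverAndClient);
        ch.pipeline().addLast(new StringDecoder()).addLast(new StringEncoder());

        // Attempting to write data over ssl should fail; presumably the server rejects the
        // client's certificate during the handshake (confirm against the test stores).
        assertFalse(ch.writeAndFlush("test").await().isSuccess());
    } finally {
        NettyTestUtil.shutdown(serverAndClient);
    }
}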
Example #18
Source Project: flink Author: apache File: SecurityConfiguration.java License: Apache License 2.0 | 6 votes |
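/**
 * Create a security configuration from the global configuration.
 *
 * @param flinkConf the Flink global configuration; must not be null.
 * @param securityContextFactory the security context factories to apply (presumably class names;
 *     confirm with the caller). Stored as passed in, without an unmodifiable wrapper.
 * @param securityModuleFactories the security modules to apply. Wrapped in an unmodifiable view.
 */
public SecurityConfiguration(Configuration flinkConf,
        List<String> securityContextFactory,
        List<String> securityModuleFactories) {
    // Null-check before the first read so the precondition is the one that reports the problem.
    this.flinkConfig = checkNotNull(flinkConf);

    // ZooKeeper SASL settings.
    this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
    this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
    this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);

    // Kerberos login settings.
    this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
    this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
    this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
    this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));

    this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);
    this.securityContextFactory = securityContextFactory;

    // Runs last so that it sees every field assigned above.
    validate();
}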
Example #19
Source Project: flink Author: flink-tpc-ds File: SSLStoreOverlay.java License: Apache License 2.0 | 6 votes |
/**
 * Configures the overlay using the current environment (and global configuration).
 *
 * <p>The following Flink configuration settings are used to source the keystore and truststore:
 *  - security.ssl.keystore
 *  - security.ssl.truststore
 *
 * @param globalConfiguration configuration to read both store locations from
 * @return this builder, for chaining
 * @throws IllegalStateException if an option is set but the file it names does not exist
 */
public Builder fromEnvironment(Configuration globalConfiguration) {
    final String keystoreSetting = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
    final boolean keystoreConfigured = keystoreSetting != null;
    if (keystoreConfigured) {
        keystorePath = new File(keystoreSetting);
        if (!keystorePath.exists()) {
            // Reports which option is wrong without echoing the configured path.
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
        }
    }

    final String truststoreSetting = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
    final boolean truststoreConfigured = truststoreSetting != null;
    if (truststoreConfigured) {
        truststorePath = new File(truststoreSetting);
        // As for the keystore, only existence is verified at this point.
        if (!truststorePath.exists()) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
        }
    }

    return this;
}
Example #20
Source Project: flink Author: flink-tpc-ds File: RestServerEndpointITCase.java License: Apache License 2.0 | 6 votes |
/**
 * Issues a request for the {@code TestVersionSelectionHeaders2} endpoint URL and expects the
 * ACCEPTED status code. Only runs when {@code SSL_REST_ENABLED} is false.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    // A plain OkHttp client is used below, so SSL-enabled runs are skipped rather than failed.
    final boolean sslActive = config.getBoolean(SecurityOptions.SSL_REST_ENABLED);
    Assume.assumeFalse("Ignoring SSL-enabled test to keep OkHttp usage simple.", sslActive);

    final OkHttpClient okHttp = new OkHttpClient();

    final String endpointUrl =
        serverEndpoint.getRestBaseUrl() + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
    final Request versionlessRequest = new Request.Builder()
        .url(endpointUrl)
        .build();

    try (final Response response = okHttp.newCall(versionlessRequest).execute()) {
        assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
    }
}
Example #21
Source Project: flink Author: apache File: SecurityUtilsTest.java License: Apache License 2.0 | 6 votes |
/**
 * Verify that we fall back to a second configuration if the first one is incompatible.
 */
@Test
public void testSecurityContextShouldFallbackToSecond() throws Exception {
    // Order matters: the incompatible factory is listed first, the usable one second.
    final List<String> factoryClassNames = Lists.newArrayList(
        IncompatibleTestSecurityContextFactory.class.getCanonicalName(),
        TestSecurityContextFactory.class.getCanonicalName());

    Configuration testFlinkConf = new Configuration();
    testFlinkConf.set(SecurityOptions.SECURITY_CONTEXT_FACTORY_CLASSES, factoryClassNames);

    SecurityConfiguration testSecurityConf = new SecurityConfiguration(testFlinkConf);

    // NOTE(review): if the first assertion fails, uninstall() is skipped and the installed
    // context may stay in place for later tests; a try/finally would avoid that.
    SecurityUtils.install(testSecurityConf);
    assertEquals(
        TestSecurityContextFactory.TestSecurityContext.class,
        SecurityUtils.getInstalledContext().getClass());

    // After uninstalling, the no-op context must be back in place.
    SecurityUtils.uninstall();
    assertEquals(NoOpSecurityContext.class, SecurityUtils.getInstalledContext().getClass());
}
Example #22
Source Project: flink Author: flink-tpc-ds File: SSLUtils.java License: Apache License 2.0 | 6 votes |
/**
 * Builds a {@link TrustManagerFactory} from the truststore configured for either internal or
 * REST communication.
 *
 * <p>The channel-specific option is passed to {@code getAndCheckOption} together with the general
 * truststore option. The store is opened with {@link KeyStore#getDefaultType()} and the factory
 * uses {@link TrustManagerFactory#getDefaultAlgorithm()}, so both depend on the JVM's security
 * properties.
 *
 * @param config configuration holding the truststore path and password
 * @param internal {@code true} to use the internal options, {@code false} for the REST options
 * @return a factory initialised with the loaded truststore
 */
private static TrustManagerFactory getTrustManagerFactory(Configuration config, boolean internal)
        throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {

    final String storeLocation = getAndCheckOption(
        config,
        internal ? SecurityOptions.SSL_INTERNAL_TRUSTSTORE : SecurityOptions.SSL_REST_TRUSTSTORE,
        SecurityOptions.SSL_TRUSTSTORE);

    final String storePassword = getAndCheckOption(
        config,
        internal ? SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD : SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD,
        SecurityOptions.SSL_TRUSTSTORE_PASSWORD);

    final KeyStore loadedStore = KeyStore.getInstance(KeyStore.getDefaultType());

    // try-with-resources closes the file even when loading fails (wrong password, bad format).
    try (InputStream storeStream = Files.newInputStream(new File(storeLocation).toPath())) {
        // The password arrives as a String, so this char[] is a copy and the String itself
        // stays on the heap.
        loadedStore.load(storeStream, storePassword.toCharArray());
    }

    final TrustManagerFactory factory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init(loadedStore);
    return factory;
}
Example #23
Source Project: Flink-CEPplus Author: ljygz File: YarnTaskExecutorRunner.java License: Apache License 2.0 | 5 votes |
/**
 * Transfers values from the given variable map into the Flink configuration: the Kerberos keytab
 * and principal (only when both are available) and the task executor host name.
 *
 * @param configuration configuration to update in place
 * @param currDir directory under which the keytab file is expected
 * @param variables map the keytab path, principal, user name and node id are read from
 * @throws IOException declared by the signature; presumably from the current-user lookup
 */
private static void setupConfigurationFromVariables(Configuration configuration, String currDir, Map<String, String> variables) throws IOException {
    final String yarnClientUsername = variables.get(YarnConfigKeys.ENV_HADOOP_USER_NAME);

    // Path and principal are written to the log at INFO level; the keytab content is not.
    final String remoteKeytabPath = variables.get(YarnConfigKeys.KEYTAB_PATH);
    LOG.info("TM: remote keytab path obtained {}", remoteKeytabPath);

    final String remoteKeytabPrincipal = variables.get(YarnConfigKeys.KEYTAB_PRINCIPAL);
    LOG.info("TM: remote keytab principal obtained {}", remoteKeytabPrincipal);

    // tell akka to die in case of an error
    configuration.setBoolean(AkkaOptions.JVM_EXIT_ON_FATAL_ERROR, true);

    // The remote path only acts as a "keytab present" signal; the path used for login is always
    // the fixed keytab file name below currDir.
    final String keytabPath;
    if (remoteKeytabPath == null) {
        keytabPath = null;
    } else {
        keytabPath = new File(currDir, Utils.KEYTAB_FILE_NAME).getAbsolutePath();
        LOG.info("keytab path: {}", keytabPath);
    }

    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    LOG.info("YARN daemon is running as: {} Yarn client user obtainer: {}",
        currentUser.getShortUserName(), yarnClientUsername);

    // Keytab and principal are only ever set together.
    final boolean kerberosComplete = keytabPath != null && remoteKeytabPrincipal != null;
    if (kerberosComplete) {
        configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
        configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
    }

    // use the hostname passed by job manager
    final String taskExecutorHostname = variables.get(YarnResourceManager.ENV_FLINK_NODE_ID);
    if (taskExecutorHostname != null) {
        configuration.setString(TaskManagerOptions.HOST, taskExecutorHostname);
    }
}
Example #24
Source Project: flink Author: apache File: YarnEntrypointUtilsTest.java License: Apache License 2.0 | 5 votes |
/**
 * Checks that an existing keytab file and a principal given through the environment are copied
 * into the loaded configuration.
 */
@Test
public void testParsingValidKerberosEnv() throws IOException {
    final String principal = "starlord";
    // A real (empty) file, so that the keytab path refers to something that exists.
    final File keytabFile = TEMPORARY_FOLDER.newFile();
    final String keytabLocation = keytabFile.getAbsolutePath();

    final Map<String, String> env = new HashMap<>();
    env.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, keytabLocation);
    env.put(YarnConfigKeys.KEYTAB_PRINCIPAL, principal);

    final Configuration initialConfiguration = new Configuration();
    final Configuration configuration = loadConfiguration(initialConfiguration, env);

    assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_KEYTAB), is(keytabLocation));
    assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(principal));
}
Example #25
Source Project: Flink-CEPplus Author: ljygz File: SecurityConfiguration.java License: Apache License 2.0 | 5 votes |
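/**
 * Create a security configuration from the global configuration.
 *
 * @param flinkConf the Flink global configuration; must not be null.
 * @param securityModuleFactories the security modules to apply. Wrapped in an unmodifiable view.
 */
public SecurityConfiguration(Configuration flinkConf,
        List<SecurityModuleFactory> securityModuleFactories) {
    // Null-check before the first read so the precondition is the one that reports the problem.
    this.flinkConfig = checkNotNull(flinkConf);

    // ZooKeeper SASL settings.
    this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
    this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
    this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);

    // Kerberos login settings.
    this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
    this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
    this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
    this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));

    this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);

    // Runs last so that it sees every field assigned above.
    validate();
}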
Example #26
Source Project: Flink-CEPplus Author: ljygz File: KeytabOverlay.java License: Apache License 2.0 | 5 votes |
/**
 * Registers the keytab, when one is set, as a container artifact and points the Kerberos keytab
 * option of the dynamic configuration at its target path.
 *
 * @param container specification that receives the artifact and the configuration entry
 * @throws IOException declared by the signature
 */
@Override
public void configure(ContainerSpecification container) throws IOException {
    if (keytab == null) {
        // Nothing to ship.
        return;
    }

    final ContainerSpecification.Artifact keytabArtifact = ContainerSpecification.Artifact.newBuilder()
        .setSource(keytab)
        .setDest(TARGET_PATH)
        // The keytab is marked as not cachable.
        .setCachable(false)
        .build();
    container.getArtifacts().add(keytabArtifact);

    // The option refers to the in-container location, not the local source file.
    container.getDynamicConfiguration().setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, TARGET_PATH.getPath());
}
Example #27
Source Project: flink Author: apache File: YarnEntrypointUtilsTest.java License: Apache License 2.0 | 5 votes |
/**
 * Checks that neither keytab nor principal is set in the loaded configuration when the keytab
 * path from the environment is "/hopefully/doesnt/exist".
 */
@Test
public void testParsingKerberosEnvWithMissingKeytab() throws IOException {
    final Map<String, String> env = new HashMap<>();
    env.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, "/hopefully/doesnt/exist");
    env.put(YarnConfigKeys.KEYTAB_PRINCIPAL, "starlord");

    final Configuration initialConfiguration = new Configuration();
    final Configuration loaded = loadConfiguration(initialConfiguration, env);

    // both keytab and principal should be null: a principal without a usable keytab is dropped
    // rather than left half-configured
    assertThat(loaded.get(SecurityOptions.KERBEROS_LOGIN_KEYTAB), nullValue());
    assertThat(loaded.get(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), nullValue());
}
Example #28
Source Project: flink Author: flink-tpc-ds File: BlobClientSslTest.java License: Apache License 2.0 | 5 votes |
/**
 * Starts a BLOB server whose configuration carries the internal SSL key and trust store settings
 * but has {@code BlobServerOptions.SSL_ENABLED} set to false, and keeps that configuration for
 * the non-SSL client.
 */
@BeforeClass
public static void startNonSSLServer() throws IOException {
    final String defaultProvider = SecurityOptions.SSL_PROVIDER.defaultValue();
    final Configuration serverConfig = SSLUtilsTest.createInternalSslConfigWithKeyAndTrustStores(defaultProvider);

    final String storageDir = temporarySslFolder.newFolder().getAbsolutePath();
    serverConfig.setString(BlobServerOptions.STORAGE_DIRECTORY, storageDir);
    // SSL is switched off for the BLOB service only; the rest of the SSL config stays as built.
    serverConfig.setBoolean(BlobServerOptions.SSL_ENABLED, false);

    blobNonSslServer = new BlobServer(serverConfig, new VoidBlobStore());
    blobNonSslServer.start();

    nonSslClientConfig = serverConfig;
}
Example #29
Source Project: flink Author: flink-tpc-ds File: SSLUtilsTest.java License: Apache License 2.0 | 5 votes |
/**
 * Builds a configuration with internal SSL enabled and the given provider, then adds the
 * internal key store and trust store settings.
 *
 * @param sslProvider provider name handed to {@code addSslProviderConfig}
 * @return the new configuration
 */
public static Configuration createInternalSslConfigWithKeyAndTrustStores(String sslProvider) {
    final Configuration internalSslConfig = new Configuration();
    internalSslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);

    addSslProviderConfig(internalSslConfig, sslProvider);
    // Key store and trust store are both added here.
    addInternalKeyStoreConfig(internalSslConfig);
    addInternalTrustStoreConfig(internalSslConfig);

    return internalSslConfig;
}
Example #30
Source Project: flink Author: flink-tpc-ds File: SSLUtilsTest.java License: Apache License 2.0 | 5 votes |
/**
 * Builds a configuration with internal SSL enabled, this test's provider, and the internal trust
 * store settings; no key store is added.
 *
 * @return the new configuration
 */
private Configuration createInternalSslConfigWithTrustStore() {
    final Configuration trustOnlyConfig = new Configuration();
    trustOnlyConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);

    addSslProviderConfig(trustOnlyConfig, sslProvider);
    // No key store on purpose: this variant carries trust material only.
    addInternalTrustStoreConfig(trustOnlyConfig);

    return trustOnlyConfig;
}