2020
2121import org .apache .flink .configuration .Configuration ;
2222import org .apache .flink .configuration .SecurityOptions ;
23+ import org .apache .flink .core .testutils .CommonTestUtils ;
2324import org .apache .flink .runtime .security .SecurityConfiguration ;
2425import org .apache .flink .runtime .security .SecurityUtils ;
2526import org .apache .flink .runtime .security .contexts .HadoopSecurityContext ;
26- import org .apache .flink .runtime .testutils .CommonTestUtils ;
2727import org .apache .flink .test .util .SecureTestEnvironment ;
2828import org .apache .flink .test .util .TestingSecurityContext ;
2929import org .apache .flink .yarn .configuration .YarnConfigOptions ;
4747import org .slf4j .Logger ;
4848import org .slf4j .LoggerFactory ;
4949
50+ import java .time .Duration ;
51+ import java .util .Arrays ;
5052import java .util .Collections ;
5153import java .util .HashMap ;
5254import java .util .List ;
@@ -156,12 +158,9 @@ void testDetachedModeSecureWithPreInstallKeytab() throws Exception {
156158 SecurityOptions .KERBEROS_LOGIN_PRINCIPAL .key (),
157159 SecureTestEnvironment .getHadoopServicePrincipal ());
158160 }
159- runDetachedModeTest (
160- securityProperties ,
161- VIEW_ACLS ,
162- MODIFY_ACLS ,
163- YARNSessionFIFOSecuredITCase ::verifyKerberosKeytabInLogs );
164- verifyTokenAndAclsInContainers (VIEW_ACLS , MODIFY_ACLS );
161+ final ApplicationId applicationId =
162+ runDetachedModeTest (securityProperties , VIEW_ACLS , MODIFY_ACLS );
163+ verifyResultContainsKerberosKeytab (applicationId , VIEW_ACLS , MODIFY_ACLS );
165164 });
166165 }
167166
@@ -181,38 +180,40 @@ void testDetachedMode() throws Exception {
181180 SecurityOptions .KERBEROS_LOGIN_PRINCIPAL .key (),
182181 SecureTestEnvironment .getHadoopServicePrincipal ());
183182 }
184- runDetachedModeTest (
185- securityProperties ,
186- VIEW_ACLS ,
187- MODIFY_ACLS ,
188- YARNSessionFIFOSecuredITCase ::verifyKerberosKeytabInLogs );
189- verifyTokenAndAclsInContainers (VIEW_ACLS , MODIFY_ACLS );
190- runDetachedModeTest (
191- securityProperties ,
192- VIEW_ACLS_WITH_WILDCARD ,
193- MODIFY_ACLS_WITH_WILDCARD ,
194- YARNSessionFIFOSecuredITCase ::verifyKerberosKeytabInLogs );
195- verifyTokenAndAclsInContainers (WILDCARD , WILDCARD );
183+ final ApplicationId applicationId =
184+ runDetachedModeTest (securityProperties , VIEW_ACLS , MODIFY_ACLS );
185+ verifyResultContainsKerberosKeytab (applicationId , VIEW_ACLS , MODIFY_ACLS );
186+ final ApplicationId applicationIdWithWildcard =
187+ runDetachedModeTest (
188+ securityProperties ,
189+ VIEW_ACLS_WITH_WILDCARD ,
190+ MODIFY_ACLS_WITH_WILDCARD );
191+ verifyResultContainsKerberosKeytab (
192+ applicationIdWithWildcard , WILDCARD , WILDCARD );
196193 });
197194 }
198195
199- /**
200- * Verifies that both the JobManager and TaskManager logged a Kerberos keytab login. The
201- * container log files are polled rather than read once, and this must run while the containers
202- * are still alive so the logs are complete. A short-lived TaskManager can otherwise be torn
203- * down before its startup log becomes durably readable.
204- */
205- private static void verifyKerberosKeytabInLogs (ApplicationId applicationId ) throws Exception {
196+ private static void verifyResultContainsKerberosKeytab (
197+ ApplicationId applicationId , String viewAcls , String modifyAcls ) throws Exception {
206198 final String [] mustHave = {"Login successful for user" , "using keytab file" };
199+ // The application has been killed by now, so all container output is flushed. A
200+ // short-lived TaskManager's startup login line can still be briefly unreadable right
201+ // after teardown (FLINK-17662), so poll each log instead of reading it once.
207202 for (final String logFile : new String [] {"jobmanager.log" , "taskmanager.log" }) {
208203 log .info ("Waiting until {} contains the Kerberos keytab login" , logFile );
209- CommonTestUtils .waitUntilCondition (
210- () -> verifyStringsInNamedLogFiles (mustHave , applicationId , logFile ), 500 );
204+ CommonTestUtils .waitUtil (
205+ () -> verifyStringsInNamedLogFiles (mustHave , applicationId , logFile ),
206+ Duration .ofSeconds (60 ),
207+ Duration .ofMillis (500 ),
208+ "Kerberos keytab login "
209+ + Arrays .toString (mustHave )
210+ + " not found in "
211+ + logFile
212+ + " for application "
213+ + applicationId
214+ + " within the timeout; inspect the uploaded container logs." );
211215 }
212- }
213216
214- private static void verifyTokenAndAclsInContainers (String viewAcls , String modifyAcls )
215- throws Exception {
216217 final List <String > amRMTokens =
217218 Lists .newArrayList (AMRMTokenIdentifier .KIND_NAME .toString ());
218219 final String jobmanagerContainerId = getContainerIdByLogName ("jobmanager.log" );
0 commit comments