gaborgsomogyi

Delegation Token Renewal Starvation on Shared cluster-io Thread Pool

Context

DefaultDelegationTokenManager periodically renews delegation tokens (Kerberos, HDFS, etc.) to keep long-running Flink jobs alive. If the renewal task is delayed too long, tokens expire and jobs fail.

---

How the Renewal Loop Works

gaborgsomogyi

Hadoop Connector Migration Plan: uc-authz-common → refactored modules

Context

The unified-authz-ext library has been refactored on the refactoredCustomSigner branch:

• uc-authz-common is gone
• Its Hadoop-free content moved to uc-authz-core
• Its Hadoop-dependent content moved to uc-authz-hadoop-common

The Flink flink-s3-fs-hadoop connector previously depended on uc-authz-common:1.0.2-66 and has been updated to use the new modules.

gaborgsomogyi

When was TLS_RSA_WITH_AES_128_CBC_SHA dropped?

Answer: January 20, 2026

JDK Version	Release Date	TLS_RSA_* Status
JDK 11.0.29 and earlier	Before Jan 20, 2026	✅ Available
JDK 11.0.30+	January 20, 2026	❌ DISABLED
JDK 17.0.17 and earlier	Before Jan 20, 2026	✅ Available
JDK 17.0.18+	January 20, 2026	❌ DISABLED
JDK 21.0.9 and earlier	Before Jan 20, 2026	✅ Available

gaborgsomogyi

Flink State Serialization and Deserialization: TypeInformation and Serializers

Table of Contents

1. Overview
2. TypeInformation: The Foundation
3. TypeSerializer: The Workhorse
4. The Complete Flow
5. Detailed Example Walkthrough
6. State Evolution and Migration
7. Architecture Insights

gaborgsomogyi

Tasks

• Tokens must be tracked per service, only updated tokens must be sent to task managers
• Dynamic token initialization from user code must be added

  package org.apache.flink.api.common.security;

  /**
   * Manager for obtaining delegation tokens dynamically at runtime.
   * This allows user code to request tokens for services not known at cluster startup.

gaborgsomogyi

Which version affected?

$ gpg --version
gpg (GnuPG) 2.4.8

What kind of issue is one facing with?

Simple hanging!

gaborgsomogyi

Dependency management in python

Python is not able to handle 2 different versions from the same package.

Dependency handling issue

When Pip <20.3 finds an unresolvable dependency (resolves a dependecy to 2+ versions) then would not halt the installation process. It’d successfully continue the process by installing the first matching dependency in the list of conflicts.

gaborgsomogyi

    @SuppressWarnings("unchecked")
    public static void setEnv(String key, String value) {
        try {
            Map<String, String> env = System.getenv();
            Class<?> cl = env.getClass();
            Field field = cl.getDeclaredField("m");
            field.setAccessible(true);
            Map<String, String> writableEnv = (Map<String, String>) field.get(env);
 writableEnv.put(key, value);

gaborgsomogyi

Flink version 1.16.0

Note1: types are java compatible
Note2: all strings are in UTF format

UTF format String

• short length
• byte [length]

gaborgsomogyi

Prerequisites:

• Deploy Flink k8s operator
• Install cmctl

Double check that the appropriate certificate is created

$ kubectl get cert       
NAME                          READY   SECRET                AGE
flink-operator-serving-cert   True    webhook-server-cert   91m