flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-3929) Support for Kerberos Authentication with Keytab Credential
Date Mon, 01 Aug 2016 16:56:20 GMT

    [ https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402398#comment-15402398
] 

ASF GitHub Bot commented on FLINK-3929:
---------------------------------------

Github user vijikarthi commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2275#discussion_r73012870
  
    --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/security/JaasConfiguration.java
---
    @@ -0,0 +1,158 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.flink.runtime.security;
    +
    +import org.apache.flink.annotation.Internal;
    +import org.apache.flink.util.Preconditions;
    +import org.apache.hadoop.security.authentication.util.KerberosUtil;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.security.auth.login.AppConfigurationEntry;
    +import javax.security.auth.login.Configuration;
    +import java.io.File;
    +import java.util.HashMap;
    +import java.util.Map;
    +
    +/**
    + *
    + * JAAS configuration provider object that provides default LoginModule for various connectors
that supports
    + * JAAS/SASL based Kerberos authentication. The implementation is inspired from Hadoop
UGI class.
    + *
    + * Different connectors uses different login module name to implement JAAS based authentication
support.
    + * For example, Kafka expects the login module name to be "kafkaClient" whereas ZooKeeper
expect the
    + * name to be "client". This sets onus on the Flink cluster administrator to configure/provide
right
    + * JAAS config entries. To simplify this requirement, we have introduced this abstraction
that provides
    + * a standard lookup to get the login module entry for the JAAS based authentication
to work.
    + *
    + * HDFS connector will not be impacted with this configuration since it uses UGI based
mechanism to authenticate.
    + *
    + * <a href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/Configuration.html">Configuration</a>
    + *
    + */
    +
    +@Internal
    +public class JaasConfiguration extends Configuration {
    +
    +	private static final Logger LOG = LoggerFactory.getLogger(JaasConfiguration.class);
    +
    +	public static final String JAVA_VENDOR_NAME = System.getProperty("java.vendor");
    +
    +	public static final boolean IBM_JAVA;
    +
    +	static {
    +		IBM_JAVA = JAVA_VENDOR_NAME.contains("IBM");
    +	}
    +
    +	public JaasConfiguration(String keytab, String principal) {
    +
    +		LOG.info("Initializing JAAS configuration instance. Parameters: {}, {}", keytab, principal);
    +
    +		if(!Preconditions.isNullOrEmpty(keytab) && !Preconditions.isNullOrEmpty(principal))
{
    +
    +			if(IBM_JAVA) {
    +				keytabKerberosOptions.put("useKeytab", prependFileUri(keytab));
    +				keytabKerberosOptions.put("credsType", "both");
    +			} else {
    +				keytabKerberosOptions.put("keyTab", keytab);
    +				keytabKerberosOptions.put("doNotPrompt", "true");
    +				keytabKerberosOptions.put("useKeyTab", "true");
    +				keytabKerberosOptions.put("storeKey", "true");
    +			}
    +
    +			keytabKerberosOptions.put("principal", principal);
    +			keytabKerberosOptions.put("refreshKrb5Config", "true");
    +			keytabKerberosOptions.putAll(debugOptions);
    +
    +			keytabKerberosAce = new AppConfigurationEntry(
    +					KerberosUtil.getKrb5LoginModuleName(),
    +					AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
    +					keytabKerberosOptions);
    +		}
    +	}
    +
    +	private static final Map<String, String> debugOptions = new HashMap<>();
    +
    +	private static final Map<String, String> kerberosCacheOptions = new HashMap<>();
    +
    +	private static final Map<String, String> keytabKerberosOptions = new HashMap<>();
    +
    +	private static final AppConfigurationEntry userKerberosAce;
    +
    +	private AppConfigurationEntry keytabKerberosAce = null;
    +
    +	public static Map<String, String> getKeytabKerberosOptions() {
    +		return keytabKerberosOptions;
    +	}
    +
    +	private static String prependFileUri(String keytabPath) {
    +		File f = new File(keytabPath);
    +		return f.toURI().toString();
    +	}
    +
    +	static {
    --- End diff --
    
    Didn't realized that. Yes, will be combined


> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
>                 Key: FLINK-3929
>                 URL: https://issues.apache.org/jira/browse/FLINK-3929
>             Project: Flink
>          Issue Type: New Feature
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: kerberos, security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
design doc._
> Add support for a keytab credential to be associated with the Flink cluster, to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message