flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-3929) Support for Kerberos Authentication with Keytab Credential
Date Tue, 02 Aug 2016 13:56:20 GMT

    [ https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15403999#comment-15403999
] 

ASF GitHub Bot commented on FLINK-3929:
---------------------------------------

Github user mxm commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2275#discussion_r73158919
  
    --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/security/JaasConfiguration.java
---
    @@ -0,0 +1,158 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.flink.runtime.security;
    +
    +import org.apache.flink.annotation.Internal;
    +import org.apache.flink.util.Preconditions;
    +import org.apache.hadoop.security.authentication.util.KerberosUtil;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.security.auth.login.AppConfigurationEntry;
    +import javax.security.auth.login.Configuration;
    +import java.io.File;
    +import java.util.HashMap;
    +import java.util.Map;
    +
    +/**
    + *
    + * JAAS configuration provider object that provides default LoginModule for various connectors
that supports
    + * JAAS/SASL based Kerberos authentication. The implementation is inspired from Hadoop
UGI class.
    + *
    + * Different connectors uses different login module name to implement JAAS based authentication
support.
    + * For example, Kafka expects the login module name to be "kafkaClient" whereas ZooKeeper
expect the
    + * name to be "client". This sets onus on the Flink cluster administrator to configure/provide
right
    + * JAAS config entries. To simplify this requirement, we have introduced this abstraction
that provides
    + * a standard lookup to get the login module entry for the JAAS based authentication
to work.
    + *
    + * HDFS connector will not be impacted with this configuration since it uses UGI based
mechanism to authenticate.
    + *
    + * <a href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/Configuration.html">Configuration</a>
    + *
    + */
    +
    +@Internal
    +public class JaasConfiguration extends Configuration {
    +
    +	private static final Logger LOG = LoggerFactory.getLogger(JaasConfiguration.class);
    +
    +	public static final String JAVA_VENDOR_NAME = System.getProperty("java.vendor");
    +
    +	public static final boolean IBM_JAVA;
    +
    +	static {
    +		IBM_JAVA = JAVA_VENDOR_NAME.contains("IBM");
    +	}
    +
    +	public JaasConfiguration(String keytab, String principal) {
    --- End diff --
    
    Then making it protected should work.


> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
>                 Key: FLINK-3929
>                 URL: https://issues.apache.org/jira/browse/FLINK-3929
>             Project: Flink
>          Issue Type: New Feature
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: kerberos, security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
design doc._
> Add support for a keytab credential to be associated with the Flink cluster, to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message