flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-5055) Security feature crashes JM for certain Hadoop versions even though using no Kerberos
Date Thu, 24 Nov 2016 17:19:59 GMT

    [ https://issues.apache.org/jira/browse/FLINK-5055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15693816#comment-15693816
] 

ASF GitHub Bot commented on FLINK-5055:
---------------------------------------

GitHub user mxm opened a pull request:

    https://github.com/apache/flink/pull/2864

    [FLINK-5055][security] skip Hadoop UGI login if unsecured

    The new Kerberos authentication code in Flink assumed that it's running against vanilla
Hadoop. Original Hadoop's behavior is to skip a secure login if security is not configured.
This is different for other distributions, e.g. the MapR Hadoop distribution of Hadoop.
    
    Thus, we need to make sure we don't perform any login action if security is not configured.
    
    This also performs minor code cleanup.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mxm/flink FLINK-5055

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/2864.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2864
    
----
commit 8193024a6451dd2594348ac0f001ed39b80f7302
Author: Maximilian Michels <mxm@apache.org>
Date:   2016-11-24T16:12:39Z

    [FLINK-5055][security] skip Hadoop UGI login if unsecured
    
    The new Kerberos authentication code in Flink assumed that it's running
    against vanilla Hadoop. Original Hadoop's behavior is to skip a secure
    login if security is not configured. This is different for other
    distributions, e.g. the MapR Hadoop distribution of Hadoop.
    
    Thus, we need to make sure we don't perform any login action if security
    is not configured.
    
    This also performs minor code cleanup.

----


> Security feature crashes JM for certain Hadoop versions even though using no Kerberos
> -------------------------------------------------------------------------------------
>
>                 Key: FLINK-5055
>                 URL: https://issues.apache.org/jira/browse/FLINK-5055
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0
>            Reporter: Till Rohrmann
>            Assignee: Maximilian Michels
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> A user reported [1] that the {{JobManager}} does not start when using Flink with Hadoop-2.7.0-mapr-1607
and no security activated because of 
> {code}
> javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
>         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> {code}
> It seems that this Hadoop version always tries to login via Kerberos even though the
user did not activate it and, thus, should use {{AuthenticationMode.SIMPLE}}.
> I'm not really familiar with the security feature, but my understanding is that it should
not have any effect on Flink when not activated. I might be wrong here, but if not, then we
should fix this problem for 1.2.0 because it prevents people from using Flink.
> [1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/Flink-using-Yarn-on-MapR-td14484.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message