Return-Path: <issues-return-80711-archive-asf-public=cust-asf.ponee.io@flink.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 87324200BCB
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 24 Nov 2016 18:20:01 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 85C72160B1E; Thu, 24 Nov 2016 17:20:01 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id CBA1B160AFB
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 24 Nov 2016 18:20:00 +0100 (CET)
Received: (qmail 95849 invoked by uid 500); 24 Nov 2016 17:20:00 -0000
Mailing-List: contact issues-help@flink.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@flink.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@flink.apache.org>
List-Post: <mailto:issues@flink.apache.org>
List-Id: <issues.flink.apache.org>
Reply-To: dev@flink.apache.org
Delivered-To: mailing list issues@flink.apache.org
Received: (qmail 95819 invoked by uid 99); 24 Nov 2016 17:20:00 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Nov 2016 17:20:00 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id CA0EC2C0079
	for <issues@flink.apache.org>; Thu, 24 Nov 2016 17:19:59 +0000 (UTC)
Date: Thu, 24 Nov 2016 17:19:59 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)" <jira@apache.org>
To: issues@flink.apache.org
Message-ID: <JIRA.13020111.1478872261000.362639.1480007999823@Atlassian.JIRA>
In-Reply-To: <JIRA.13020111.1478872261000@Atlassian.JIRA>
References: <JIRA.13020111.1478872261000@Atlassian.JIRA> <JIRA.13020111.1478872261265@arcas>
Subject: [jira] [Commented] (FLINK-5055) Security feature crashes JM for
 certain Hadoop versions even though using no Kerberos
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 24 Nov 2016 17:20:01 -0000


    [ https://issues.apache.org/jira/browse/FLINK-5055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15693816#comment-15693816 ] 

ASF GitHub Bot commented on FLINK-5055:
---------------------------------------

GitHub user mxm opened a pull request:

    https://github.com/apache/flink/pull/2864

    [FLINK-5055][security] skip Hadoop UGI login if unsecured

    The new Kerberos authentication code in Flink assumed that it's running against vanilla Hadoop. Original Hadoop's behavior is to skip a secure login if security is not configured. This is different for other distributions, e.g. the MapR Hadoop distribution of Hadoop.
    
    Thus, we need to make sure we don't perform any login action if security is not configured.
    
    This also performs minor code cleanup.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mxm/flink FLINK-5055

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/2864.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2864
    
----
commit 8193024a6451dd2594348ac0f001ed39b80f7302
Author: Maximilian Michels <mxm@apache.org>
Date:   2016-11-24T16:12:39Z

    [FLINK-5055][security] skip Hadoop UGI login if unsecured
    
    The new Kerberos authentication code in Flink assumed that it's running
    against vanilla Hadoop. Original Hadoop's behavior is to skip a secure
    login if security is not configured. This is different for other
    distributions, e.g. the MapR Hadoop distribution of Hadoop.
    
    Thus, we need to make sure we don't perform any login action if security
    is not configured.
    
    This also performs minor code cleanup.

----


> Security feature crashes JM for certain Hadoop versions even though using no Kerberos
> -------------------------------------------------------------------------------------
>
>                 Key: FLINK-5055
>                 URL: https://issues.apache.org/jira/browse/FLINK-5055
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0
>            Reporter: Till Rohrmann
>            Assignee: Maximilian Michels
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> A user reported [1] that the {{JobManager}} does not start when using Flink with Hadoop-2.7.0-mapr-1607 and no security activated because of 
> {code}
> javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
>         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> {code}
> It seems that this Hadoop version always tries to login via Kerberos even though the user did not activate it and, thus, should use {{AuthenticationMode.SIMPLE}}.
> I'm not really familiar with the security feature, but my understanding is that it should not have any effect on Flink when not activated. I might be wrong here, but if not, then we should fix this problem for 1.2.0 because it prevents people from using Flink.
> [1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/Flink-using-Yarn-on-MapR-td14484.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)