flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From EronWright <...@git.apache.org>
Subject [GitHub] flink issue #2864: [FLINK-5055][security] skip Hadoop UGI login if unsecured
Date Sat, 17 Dec 2016 22:50:41 GMT
Github user EronWright commented on the issue:

    https://github.com/apache/flink/pull/2864
  
    @mxm I think the root cause was incorrectly diagnosed here, and as a result this PR did
the wrong thing.   It is incorrect to bypass the UGI login methods when in 'SIMPLE' auth mode.
    
    For example, Flink uses the `HADOOP_USER_NAME` envvar to pass the client's username from
CLI to AppMaster to TaskManager; the HadoopSecurityContext must be used to apply it.    This
PR wrecks havoc on scenarios like this.
    
    I think the root cause in the MapR case is that MapR seems to rely on an [actual JAAS
config file](https://community.mapr.com/thread/9240), rather than on stock Hadoop's in-memory
JAAS configuration.   The true solution may be to merge the user-supplied JAAS with our in-memory
defaults, thus obtaining the `hadoop_simple` entry from `maps.login.conf`.
    
    CC @tillrohrmann @vijikarthi 



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message