flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eron Wright (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FLINK-5364) Rework JAAS configuration to support user-supplied entries
Date Mon, 19 Dec 2016 18:33:58 GMT

     [ https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eron Wright  updated FLINK-5364:
--------------------------------
    Description: 
Recent issues (see linked) have brought to light a critical deficiency in the handling of
JAAS configuration.   

1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf used
by stock Hadoop.
2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable
each element separately) but isn't.

Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with
our defaults, rather than using an all-or-nothing approach.   

We should also address some recent regressions:

1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation,
which:
- handles the HADOOP_USER_NAME variable.
- installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
- picks up the HDFS/HBASE delegation tokens.

2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket
cache.




  was:
Recent issues (see linked) have brought to light a critical deficiency in the handling of
JAAS configuration.   

1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf used
by stock Hadoop.
2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable
each element separately) but isn't.

Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with
our defaults, rather than using an all-or-nothing approach.   

We should also address some recent regressions:
1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation,
which:
- handles the HADOOP_USER_NAME variable.
- installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
- picks up the HDFS/HBASE delegation tokens.
2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket
cache.





> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
>                 Key: FLINK-5364
>                 URL: https://issues.apache.org/jira/browse/FLINK-5364
>             Project: Flink
>          Issue Type: Bug
>          Components: Cluster Management
>            Reporter: Eron Wright 
>            Assignee: Eron Wright 
>            Priority: Critical
>              Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the handling
of JAAS configuration.   
> 1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf
used by stock Hadoop.
> 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can
enable each element separately) but isn't.
> Perhaps we should rework the JAAS conf code to merge any user-supplied configuration
with our defaults, rather than using an all-or-nothing approach.   
> We should also address some recent regressions:
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to login with
UserGroupInformation, which:
> - handles the HADOOP_USER_NAME variable.
> - installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
> - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and Kerberos
ticket cache.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message