Date: Fri, 20 Jul 2018 11:57:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@flink.apache.org
Subject: [jira] [Commented] (FLINK-8981) Add end-to-end test for running on YARN with Kerberos

[ https://issues.apache.org/jira/browse/FLINK-8981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16550699#comment-16550699 ]

ASF GitHub Bot commented on FLINK-8981:
---------------------------------------

Github user dawidwys commented on a diff in the pull request:

    https://github.com/apache/flink/pull/6377#discussion_r204020749

--- Diff: flink-end-to-end-tests/test-scripts/docker-hadoop-secure-cluster/README.md ---
@@ -0,0 +1,118 @@ +# Apache Hadoop Docker image with Kerberos enabled + +This image is modified version of Knappek/docker-hadoop-secure + * Knappek/docker-hadoop-secure + +With bits and pieces added from Lewuathe/docker-hadoop-cluster to extend it to start a proper kerberized Hadoop cluster: + * Lewuathe/docker-hadoop-cluster + +And a lot of added stuff for making this an actual, properly configured, kerberized cluster with proper user/permissions structure. + +Versions +-------- + +* JDK8 +* Hadoop 2.8.3 + +Default Environment Variables +----------------------------- + +| Name | Value | Description | +| ---- | ---- | ---- | +| `KRB_REALM` | `EXAMPLE.COM` | The Kerberos Realm, more information [here](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#) | +| `DOMAIN_REALM` | `example.com` | The Kerberos Domain Realm, more information [here](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#) | +| `KERBEROS_ADMIN` | `admin/admin` | The KDC admin user | +| `KERBEROS_ADMIN_PASSWORD` | `admin` | The KDC admin password | + +You can simply define these variables in the `docker-compose.yml`. 
+ +Run image +--------- + +Clone the [Github project](https://github.com/aljoscha/docker-hadoop-secure-cluster) and run + +``` +docker-compose up +``` + +Usage +----- + +Get the container name with `docker ps` and login to the container with + +``` +docker exec -it /bin/bash +``` + + +To obtain a Kerberos ticket, execute + +``` +kinit -kt /home/hadoop-user/hadoop-user.keytab hadoop-user +``` + +Afterwards you can use `hdfs` CLI like + +``` +hdfs dfs -ls / +``` + + +Known issues +------------ + +### Unable to obtain Kerberos password + +#### Error +docker-compose up fails for the first time with the error + +``` +Login failure for nn/hadoop.docker.com@EXAMPLE.COM from keytab /etc/security/keytabs/nn.service.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user +``` + +#### Solution + +Stop the containers with `docker-compose down` and start again with `docker-compose up -d`. + + +### JDK 8 + +Make sure you use download a JDK version that is still available. Old versions can be deprecated by Oracle and thus the download link won't be able anymore. + +Get the latest JDK8 Download URL with + +``` +curl -s https://lv.binarybabel.org/catalog-api/java/jdk8.json +``` + +### Java Keystore + +If the Keystroe has been expired, then create a new `keystore.jks`: --- End diff --

Keystroe -> Keystore

Won't it be a problem in tests? Will the test start failing one day because the keystore expired?

> Add end-to-end test for running on YARN with Kerberos
> -----------------------------------------------------
>
> Key: FLINK-8981
> URL: https://issues.apache.org/jira/browse/FLINK-8981
> Project: Flink
> Issue Type: Sub-task
> Components: Security, Tests
> Affects Versions: 1.5.0
> Reporter: Till Rohrmann
> Assignee: Aljoscha Krettek
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 1.6.0
>
> We should add an end-to-end test which verifies Flink's integration with Kerberos security. In order to do this, we should start a Kerberos secured Hadoop, ZooKeeper and Kafka cluster. Then we should start a Flink cluster with HA enabled and run a job which reads from and writes to Kafka. We could use a simple pipe job for that purpose which has some state for checkpointing to HDFS.
> See [security docs| https://ci.apache.org/projects/flink/flink-docs-master/ops/security-kerberos.html] for more information about Flink's Kerberos integration.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
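
Review bot: In the "Default Environment Variables" table the KDC admin `admin/admin` ships with `KERBEROS_ADMIN_PASSWORD` set to `admin`, and the README does not say that these defaults are meant only for the throwaway test cluster. Suggest a sentence under the table stating that, and that the values should be overridden in `docker-compose.yml` if the image is reused anywhere else. Under "JDK 8", the download URL is looked up from a third-party catalog with `curl -s` and no version pin or checksum check is mentioned; pinning the JDK build and verifying its checksum would keep the image build reproducible. The "Known issues" workaround (`docker-compose down`, then `docker-compose up -d`) is a manual step, so the README should also say how the end-to-end test script handles the first-start login failure.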