flink-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tzu-Li (Gordon) Tai" <tzuli...@apache.org>
Subject Re: Flink, Yarn and MapR Kerberos issue
Date Thu, 02 Mar 2017 06:22:00 GMT
Hi Aniket,

Thanks a lot for reporting this.

I’m afraid this seems to be a bug with Flink on YARN’s Kerberos authentication. It is
incorrectly checking for Kerberos credentials even for non-Kerberos authentication methods.
I’ve filed a JIRA for this: https://issues.apache.org/jira/browse/FLINK-5949.

For the time being, I don’t think there’s a simple way to workaround it before the bug
is fixed, because the bug indicates that whatever security type is enabled, Kerberos is used.
We should probably have this fixed soon in the next bug fix release for Flink 1.2.

- Gordon


On March 2, 2017 at 7:11:02 AM, ani.desh1512 (ani.desh1512@gmail.com) wrote:

I am trying to setup Flink 1.2 using yarn on MapR (v5.2.0). The MapR cluster,  
on which, I am trying to setup this is a secure cluster. But, this cluster  
does not use Kerberos. Mapr, by default, uses some variant of ssl  
<http://maprdocs.mapr.com/home/SecurityGuide/Enable-wire-level-security.html>  
and MapR also normally has its own JAAS .conf file, which it relies on.  

When I try to run yarn-session.sh, I get the following error:  

/java.lang.RuntimeException: Hadoop security is enabled but the login user  
does not have Kerberos credentials/  
To resolve this I tried the following two things:  

1. I had seen a somewhat similar mention of this issue on JIRA  
<https://issues.apache.org/jira/browse/FLINK-5055> . The issue says that  
its resolved in 1.2 but the comments on that issue do not indicate that.  
By the way, I have added  
"-Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf" in the  
yarn-session.sh file. But I still the get the same issue.  

So, is this issue resolved? What am I missing here? Why does Flink require  
Kerberos credentials when MapR has no Kerberos setup?  

2. I also tried specifying following in flink-conf.yaml:  
security.ssl.enabled: true  
security.ssl.keystore: /opt/mapr/conf/ssl_keystore  
security.ssl.keystore-password: <>  
security.ssl.key-password: <>  
security.ssl.truststore: /opt/mapr/conf/ssl_truststore  
security.ssl.truststore-password: <>  

But, this too did not solve the problem and I get the same issue. Why is  
Flink trying to get Kerberos credentials even after ssl security is enabled?  

Thanks,  
Aniket  





--  
View this message in context: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Flink-Yarn-and-MapR-Kerberos-issue-tp11996.html
 
Sent from the Apache Flink User Mailing List archive. mailing list archive at Nabble.com.
 

Mime
View raw message