[
https://issues.apache.org/jira/browse/FLINK-13516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16923044#comment-16923044
]
Haibo Sun edited comment on FLINK-13516 at 9/5/19 4:43 AM:
-----------------------------------------------------------
The failure of the case is due to the failure of authentication when the yarn
client requests access authorization of resource manager, and subsequent
retries lead to test timeout. New encryption types of
aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 (for Kerberos 5)
enabled by default were added in Java 11, while the current version of MiniKdc
used by Flink does not support these encryption types and does not work well
when these encryption types are enabled, which results in the authentication
failure.
There are two solutions to fix this issue, one is to add a configuration
template named "minikdc-krb5.conf" in the test resource directory, and
explicitly set default_tkt_enctypes and default_tgs_enctypes to use
aes128-cts-hmac-sha1-96 in the template file, the other is to bump MiniKdc to
the latest version 3.2.0 (I tested that this version has solved this problem).
I've tested both solutions on my local machine, and all tests that depend on
MiniKdc work well on Java 8 and Java 11. Considering that the version of
MiniKdc will be updated sooner or later, I suggest to use the second solution.
[~Zentol], what do you think?
was (Author: sunhaibotb):
The failure of the case is due to the failure of authentication when the yarn
client requests access authorization of resource manager, and subsequent
retries lead to test timeout. New encryption types of
aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 (for Kerberos 5)
enabled by default were added in Java 11, while the current version of MiniKdc
used by Flink does not support these encryption types and does not work well
when these encryption types are enabled, which results in the authentication
failure. There are two solutions to fix this issue, one is to add a
configuration template named "minikdc-krb5.conf" in the test resource
directory, and explicitly set default_tkt_enctypes and default_tgs_enctypes to
use aes128-cts-hmac-sha1-96 in the template file, the other is to bump MiniKdc
to the latest version 3.2.0 (I tested that this version has solved this
problem). I've tested both solutions on my local machine, and all tests that
depend on MiniKdc work well on Java 8 and Java 11. Considering that the version
of MiniKdc will be updated sooner or later, I suggest to use the second
solution. [~Zentol], what do you think?
> YARNSessionFIFOSecuredITCase fails on Java 11
> ---------------------------------------------
>
> Key: FLINK-13516
> URL: https://issues.apache.org/jira/browse/FLINK-13516
> Project: Flink
> Issue Type: Sub-task
> Components: Deployment / YARN, Tests
> Reporter: Chesnay Schepler
> Assignee: Haibo Sun
> Priority: Major
> Fix For: 1.10.0
>
>
> {{YARNSessionFIFOSecuredITCase#testDetachedMode}} times out when run on Java
> 11. This may be related to security changes in Java 11.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
