[
https://issues.apache.org/jira/browse/FLINK-13516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16923044#comment-16923044
]
Haibo Sun edited comment on FLINK-13516 at 9/5/19 4:58 AM:
-----------------------------------------------------------
The failure of the case is due to the failure of authentication when the yarn
client requests access authorization of resource manager, and subsequent
retries lead to test timeout. New encryption types of
aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 (for Kerberos 5)
enabled by default were added in Java 11, while the current version of MiniKdc
used by Flink does not support these encryption types and does not work well
when these encryption types are enabled, which results in the authentication
failure.
Error Log:
{{DEBUG org.apache.hadoop.security.UserGroupInformation -
PrivilegedActionException as:hadoop/[email protected] (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Message stream
modified (41) - Message stream modified)]}}
There are two solutions to fix this issue, one is to add a configuration
template named "minikdc-krb5.conf" in the test resource directory, and
explicitly set default_tkt_enctypes and default_tgs_enctypes to use
aes128-cts-hmac-sha1-96 in the template file, the other is to bump MiniKdc to
the latest version 3.2.0 (I tested that this version has solved this problem).
I've tested both solutions on my local machine, and all tests that depend on
MiniKdc work well on Java 8 and Java 11. Given that the version of minikdc will
be updated sooner or later, if it runs successfully on Travis, I suggest to
use the second solution. [~Zentol], what do you think?
was (Author: sunhaibotb):
The failure of the case is due to the failure of authentication when the yarn
client requests access authorization of resource manager, and subsequent
retries lead to test timeout. New encryption types of
aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 (for Kerberos 5)
enabled by default were added in Java 11, while the current version of MiniKdc
used by Flink does not support these encryption types and does not work well
when these encryption types are enabled, which results in the authentication
failure.
{{DEBUG org.apache.hadoop.security.UserGroupInformation -
PrivilegedActionException as:hadoop/[email protected] (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Message stream
modified (41) - Message stream modified)]}}
There are two solutions to fix this issue, one is to add a configuration
template named "minikdc-krb5.conf" in the test resource directory, and
explicitly set default_tkt_enctypes and default_tgs_enctypes to use
aes128-cts-hmac-sha1-96 in the template file, the other is to bump MiniKdc to
the latest version 3.2.0 (I tested that this version has solved this problem).
I've tested both solutions on my local machine, and all tests that depend on
MiniKdc work well on Java 8 and Java 11. Given that the version of minikdc will
be updated sooner or later, if it runs successfully on Travis, I suggest to
use the second solution. [~Zentol], what do you think?
> YARNSessionFIFOSecuredITCase fails on Java 11
> ---------------------------------------------
>
> Key: FLINK-13516
> URL: https://issues.apache.org/jira/browse/FLINK-13516
> Project: Flink
> Issue Type: Sub-task
> Components: Deployment / YARN, Tests
> Reporter: Chesnay Schepler
> Assignee: Haibo Sun
> Priority: Major
> Fix For: 1.10.0
>
>
> {{YARNSessionFIFOSecuredITCase#testDetachedMode}} times out when run on Java
> 11. This may be related to security changes in Java 11.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
