[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17124237#comment-17124237 ]
Bart Krasinski commented on FLINK-18045:
----------------------------------------
Honestly, at first I was thinking about simply adding that back to the if
statement which contains _useTicketCache && !loginUser.hasKerberosCredentials_.
Your proposal [~rongr] (+if I understand correctly+, entirely replacing the
_UserGroupInformation.isSecurityEnabled()_ statement with a user auth method
check) looks nice, but on the other hand Hadoop code inside the
UserGroupInformation class often calls it like this:
{code:java}
if (isSecurityEnabled()
    && this.user.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS
    /* then isKeytab or isKrbTkt */)
{code}
So it looks like it checks if any auth method was configured using the Hadoop
config, and then the auth method for the user.
And that might be another way to solve that ticket, which also looks pretty
clean in my opinion.
To summarize:
# The original proposal was to add the
_{{loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS}}_
check back to the if statement, together with
_useTicketCache && !loginUser.hasKerberosCredentials_.
# The second way to go, inspired by [~rongr]'s proposal and Hadoop code, is to add
_{{loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS}}_
to the statement containing _UserGroupInformation.isSecurityEnabled()_.
What do you think [~trohrmann], [~rongr]?
> Newest version reintroduced a bug causing not working on secured MapR
> ---------------------------------------------------------------------
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
> Issue Type: Bug
> Components: Deployment / YARN
> Affects Versions: 1.10.1, 1.11.0
> Reporter: Bart Krasinski
> Assignee: Bart Krasinski
> Priority: Critical
> Fix For: 1.11.0, 1.10.2
>
>
> I was not able to run Flink 1.10.1 on YARN on a secured MapR cluster, but
> the previous version (1.10.0) works fine.
> After some investigation it looks like, during some refactoring, the check for
> whether the enabled security method is Kerberos was removed, effectively
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>
> Refactoring commit:
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>
> My proposal would be to bring back the Kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add a unit test for that case to prevent it from happening again.
> I'm happy to prepare a PR after reaching consensus.
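The two options summarized in the comment above, modelled as an added example that is not Flink or Hadoop code and not part of the original message. It assumes the ticket-cache check sits inside the `isSecurityEnabled()` block; `AuthMethod`, `Login`, the `rejects*` methods and the sample cases are hypothetical stand-ins constructed for illustration.

```java
import java.util.List;

// Added illustration with local stand-ins; not Flink or Hadoop source. Needs Java 16+.
public class KerberosCheckModel {
    // Stand-in for UserGroupInformation.AuthenticationMethod. OTHER is a hypothetical
    // label for a secured, non-Kerberos login like the one on the MapR cluster.
    enum AuthMethod { SIMPLE, KERBEROS, OTHER }

    // Constructed inputs: the four values the conditions in the thread read.
    record Login(String label, boolean securityEnabled, AuthMethod method,
                 boolean useTicketCache, boolean hasKerberosCredentials) {}

    // Check as the issue describes it after the refactoring: no auth-method test.
    static boolean rejectsRegressed(Login l) {
        return l.securityEnabled() && l.useTicketCache() && !l.hasKerberosCredentials();
    }

    // Option 1: KERBEROS test joins useTicketCache && !hasKerberosCredentials.
    static boolean rejectsOption1(Login l) {
        boolean inner = l.method() == AuthMethod.KERBEROS
                && l.useTicketCache() && !l.hasKerberosCredentials();
        return l.securityEnabled() && inner;
    }

    // Option 2: KERBEROS test joins isSecurityEnabled(), as in the Hadoop snippet.
    static boolean rejectsOption2(Login l) {
        boolean outer = l.securityEnabled() && l.method() == AuthMethod.KERBEROS;
        return outer && l.useTicketCache() && !l.hasKerberosCredentials();
    }

    public static void main(String[] args) {
        List<Login> cases = List.of(
            new Login("kerberos, ticket cache, credentials", true, AuthMethod.KERBEROS, true, true),
            new Login("kerberos, ticket cache, none", true, AuthMethod.KERBEROS, true, false),
            new Login("kerberos, keytab login", true, AuthMethod.KERBEROS, false, false),
            new Login("secured, non-kerberos method", true, AuthMethod.OTHER, true, false),
            new Login("security disabled", false, AuthMethod.SIMPLE, true, false));
        for (Login l : cases) {
            boolean r = rejectsRegressed(l), o1 = rejectsOption1(l), o2 = rejectsOption2(l);
            System.out.printf("%-38s regressed=%-5b option1=%-5b option2=%b%n", l.label(), r, o1, o2);
            // Both options must agree, and differ from the regressed check only
            // for a secured login whose method is not KERBEROS.
            boolean nonKerberosSecured = l.securityEnabled() && l.method() != AuthMethod.KERBEROS;
            if (o1 != o2 || (r != o1) != (nonKerberosSecured && r)) {
                throw new AssertionError("unexpected result for: " + l.label());
            }
        }
    }
}
```

Under this model both options give the same verdict on every row, so the choice between them only changes which other statements in the `isSecurityEnabled()` block the Kerberos test also guards.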