[
https://issues.apache.org/jira/browse/FLINK-32465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17738124#comment-17738124
]
Gabor Somogyi commented on FLINK-32465:
---------------------------------------
e33875e on master
> KerberosLoginProvider.isLoginPossible does accidental login with keytab
> -----------------------------------------------------------------------
>
> Key: FLINK-32465
> URL: https://issues.apache.org/jira/browse/FLINK-32465
> Project: Flink
> Issue Type: Bug
> Components: API / Core
> Affects Versions: 1.18.0, 1.17.2
> Reporter: Gabor Somogyi
> Assignee: Gabor Somogyi
> Priority: Major
> Labels: pull-request-available
>
> In KerberosLoginProvider.isLoginPossible there is a call to
> UserGroupInformation.getCurrentUser() before principal check (keytab usage).
> This triggers an accidental login with either kerberos credentials if
> available, or as the local OS user, based on security settings. This is not
> problematic most of the time since KerberosLoginProvider.doLogin overwrites
> the credentials with keytab. The problem hurts however when login fails for
> whatever reason. Such case the workload is just not starting.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
