[
https://issues.apache.org/jira/browse/FLINK-5055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15693816#comment-15693816
]
ASF GitHub Bot commented on FLINK-5055:
---------------------------------------
GitHub user mxm opened a pull request:
https://github.com/apache/flink/pull/2864
[FLINK-5055][security] skip Hadoop UGI login if unsecured
The new Kerberos authentication code in Flink assumed that it's running
against vanilla Hadoop. Original Hadoop's behavior is to skip a secure login if
security is not configured. This is different for other distributions, e.g. the
MapR Hadoop distribution of Hadoop.
Thus, we need to make sure we don't perform any login action if security is
not configured.
This also performs minor code cleanup.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mxm/flink FLINK-5055
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/2864.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2864
----
commit 8193024a6451dd2594348ac0f001ed39b80f7302
Author: Maximilian Michels <[email protected]>
Date: 2016-11-24T16:12:39Z
[FLINK-5055][security] skip Hadoop UGI login if unsecured
The new Kerberos authentication code in Flink assumed that it's running
against vanilla Hadoop. Original Hadoop's behavior is to skip a secure
login if security is not configured. This is different for other
distributions, e.g. the MapR Hadoop distribution of Hadoop.
Thus, we need to make sure we don't perform any login action if security
is not configured.
This also performs minor code cleanup.
----
> Security feature crashes JM for certain Hadoop versions even though using no
> Kerberos
> -------------------------------------------------------------------------------------
>
> Key: FLINK-5055
> URL: https://issues.apache.org/jira/browse/FLINK-5055
> Project: Flink
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.2.0
> Reporter: Till Rohrmann
> Assignee: Maximilian Michels
> Priority: Critical
> Fix For: 1.2.0
>
>
> A user reported [1] that the {{JobManager}} does not start when using Flink
> with Hadoop-2.7.0-mapr-1607 and no security activated because of
> {code}
> javax.security.auth.login.LoginException: Unable to obtain Principal Name for
> authentication
> at
> com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
> at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
> at
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> {code}
> It seems that this Hadoop version always tries to login via Kerberos even
> though the user did not activate it and, thus, should use
> {{AuthenticationMode.SIMPLE}}.
> I'm not really familiar with the security feature, but my understanding is
> that it should not have any effect on Flink when not activated. I might be
> wrong here, but if not, then we should fix this problem for 1.2.0 because it
> prevents people from using Flink.
> [1]
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/Flink-using-Yarn-on-MapR-td14484.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
