[ https://issues.apache.org/jira/browse/FLINK-5055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15757752#comment-15757752 ]

ASF GitHub Bot commented on FLINK-5055:
---------------------------------------

Github user EronWright commented on the issue:

    https://github.com/apache/flink/pull/2864
  
    @mxm I think the root cause was incorrectly diagnosed here, and as a result 
this PR did the wrong thing. It is incorrect to bypass the UGI login methods 
when in 'SIMPLE' auth mode.
    
    For example, Flink uses the `HADOOP_USER_NAME` envvar to pass the client's 
username from CLI to AppMaster to TaskManager; the HadoopSecurityContext must 
be used to apply it. This PR wreaks havoc on scenarios like this.
    
    I think the root cause in the MapR case is that MapR seems to rely on an 
[actual JAAS config file](https://community.mapr.com/thread/9240), rather than 
on stock Hadoop's in-memory JAAS configuration. The true solution may be to 
merge the user-supplied JAAS with our in-memory defaults, thus obtaining the 
`hadoop_simple` entry from `maps.login.conf`.
    
    CC @tillrohrmann @vijikarthi 



> Security feature crashes JM for certain Hadoop versions even though using no 
> Kerberos
> -------------------------------------------------------------------------------------
>
>                 Key: FLINK-5055
>                 URL: https://issues.apache.org/jira/browse/FLINK-5055
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0
>            Reporter: Till Rohrmann
>            Assignee: Maximilian Michels
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> A user reported [1] that the {{JobManager}} does not start when using Flink 
> with Hadoop-2.7.0-mapr-1607 and no security activated because of 
> {code}
> javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
>         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> {code}
> It seems that this Hadoop version always tries to login via Kerberos even 
> though the user did not activate it and, thus, should use 
> {{AuthenticationMode.SIMPLE}}.
> I'm not really familiar with the security feature, but my understanding is 
> that it should not have any effect on Flink when not activated. I might be 
> wrong here, but if not, then we should fix this problem for 1.2.0 because it 
> prevents people from using Flink.
> [1] 
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/Flink-using-Yarn-on-MapR-td14484.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
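
The merge proposed in EronWright's comment above, sketched as an added example (not code from Flink, Hadoop or MapR): a JAAS `Configuration` that answers from a user-supplied configuration first and falls back to in-memory defaults. The class name, the `example.*` login module names and the `example-default-only` entry are hypothetical placeholders; only the `hadoop_simple` entry name comes from the comment.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical sketch: user-supplied JAAS entries win, in-memory defaults fill the gaps. */
public class MergedJaasConfiguration extends Configuration {
    private final Configuration userSupplied; // may be null when no JAAS file is configured
    private final Map<String, AppConfigurationEntry[]> defaults;

    public MergedJaasConfiguration(Configuration userSupplied,
                                   Map<String, AppConfigurationEntry[]> defaults) {
        this.userSupplied = userSupplied;
        this.defaults = new HashMap<>(defaults); // defensive copy
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (userSupplied != null) {
            AppConfigurationEntry[] fromUser = userSupplied.getAppConfigurationEntry(name);
            if (fromUser != null && fromUser.length > 0) {
                return fromUser; // the operator's file takes precedence
            }
        }
        return defaults.get(name); // null means "no such entry", per the JAAS contract
    }

    private static AppConfigurationEntry[] entry(String loginModule) {
        return new AppConfigurationEntry[] {new AppConfigurationEntry(
                loginModule, LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())};
    }

    public static void main(String[] args) {
        // Constructed stand-in for a vendor JAAS file that defines only hadoop_simple.
        Configuration vendorFile = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "hadoop_simple".equals(name) ? entry("example.VendorSimpleLoginModule") : null;
            }
        };
        // Constructed in-memory defaults, standing in for what the framework would register.
        Map<String, AppConfigurationEntry[]> inMemory = new HashMap<>();
        inMemory.put("hadoop_simple", entry("example.DefaultSimpleLoginModule"));
        inMemory.put("example-default-only", entry("example.DefaultOnlyLoginModule"));

        Configuration merged = new MergedJaasConfiguration(vendorFile, inMemory);
        for (String name : new String[] {"hadoop_simple", "example-default-only", "missing"}) {
            AppConfigurationEntry[] e = merged.getAppConfigurationEntry(name);
            System.out.println(name + " -> " + (e == null ? "none" : e[0].getLoginModuleName()));
        }
    }
}
```

Such a configuration would be installed process-wide with `Configuration.setConfiguration(...)`, so the precedence order decides which login module every later `LoginContext` lookup resolves to.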
