[
https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eron Wright updated FLINK-5364:
--------------------------------
Description:

Recent issues (see linked) have brought to light a critical deficiency in the
handling of JAAS configuration.

1. The MapR distribution relies on an explicit JAAS conf, rather than in-memory
   conf used by stock Hadoop.
2. The ZK/Kafka/Hadoop security configuration is supposed to be independent
   (one can enable each element separately) but isn't.

Perhaps we should rework the JAAS conf code to merge any user-supplied
configuration with our defaults, rather than using an all-or-nothing approach.

We should also address some recent regressions:

1. The HadoopSecurityContext should be installed regardless of auth mode, to
   login with UserGroupInformation, which:
   - handles the HADOOP_USER_NAME variable.
   - installs an OS-specific user principal (from UnixLoginModule etc.) unrelated
     to Kerberos.
   - picks up the HDFS/HBASE delegation tokens.
2. Fix the use of alternative authentication methods - delegation tokens and
   Kerberos ticket cache.

was:

Recent issues (see linked) have brought to light a critical deficiency in the
handling of JAAS configuration.

1. The MapR distribution relies on an explicit JAAS conf, rather than in-memory
   conf used by stock Hadoop.
2. The ZK/Kafka/Hadoop security configuration is supposed to be independent
   (one can enable each element separately) but isn't.

Perhaps we should rework the JAAS conf code to merge any user-supplied
configuration with our defaults, rather than using an all-or-nothing approach.

We should also address some recent regressions:

1. The HadoopSecurityContext should be installed regardless of auth mode. For
   example, verify the use of HADOOP_USER_NAME in 'SIMPLE' auth mode.
2. Fix the use of alternative authentication methods - delegation tokens and
   Kerberos ticket cache.

> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
> Key: FLINK-5364
> URL: https://issues.apache.org/jira/browse/FLINK-5364
> Project: Flink
> Issue Type: Bug
> Components: Cluster Management
> Reporter: Eron Wright
> Assignee: Eron Wright
> Priority: Critical
> Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the
> handling of JAAS configuration.
>
> 1. The MapR distribution relies on an explicit JAAS conf, rather than
>    in-memory conf used by stock Hadoop.
> 2. The ZK/Kafka/Hadoop security configuration is supposed to be independent
>    (one can enable each element separately) but isn't.
>
> Perhaps we should rework the JAAS conf code to merge any user-supplied
> configuration with our defaults, rather than using an all-or-nothing
> approach.
>
> We should also address some recent regressions:
>
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to
>    login with UserGroupInformation, which:
>    - handles the HADOOP_USER_NAME variable.
>    - installs an OS-specific user principal (from UnixLoginModule etc.)
>      unrelated to Kerberos.
>    - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and
> Kerberos ticket cache.
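
The merge approach proposed in the description, sketched as an added example (not Flink's code and not the reporter's): a JAAS `Configuration` that resolves each context from the user-supplied configuration first and falls back to a per-context default, instead of all-or-nothing. The class name `MergedJaasConfiguration`, the keytab file names and the choice of the `Client` (ZooKeeper) and `KafkaClient` contexts are assumptions for illustration.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical class: per-context merge of user-supplied JAAS entries with defaults. */
public class MergedJaasConfiguration extends Configuration {
    private final Configuration userConf; // null when no JAAS file was supplied
    private final Map<String, AppConfigurationEntry[]> defaults = new HashMap<>();

    public MergedJaasConfiguration(Configuration userConf) { this.userConf = userConf; }

    /** Registers a default for one context, so each service is enabled separately. */
    public void addDefault(String context, AppConfigurationEntry... entries) {
        defaults.put(context, entries);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (userConf != null) {
            AppConfigurationEntry[] fromUser = userConf.getAppConfigurationEntry(name);
            // A user entry wins, but only for the context it actually defines.
            if (fromUser != null && fromUser.length > 0) return fromUser;
        }
        return defaults.get(name); // null = no entry, per the Configuration contract
    }

    // Keytab login entry; the keytab names passed in below are constructed samples.
    private static AppConfigurationEntry krb5(String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        return new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
    }

    public static void main(String[] args) {
        // Constructed user conf that defines only the ZooKeeper "Client" context.
        Configuration user = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return "Client".equals(n) ? new AppConfigurationEntry[] {krb5("user.keytab")} : null;
            }
        };
        MergedJaasConfiguration merged = new MergedJaasConfiguration(user);
        merged.addDefault("Client", krb5("default.keytab"));
        merged.addDefault("KafkaClient", krb5("default.keytab"));
        for (String ctx : new String[] {"Client", "KafkaClient"}) {
            System.out.println(ctx + " -> " + merged.getAppConfigurationEntry(ctx)[0].getOptions().get("keyTab"));
        }
    }
}
```

Installing such an object with `Configuration.setConfiguration(...)` makes it the process-wide JAAS configuration, so a context the user never defined still resolves to its default.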