[ https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15797211#comment-15797211 ]
ASF GitHub Bot commented on FLINK-5364: --------------------------------------- GitHub user EronWright opened a pull request: https://github.com/apache/flink/pull/3057 [FLINK-5364] Rework JAAS configuration to support user-supplied entries Fixes FLINK-5364, FLINK-5361, FLINK-5350, FLINK-5055 CC @tillrohrmann You can merge this pull request into a Git repository by running: $ git pull https://github.com/EronWright/flink feature-FLINK-5364-rebase Alternatively you can review and apply these changes as the patch at: https://github.com/apache/flink/pull/3057.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #3057 ---- commit 4acf43624c16627aaa89560c8361fe4bf9a19fa6 Author: wrighe3 <eron.wri...@emc.com> Date: 2016-12-20T09:07:38Z [FLINK-5364] Rework JAAS configuration to support user-supplied entries Fixes FLINK-5364, FLINK-5361, FLINK-5350, FLINK-5055 commit 2d56de9fe1da2e0ecdfd02498b71a8477e9295b3 Author: wrighe3 <eron.wri...@emc.com> Date: 2017-01-04T05:18:12Z [FLINK-5364] Rework JAAS configuration to support user-supplied entries Minor fixes and doc changes. ---- > Rework JAAS configuration to support user-supplied entries > ---------------------------------------------------------- > > Key: FLINK-5364 > URL: https://issues.apache.org/jira/browse/FLINK-5364 > Project: Flink > Issue Type: Bug > Components: Cluster Management > Reporter: Eron Wright > Assignee: Eron Wright > Priority: Critical > Labels: kerberos, security > > Recent issues (see linked) have brought to light a critical deficiency in the > handling of JAAS configuration. > 1. the MapR distribution relies on an explicit JAAS conf, rather than > in-memory conf used by stock Hadoop. > 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent > (one can enable each element separately) but isn't. > Perhaps we should rework the JAAS conf code to merge any user-supplied > configuration with our defaults, rather than using an all-or-nothing > approach. > We should also address some recent regressions: > 1. The HadoopSecurityContext should be installed regardless of auth mode, to > login with UserGroupInformation, which: > - handles the HADOOP_USER_NAME variable. > - installs an OS-specific user principal (from UnixLoginModule etc.) > unrelated to Kerberos. > - picks up the HDFS/HBASE delegation tokens. > 2. Fix the use of alternative authentication methods - delegation tokens and > Kerberos ticket cache. -- This message was sent by Atlassian JIRA (v6.3.4#6332)