[jira] [Commented] (FLINK-5949) Flink on YARN checks for Kerberos credentials for non-Kerberos authentication methods

Tue, 14 Mar 2017 00:24:08 -0700 

    [ 
https://issues.apache.org/jira/browse/FLINK-5949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15923715#comment-15923715
 ] 

ASF GitHub Bot commented on FLINK-5949:
---------------------------------------

GitHub user tzulitai opened a pull request:

    https://github.com/apache/flink/pull/3528

    [FLINK-5949] [yarn] Don't check Kerberos credentials for non-Kerberos…

    Additionally uses the `UserGroupInformation#getAuthenticationMethod()` to 
determine whether `KERBEROS` is used for authentication.
    
    This fixes issues MapR users have been bumping into, where only MapR's 
custom SSL security was enabled (no Kerberos), but the Kerberos credentials 
were still checked for. For MapR's SSL security, the 
`getAuthenticationMethod()` returns `CUSTOM` (see 
http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Flink-Yarn-and-MapR-Kerberos-issue-td11996.html).
    
    Also tested and confirmed that the change doesn't break previous Kerberos 
with YARN behaviours for other vendors, e.g. CDH.
    
    This change should also be backported for {{release-1.2}}.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/tzulitai/flink FLINK-5949

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/3528.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #3528
    
----
commit 738c0355476464b34f9919307f881b23e3579d4f
Author: Tzu-Li (Gordon) Tai <[email protected]>
Date:   2017-03-14T05:42:26Z

    [FLINK-5949] [yarn] Don't check Kerberos credentials for non-Kerberos 
authentication methods

----


> Flink on YARN checks for Kerberos credentials for non-Kerberos authentication 
> methods
> -------------------------------------------------------------------------------------
>
>                 Key: FLINK-5949
>                 URL: https://issues.apache.org/jira/browse/FLINK-5949
>             Project: Flink
>          Issue Type: Bug
>          Components: Security, YARN
>    Affects Versions: 1.2.0
>            Reporter: Tzu-Li (Gordon) Tai
>            Assignee: Tzu-Li (Gordon) Tai
>            Priority: Blocker
>             Fix For: 1.3.0, 1.2.1
>
>
> Reported in ML: 
> http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Flink-Yarn-and-MapR-Kerberos-issue-td11996.html
> The problem is that the Flink on YARN client incorrectly assumes 
> {{UserGroupInformation.isSecurityEnabled()}} returns {{true}} only for 
> Kerberos authentication modes, whereas it actually returns {{true}} for other 
> kinds of authentications too.
> We could make use of {{UserGroupInformation.getAuthenticationMethod()}} to 
> check for {{KERBEROS}} only.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to