[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR

2020-06-03 Thread Bart Krasinski (Jira) 


[ 
https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124888#comment-17124888
 ] 

Bart Krasinski commented on FLINK-18045:


I've submitted the PR

> Newest version reintroduced a bug causing not working on secured MapR
> -
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
>  Issue Type: Bug
>  Components: Deployment / YARN
>Affects Versions: 1.10.1, 1.11.0
>Reporter: Bart Krasinski
>Assignee: Bart Krasinski
>Priority: Critical
>  Labels: pull-request-available
> Fix For: 1.11.0, 1.10.2
>
>
> I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but 
> the previous version (1.10.0) works fine.
> After some investigation it looks like during some refactoring, checking if 
> the enabled security method is kerberos was removed, effectively 
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>  
> Refactoring commit: 
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>  
> My proposal would be to bring back the kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == 
> UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add an unit test for that case to prevent it from happening again
> I'm happy to prepare a PR after reaching consensus



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR

2020-06-02 Thread Rong Rong (Jira) 


[ 
https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124277#comment-17124277
 ] 

Rong Rong commented on FLINK-18045:
---

yeah. that makes sense. +1 on the proposed solution #2

> Newest version reintroduced a bug causing not working on secured MapR
> -
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
>  Issue Type: Bug
>  Components: Deployment / YARN
>Affects Versions: 1.10.1, 1.11.0
>Reporter: Bart Krasinski
>Assignee: Bart Krasinski
>Priority: Critical
> Fix For: 1.11.0, 1.10.2
>
>
> I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but 
> the previous version (1.10.0) works fine.
> After some investigation it looks like during some refactoring, checking if 
> the enabled security method is kerberos was removed, effectively 
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>  
> Refactoring commit: 
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>  
> My proposal would be to bring back the kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == 
> UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add an unit test for that case to prevent it from happening again
> I'm happy to prepare a PR after reaching consensus



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR

2020-06-02 Thread Bart Krasinski (Jira) 


[ 
https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124237#comment-17124237
 ] 

Bart Krasinski commented on FLINK-18045:


Honestly at first I was thinking about simply adding that back to the if 
statement which contains _useTicketCache && !loginUser.hasKerberosCredentials_

 

 

Your proposal [~rongr] (+if I understand correctly+ entirely replacing 
_UserGroupInformation.isSecurityEnabled()_ statement with user auth method 
check) looks nice, but on the other hand Hadoop code inside 
UserGroupInformation class code often calls it like that:

 
{code:java}
if (isSecurityEnabled() && this.user.getAuthenticationMethod() == 
UserGroupInformation.AuthenticationMethod.KERBEROS /* then isKeytab or isKrbTkt 
*/ )
{code}
So it looks like it checks if any auth method was configured using the hadoop 
config, and then the auth method for the user.
And that might be another way to solve that ticket, which also looks pretty 
clean in my opinion.

 

To summarize:
 # Original proposal was to add the _{{loginUser.getAuthenticationMethod() == 
UserGroupInformation.AuthenticationMethod.KERBEROS}}_ back to the if statement 
together with _useTicketCache && !loginUser.hasKerberosCredentials_
 # The second way to go inspired by [~rongr] proposal & Hadoop code is to add 
_{{loginUser.getAuthenticationMethod() == 
UserGroupInformation.AuthenticationMethod.KERBEROS}}_ to the statement 
containing _UserGroupInformation.isSecurityEnabled()_

 

What do you think [~trohrmann], [~rongr]?

 

 

> Newest version reintroduced a bug causing not working on secured MapR
> -
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
>  Issue Type: Bug
>  Components: Deployment / YARN
>Affects Versions: 1.10.1, 1.11.0
>Reporter: Bart Krasinski
>Assignee: Bart Krasinski
>Priority: Critical
> Fix For: 1.11.0, 1.10.2
>
>
> I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but 
> the previous version (1.10.0) works fine.
> After some investigation it looks like during some refactoring, checking if 
> the enabled security method is kerberos was removed, effectively 
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>  
> Refactoring commit: 
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>  
> My proposal would be to bring back the kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == 
> UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add an unit test for that case to prevent it from happening again
> I'm happy to prepare a PR after reaching consensus



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR

2020-06-02 Thread Rong Rong (Jira) 


[ 
https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17123885#comment-17123885
 ] 

Rong Rong commented on FLINK-18045:
---

Yes. I think specifically checking auth method as Kerberos is the right way. I 
think the proposal is to replace this line: 
https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137#diff-3648957eaf615f89c12aab6ea0611b99R116
 correct? if so I think that works 

> Newest version reintroduced a bug causing not working on secured MapR
> -
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
>  Issue Type: Bug
>  Components: Deployment / YARN
>Affects Versions: 1.10.1, 1.11.0
>Reporter: Bart Krasinski
>Assignee: Bart Krasinski
>Priority: Critical
> Fix For: 1.11.0, 1.10.2
>
>
> I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but 
> the previous version (1.10.0) works fine.
> After some investigation it looks like during some refactoring, checking if 
> the enabled security method is kerberos was removed, effectively 
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>  
> Refactoring commit: 
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>  
> My proposal would be to bring back the kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == 
> UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add an unit test for that case to prevent it from happening again
> I'm happy to prepare a PR after reaching consensus



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR

2020-06-02 Thread Till Rohrmann (Jira) 


[ 
https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17123595#comment-17123595
 ] 

Till Rohrmann commented on FLINK-18045:
---

Thanks for reporting this issue [~krasinski]. Your solution proposal sounds 
good to me. I just wanted to double check with [~rongr] whether there was a 
specific reason for removing {{loginUser.getAuthenticationMethod() == 
UserGroupInformation.AuthenticationMethod.KERBEROS}} from the if statement.

> Newest version reintroduced a bug causing not working on secured MapR
> -
>
> Key: FLINK-18045
> URL: https://issues.apache.org/jira/browse/FLINK-18045
> Project: Flink
>  Issue Type: Bug
>  Components: Deployment / YARN
>Affects Versions: 1.10.1, 1.11.0
>Reporter: Bart Krasinski
>Priority: Critical
>
> I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but 
> the previous version (1.10.0) works fine.
> After some investigation it looks like during some refactoring, checking if 
> the enabled security method is kerberos was removed, effectively 
> reintroducing https://issues.apache.org/jira/browse/FLINK-5949
>  
> Refactoring commit: 
> [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137]
>  
> My proposal would be to bring back the kerberos check:
> {code:java}
> loginUser.getAuthenticationMethod() == 
> UserGroupInformation.AuthenticationMethod.KERBEROS
> {code}
> and add an unit test for that case to prevent it from happening again
> I'm happy to prepare a PR after reaching consensus



--
This message was sent by Atlassian Jira
(v8.3.4#803005)