[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR
[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124888#comment-17124888 ] Bart Krasinski commented on FLINK-18045: I've submitted the PR > Newest version reintroduced a bug causing not working on secured MapR > - > > Key: FLINK-18045 > URL: https://issues.apache.org/jira/browse/FLINK-18045 > Project: Flink > Issue Type: Bug > Components: Deployment / YARN >Affects Versions: 1.10.1, 1.11.0 >Reporter: Bart Krasinski >Assignee: Bart Krasinski >Priority: Critical > Labels: pull-request-available > Fix For: 1.11.0, 1.10.2 > > > I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but > the previous version (1.10.0) works fine. > After some investigation it looks like during some refactoring, checking if > the enabled security method is kerberos was removed, effectively > reintroducing https://issues.apache.org/jira/browse/FLINK-5949 > > Refactoring commit: > [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137] > > My proposal would be to bring back the kerberos check: > {code:java} > loginUser.getAuthenticationMethod() == > UserGroupInformation.AuthenticationMethod.KERBEROS > {code} > and add an unit test for that case to prevent it from happening again > I'm happy to prepare a PR after reaching consensus -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR
[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124277#comment-17124277 ] Rong Rong commented on FLINK-18045: --- yeah. that makes sense. +1 on the proposed solution #2 > Newest version reintroduced a bug causing not working on secured MapR > - > > Key: FLINK-18045 > URL: https://issues.apache.org/jira/browse/FLINK-18045 > Project: Flink > Issue Type: Bug > Components: Deployment / YARN >Affects Versions: 1.10.1, 1.11.0 >Reporter: Bart Krasinski >Assignee: Bart Krasinski >Priority: Critical > Fix For: 1.11.0, 1.10.2 > > > I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but > the previous version (1.10.0) works fine. > After some investigation it looks like during some refactoring, checking if > the enabled security method is kerberos was removed, effectively > reintroducing https://issues.apache.org/jira/browse/FLINK-5949 > > Refactoring commit: > [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137] > > My proposal would be to bring back the kerberos check: > {code:java} > loginUser.getAuthenticationMethod() == > UserGroupInformation.AuthenticationMethod.KERBEROS > {code} > and add an unit test for that case to prevent it from happening again > I'm happy to prepare a PR after reaching consensus -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR
[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17124237#comment-17124237 ] Bart Krasinski commented on FLINK-18045: Honestly at first I was thinking about simply adding that back to the if statement which contains _useTicketCache && !loginUser.hasKerberosCredentials_ Your proposal [~rongr] (+if I understand correctly+ entirely replacing _UserGroupInformation.isSecurityEnabled()_ statement with user auth method check) looks nice, but on the other hand Hadoop code inside UserGroupInformation class code often calls it like that: {code:java} if (isSecurityEnabled() && this.user.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS /* then isKeytab or isKrbTkt */ ) {code} So it looks like it checks if any auth method was configured using the hadoop config, and then the auth method for the user. And that might be another way to solve that ticket, which also looks pretty clean in my opinion. To summarize: # Original proposal was to add the _{{loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS}}_ back to the if statement together with _useTicketCache && !loginUser.hasKerberosCredentials_ # The second way to go inspired by [~rongr] proposal & Hadoop code is to add _{{loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS}}_ to the statement containing _UserGroupInformation.isSecurityEnabled()_ What do you think [~trohrmann], [~rongr]? > Newest version reintroduced a bug causing not working on secured MapR > - > > Key: FLINK-18045 > URL: https://issues.apache.org/jira/browse/FLINK-18045 > Project: Flink > Issue Type: Bug > Components: Deployment / YARN >Affects Versions: 1.10.1, 1.11.0 >Reporter: Bart Krasinski >Assignee: Bart Krasinski >Priority: Critical > Fix For: 1.11.0, 1.10.2 > > > I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but > the previous version (1.10.0) works fine. > After some investigation it looks like during some refactoring, checking if > the enabled security method is kerberos was removed, effectively > reintroducing https://issues.apache.org/jira/browse/FLINK-5949 > > Refactoring commit: > [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137] > > My proposal would be to bring back the kerberos check: > {code:java} > loginUser.getAuthenticationMethod() == > UserGroupInformation.AuthenticationMethod.KERBEROS > {code} > and add an unit test for that case to prevent it from happening again > I'm happy to prepare a PR after reaching consensus -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR
[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17123885#comment-17123885 ] Rong Rong commented on FLINK-18045: --- Yes. I think specifically checking auth method as Kerberos is the right way. I think the proposal is to replace this line: https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137#diff-3648957eaf615f89c12aab6ea0611b99R116 correct? if so I think that works > Newest version reintroduced a bug causing not working on secured MapR > - > > Key: FLINK-18045 > URL: https://issues.apache.org/jira/browse/FLINK-18045 > Project: Flink > Issue Type: Bug > Components: Deployment / YARN >Affects Versions: 1.10.1, 1.11.0 >Reporter: Bart Krasinski >Assignee: Bart Krasinski >Priority: Critical > Fix For: 1.11.0, 1.10.2 > > > I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but > the previous version (1.10.0) works fine. > After some investigation it looks like during some refactoring, checking if > the enabled security method is kerberos was removed, effectively > reintroducing https://issues.apache.org/jira/browse/FLINK-5949 > > Refactoring commit: > [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137] > > My proposal would be to bring back the kerberos check: > {code:java} > loginUser.getAuthenticationMethod() == > UserGroupInformation.AuthenticationMethod.KERBEROS > {code} > and add an unit test for that case to prevent it from happening again > I'm happy to prepare a PR after reaching consensus -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (FLINK-18045) Newest version reintroduced a bug causing not working on secured MapR
[ https://issues.apache.org/jira/browse/FLINK-18045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17123595#comment-17123595 ] Till Rohrmann commented on FLINK-18045: --- Thanks for reporting this issue [~krasinski]. Your solution proposal sounds good to me. I just wanted to double check with [~rongr] whether there was a specific reason for removing {{loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS}} from the if statement. > Newest version reintroduced a bug causing not working on secured MapR > - > > Key: FLINK-18045 > URL: https://issues.apache.org/jira/browse/FLINK-18045 > Project: Flink > Issue Type: Bug > Components: Deployment / YARN >Affects Versions: 1.10.1, 1.11.0 >Reporter: Bart Krasinski >Priority: Critical > > I was not able to run Flink 1.10.1 on YARN on a a secured MapR cluster, but > the previous version (1.10.0) works fine. > After some investigation it looks like during some refactoring, checking if > the enabled security method is kerberos was removed, effectively > reintroducing https://issues.apache.org/jira/browse/FLINK-5949 > > Refactoring commit: > [https://github.com/apache/flink/commit/8751e69037d8a9b1756b75eed62a368c3ef29137] > > My proposal would be to bring back the kerberos check: > {code:java} > loginUser.getAuthenticationMethod() == > UserGroupInformation.AuthenticationMethod.KERBEROS > {code} > and add an unit test for that case to prevent it from happening again > I'm happy to prepare a PR after reaching consensus -- This message was sent by Atlassian Jira (v8.3.4#803005)