flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-4287) Unable to access secured HBase from a yarn-session.
Date Mon, 01 Aug 2016 13:56:20 GMT

    [ https://issues.apache.org/jira/browse/FLINK-4287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402067#comment-15402067
] 

ASF GitHub Bot commented on FLINK-4287:
---------------------------------------

Github user zentol commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2317#discussion_r72981367
  
    --- Diff: flink-dist/src/main/flink-bin/yarn-bin/yarn-session.sh ---
    @@ -52,5 +52,5 @@ log_setting="-Dlog.file="$log" -Dlog4j.configuration=file:"$FLINK_CONF_DIR"/log4
     
     export FLINK_CONF_DIR
     
    -$JAVA_RUN $JVM_ARGS -classpath $CC_CLASSPATH:$HADOOP_CLASSPATH:$HADOOP_CONF_DIR:$YARN_CONF_DIR
 $log_setting org.apache.flink.yarn.cli.FlinkYarnSessionCli -j $FLINK_LIB_DIR/flink-dist*.jar
"$@"
    --- End diff --
    
    Why did you change the qualified name of the `FlinkYarnSessionCli` ?


> Unable to access secured HBase from a yarn-session.
> ---------------------------------------------------
>
>                 Key: FLINK-4287
>                 URL: https://issues.apache.org/jira/browse/FLINK-4287
>             Project: Flink
>          Issue Type: Improvement
>          Components: YARN Client
>    Affects Versions: 1.0.3
>            Reporter: Niels Basjes
>            Assignee: Niels Basjes
>
> When I start {{yarn-session.sh -n1}} against a Kerberos secured Yarn+HBase cluster I
see this in the messages:
> {quote}
> 2016-08-01 09:53:01,763 INFO  org.apache.flink.yarn.Utils                           
       - Attempting to obtain Kerberos security token for HBase
> 2016-08-01 09:53:01,763 INFO  org.apache.flink.yarn.Utils                           
       - HBase is not available (not packaged with this application): ClassNotFoundException
: "org.apache.hadoop.hbase.HBaseConfiguration".
> {quote}
> as a consequence it has become impossible to access a secured HBase from this yarn session.
> From what I see now at least two things need to be done:
> # Add all relevant HBase parts to the yarn-session.sh scripting.
> # Add an optional option to pass principle and keytab file so the session can last longer
than the time the Kerberos tickets last. (i.e pass these parameters into a call to {{UserGroupInformation.loginUserFromKeytab(user,
keytabFile);}})
> I do see that this would leave an important problem open:
> This yarnsession is accessible by everyone on the cluster and as a consequence they can
run jobs in there that can access all data I have access to. Perhaps this should be a separate
jira issue?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message