flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-5364) Rework JAAS configuration to support user-supplied entries
Date Wed, 04 Jan 2017 05:20:58 GMT

    [ https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15797211#comment-15797211 ]

ASF GitHub Bot commented on FLINK-5364:
---------------------------------------

GitHub user EronWright opened a pull request:

    https://github.com/apache/flink/pull/3057

    [FLINK-5364] Rework JAAS configuration to support user-supplied entries

    Fixes FLINK-5364, FLINK-5361, FLINK-5350, FLINK-5055
    
    CC @tillrohrmann 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/EronWright/flink feature-FLINK-5364-rebase

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/3057.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #3057
    
----
commit 4acf43624c16627aaa89560c8361fe4bf9a19fa6
Author: wrighe3 <eron.wright@emc.com>
Date:   2016-12-20T09:07:38Z

    [FLINK-5364] Rework JAAS configuration to support user-supplied entries
    
    Fixes FLINK-5364, FLINK-5361, FLINK-5350, FLINK-5055

commit 2d56de9fe1da2e0ecdfd02498b71a8477e9295b3
Author: wrighe3 <eron.wright@emc.com>
Date:   2017-01-04T05:18:12Z

    [FLINK-5364] Rework JAAS configuration to support user-supplied entries
    
    Minor fixes and doc changes.

----


> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
>                 Key: FLINK-5364
>                 URL: https://issues.apache.org/jira/browse/FLINK-5364
>             Project: Flink
>          Issue Type: Bug
>          Components: Cluster Management
>            Reporter: Eron Wright 
>            Assignee: Eron Wright 
>            Priority: Critical
>              Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the handling of JAAS configuration.
> 1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf used by stock Hadoop.
> 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable each element separately) but isn't.
> Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with our defaults, rather than using an all-or-nothing approach.
> We should also address some recent regressions:
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation, which:
> - handles the HADOOP_USER_NAME variable.
> - installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
> - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket cache.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
