Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-5350

Don't overwrite existing Jaas config property

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 1.2.0, 1.3.0
    • Component/s: Security
    • Labels:
      None

      Description

      If an existing Jaas configuration has been specified via the property java.security.auth.login.config, it should be used instead of overwriting the property.

        Issue Links

          Activity

          Hide
          StephanEwen Stephan Ewen added a comment -

          Fixed in

          • 1.2.0 via 00193f7e238340cc18c57a44c7e6377432839373
          • 1.3.0 via fc3a778c0cafe1adc9efbd8796a8bd64122e4ad2
          Show
          StephanEwen Stephan Ewen added a comment - Fixed in 1.2.0 via 00193f7e238340cc18c57a44c7e6377432839373 1.3.0 via fc3a778c0cafe1adc9efbd8796a8bd64122e4ad2
          Hide
          eronwright Eron Wright added a comment - - edited

          I think we need to revisit how to accomplish this.

          Flink installs a JAAS configuration in oder to provide a default JAAS AppConfigurationEntry based on the configured keytab (and ticket cache too). The ideal design would allow the user to provide a JAAS config without losing the defaults. One approach may be to obtain the default configuration instance (which reads from the JAAS config file) then wrap the instance in a Flink configuration instance that provides default entries.

          Show
          eronwright Eron Wright added a comment - - edited I think we need to revisit how to accomplish this. Flink installs a JAAS configuration in oder to provide a default JAAS AppConfigurationEntry based on the configured keytab (and ticket cache too). The ideal design would allow the user to provide a JAAS config without losing the defaults. One approach may be to obtain the default configuration instance (which reads from the JAAS config file) then wrap the instance in a Flink configuration instance that provides default entries.
          Hide
          githubbot ASF GitHub Bot added a comment -

          Github user EronWright commented on the issue:

          https://github.com/apache/flink/pull/3017

          @mxm please consider adding me as a reviewer for changes to the security subsystem in the near term. I believe this PR introduces a regression where it fails to install a Hadoop security context for "ticket cache" and "delegation token" scenarios (which don't rely on a keytab).

          Show
          githubbot ASF GitHub Bot added a comment - Github user EronWright commented on the issue: https://github.com/apache/flink/pull/3017 @mxm please consider adding me as a reviewer for changes to the security subsystem in the near term. I believe this PR introduces a regression where it fails to install a Hadoop security context for "ticket cache" and "delegation token" scenarios (which don't rely on a keytab).
          Hide
          mxm Maximilian Michels added a comment -

          Fixed with 0506a63c8a7e50a0eaf66cd0bbec42e2fac5017c

          Show
          mxm Maximilian Michels added a comment - Fixed with 0506a63c8a7e50a0eaf66cd0bbec42e2fac5017c
          Hide
          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/flink/pull/3017

          Show
          githubbot ASF GitHub Bot added a comment - Github user asfgit closed the pull request at: https://github.com/apache/flink/pull/3017
          Hide
          githubbot ASF GitHub Bot added a comment -

          Github user mxm commented on the issue:

          https://github.com/apache/flink/pull/3017

          Thank you @theomega. Merging.

          Show
          githubbot ASF GitHub Bot added a comment - Github user mxm commented on the issue: https://github.com/apache/flink/pull/3017 Thank you @theomega. Merging.
          Hide
          githubbot ASF GitHub Bot added a comment -

          Github user theomega commented on the issue:

          https://github.com/apache/flink/pull/3017

          Tested: Works and fixes the underlying issue that one cannot use its own JAAS configuration file.

          Show
          githubbot ASF GitHub Bot added a comment - Github user theomega commented on the issue: https://github.com/apache/flink/pull/3017 Tested: Works and fixes the underlying issue that one cannot use its own JAAS configuration file.
          Hide
          theomega Dominik Bruhn added a comment -

          I was running into this bug because I needed to use SASL/PLAIN on my Kafka connections. Without this PR, it is not possible to provide an own JAAS config property.

          I tried out the PR works perfect and fixes the issues for me.

          Would be happy to have this merged for 1.2

          Show
          theomega Dominik Bruhn added a comment - I was running into this bug because I needed to use SASL/PLAIN on my Kafka connections. Without this PR, it is not possible to provide an own JAAS config property. I tried out the PR works perfect and fixes the issues for me. Would be happy to have this merged for 1.2
          Hide
          githubbot ASF GitHub Bot added a comment -

          GitHub user mxm opened a pull request:

          https://github.com/apache/flink/pull/3017

          FLINK-5350 don't overwrite an existing JAAS config

          Users may want to use SASL/PLAIN https://tools.ietf.org/html/rfc4616 without Kerberos.

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/mxm/flink FLINK-5350

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/flink/pull/3017.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #3017


          commit 67c154666779609dacca2073fc70c5b7726435b7
          Author: Maximilian Michels <mxm@apache.org>
          Date: 2016-12-15T14:29:21Z

          FLINK-5350 don't overwrite an existing JAAS config


          Show
          githubbot ASF GitHub Bot added a comment - GitHub user mxm opened a pull request: https://github.com/apache/flink/pull/3017 FLINK-5350 don't overwrite an existing JAAS config Users may want to use SASL/PLAIN https://tools.ietf.org/html/rfc4616 without Kerberos. You can merge this pull request into a Git repository by running: $ git pull https://github.com/mxm/flink FLINK-5350 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/flink/pull/3017.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #3017 commit 67c154666779609dacca2073fc70c5b7726435b7 Author: Maximilian Michels <mxm@apache.org> Date: 2016-12-15T14:29:21Z FLINK-5350 don't overwrite an existing JAAS config

            People

            • Assignee:
              mxm Maximilian Michels
              Reporter:
              mxm Maximilian Michels
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development