Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-5364

Rework JAAS configuration to support user-supplied entries

    Details

      Description

      Recent issues (see linked) have brought to light a critical deficiency in the handling of JAAS configuration.

      1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf used by stock Hadoop.
      2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable each element separately) but isn't.

      Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with our defaults, rather than using an all-or-nothing approach.

      We should also address some recent regressions:

      1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation, which:

      • handles the HADOOP_USER_NAME variable.
      • installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
      • picks up the HDFS/HBASE delegation tokens.

      2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket cache.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                eronwright Eron Wright
                Reporter:
                eronwright Eron Wright
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: