Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- None
Description
Recent issues (see linked) have brought to light a critical deficiency in the handling of JAAS configuration.
1. The MapR distribution relies on an explicit JAAS conf, rather than the in-memory conf used by stock Hadoop.
2. The ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable each element separately) but isn't.
Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with our defaults, rather than using an all-or-nothing approach.
We should also address some recent regressions:
1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation, which:
- handles the HADOOP_USER_NAME variable.
- installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
- picks up the HDFS/HBASE delegation tokens.
2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket cache.
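
One way to express the merge proposed above, as an added example that is not Flink's code: a JAAS `Configuration` that returns the user's entry for a name when one exists and otherwise falls back to a default registered only for an enabled component. The class name, the `Client`/`KafkaClient` entry names, the Krb5 options, and the keytab path and principal are assumptions or placeholders; `Map.of` needs Java 9 or later.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical class: layers per-entry defaults under a user-supplied JAAS configuration. */
public class MergedJaasConfiguration extends Configuration {
    private final Configuration userConf; // null when the user supplied no JAAS configuration
    private final Map<String, AppConfigurationEntry[]> defaults = new HashMap<>();

    public MergedJaasConfiguration(Configuration userConf) { this.userConf = userConf; }
    /** Register a default only for a component whose security is enabled. */
    public void addDefault(String name, AppConfigurationEntry... entries) { defaults.put(name, entries); }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] user = userConf == null ? null : userConf.getAppConfigurationEntry(name);
        if (user != null && user.length > 0) {
            return user; // a user-supplied entry always wins for its own name
        }
        return defaults.get(name); // null means "no such entry", per the JAAS contract
    }

    static AppConfigurationEntry krb5(Map<String, String> options) {
        return new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a user's JAAS file that defines only "KafkaClient".
        AppConfigurationEntry userEntry = krb5(Map.of("useKeyTab", "true",
                "keyTab", "/path/to/user.keytab", "principal", "user@EXAMPLE.COM")); // placeholders
        Configuration user = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "KafkaClient".equals(name) ? new AppConfigurationEntry[] {userEntry} : null;
            }
        };
        Map<String, String> ticketCache = Map.of("useTicketCache", "true", "doNotPrompt", "true");
        MergedJaasConfiguration merged = new MergedJaasConfiguration(user);
        merged.addDefault("Client", krb5(ticketCache));      // ZooKeeper client default
        merged.addDefault("KafkaClient", krb5(ticketCache)); // shadowed by the user's entry
        Configuration.setConfiguration(merged);
        for (String name : new String[] {"Client", "KafkaClient", "Server"}) {
            AppConfigurationEntry[] e = Configuration.getConfiguration().getAppConfigurationEntry(name);
            System.out.println(name + " -> " + (e == null ? "none" : e[0].getOptions()));
        }
    }
}
```

Running it prints the ticket-cache default for `Client`, the user's keytab entry for `KafkaClient`, and `none` for `Server`, so a name that neither side defines still fails closed at login time.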
Issue Links
- relates to
  - FLINK-5055 Security feature crashes JM for certain Hadoop versions even though using no Kerberos (Resolved)
  - FLINK-5379 Flink CliFrontend does not return when not logged in with kerberos (Resolved)
  - FLINK-5350 Don't overwrite existing Jaas config property (Closed)
  - FLINK-5361 Flink shouldn't require Kerberos credentials (Closed)