Flink on YARN checks for Kerberos credentials for non-Kerberos authentication methods

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 1.3.0, 1.2.1
    • Component/s: Security, YARN
    • Labels:
      None

      Description

      Reported in ML: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Flink-Yarn-and-MapR-Kerberos-issue-td11996.html

      The problem is that the Flink on YARN client incorrectly assumes UserGroupInformation.isSecurityEnabled() returns true only for Kerberos authentication modes, whereas it actually returns true for other kinds of authentication too.

      We could make use of UserGroupInformation.getAuthenticationMethod() to check for KERBEROS only.
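
The check proposed above, written out against Hadoop's `UserGroupInformation` API. This is an added example, not code from the Flink repository or the linked pull request; the class and method names (`KerberosPreflight`, `kerberosAssumedBroad`, `kerberosInUse`, `requireKerberosCredentials`) are hypothetical, and it assumes `hadoop-common` is on the classpath.

```java
import java.io.IOException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/** Added illustration; names here are hypothetical, not Flink's. */
public final class KerberosPreflight {

    /** The assumption described in the issue: "security enabled" means Kerberos. */
    static boolean kerberosAssumedBroad() {
        // Also true for non-Kerberos methods, e.g. the MapR setup in the
        // issue, where getAuthenticationMethod() reports CUSTOM.
        return UserGroupInformation.isSecurityEnabled();
    }

    /** The narrower test: security is on AND this user authenticates via Kerberos. */
    static boolean kerberosInUse(UserGroupInformation user) {
        return UserGroupInformation.isSecurityEnabled()
                && user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS;
    }

    /**
     * Fails closed on Kerberos clusters (no credentials means no submission),
     * while leaving other authentication methods to their own mechanisms.
     */
    static void requireKerberosCredentials(UserGroupInformation user) {
        if (kerberosInUse(user) && !user.hasKerberosCredentials()) {
            throw new IllegalStateException(
                    "Hadoop authentication is KERBEROS but user " + user.getUserName()
                    + " has no Kerberos credentials (run kinit or configure a keytab)");
        }
    }

    public static void main(String[] args) throws IOException {
        UserGroupInformation user = UserGroupInformation.getCurrentUser();
        // Print both views so a mismatch between them is visible in client logs.
        System.out.printf("broad check=%b, narrow check=%b, method=%s, krb creds=%b%n",
                kerberosAssumedBroad(),
                kerberosInUse(user),
                user.getAuthenticationMethod(),
                user.hasKerberosCredentials());
        requireKerberosCredentials(user);
        System.out.println("pre-flight credential check passed");
    }
}
```

When the broad check is true and the narrow check is false, the client is in the situation this issue describes: security is enabled, but demanding a Kerberos ticket would reject a correctly authenticated user.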

          Activity

          till.rohrmann Till Rohrmann added a comment -

          This should also be relevant for 1.3.0, right?

          tzulitai Tzu-Li (Gordon) Tai added a comment -

          Yes, indeed!

          githubbot ASF GitHub Bot added a comment -

          GitHub user tzulitai opened a pull request:

          https://github.com/apache/flink/pull/3528

          FLINK-5949 [yarn] Don't check Kerberos credentials for non-Kerberos…

          Additionally uses the `UserGroupInformation#getAuthenticationMethod()` to determine whether `KERBEROS` is used for authentication.

          This fixes issues MapR users have been bumping into, where only MapR's custom SSL security was enabled (no Kerberos), but the Kerberos credentials were still checked for. For MapR's SSL security, the `getAuthenticationMethod()` returns `CUSTOM` (see http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Flink-Yarn-and-MapR-Kerberos-issue-td11996.html).

          Also tested and confirmed that the change doesn't break previous Kerberos with YARN behaviours for other vendors, e.g. CDH.

          This change should also be backported for release-1.2.

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/tzulitai/flink FLINK-5949

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/flink/pull/3528.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #3528


          commit 738c0355476464b34f9919307f881b23e3579d4f
          Author: Tzu-Li (Gordon) Tai <tzulitai@apache.org>
          Date: 2017-03-14T05:42:26Z

          FLINK-5949 [yarn] Don't check Kerberos credentials for non-Kerberos authentication methods


          githubbot ASF GitHub Bot added a comment -

          Github user rmetzger commented on the issue:

          https://github.com/apache/flink/pull/3528

          +1 to merge

          githubbot ASF GitHub Bot added a comment -

          Github user tzulitai commented on the issue:

          https://github.com/apache/flink/pull/3528

          Thanks for the review
          Failing tests seem to be something instable with Maven.
          Merging this to `master` and `release-1.2` ..

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/flink/pull/3528

          tzulitai Tzu-Li (Gordon) Tai added a comment -

          Fixed for 1.3.0 with http://git-wip-us.apache.org/repos/asf/flink/commit/87779ad.
          Fixed for 1.2.1 with http://git-wip-us.apache.org/repos/asf/flink/commit/0c532ed.

            People

            • Assignee:
              tzulitai Tzu-Li (Gordon) Tai
              Reporter:
              tzulitai Tzu-Li (Gordon) Tai