[
https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15805599#comment-15805599
]
ASF GitHub Bot commented on FLINK-5364:
---------------------------------------
Github user EronWright commented on the issue:
https://github.com/apache/flink/pull/3057
@StephanEwen yes, this PR does the following:
1. isolate the configuration of kerberos credentials from how those
credentials are used
2. modularize the security code to reflect the independent aspects of
configuring Hadoop vs. JAAS based on the credential.
3. make explicit as to which JAAS login contexts are provided the cluster's
credential
4. incorporate the user-supplied JAAS (to satisfy the MapR scenario)
5. update `config.md` and `internals/security.md`
The main user impact is that one must explicitly share the credential with
specific contexts - the 'KafkaClient' login context, ZooKeeper 'Client'
context, etc, based on whether the corresponding service is kerberized.
Earlier we had tried to always share the credential to all JAAS contexts, but
this caused problems.
With this patch, I believe the design goal is met of allowing Kerberos to
be independently enabled for any external connection. For example, a
Kerberized Kafka + a non-Kerberized Hadoop is a valid scenario.
> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
> Key: FLINK-5364
> URL: https://issues.apache.org/jira/browse/FLINK-5364
> Project: Flink
> Issue Type: Bug
> Components: Cluster Management
> Reporter: Eron Wright
> Assignee: Eron Wright
> Priority: Critical
> Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the
> handling of JAAS configuration.
> 1. the MapR distribution relies on an explicit JAAS conf, rather than
> in-memory conf used by stock Hadoop.
> 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent
> (one can enable each element separately) but isn't.
> Perhaps we should rework the JAAS conf code to merge any user-supplied
> configuration with our defaults, rather than using an all-or-nothing
> approach.
> We should also address some recent regressions:
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to
> login with UserGroupInformation, which:
> - handles the HADOOP_USER_NAME variable.
> - installs an OS-specific user principal (from UnixLoginModule etc.)
> unrelated to Kerberos.
> - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and
> Kerberos ticket cache.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)