ASF GitHub Bot commented on FLINK-3929: --------------------------------------- Github user vijikarthi commented on a diff in the pull request: https://github.com/apache/flink/pull/2275#discussion_r73012870 --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/security/JaasConfiguration.java --- 
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.runtime.security;
+
+import org.apache.flink.annotation.Internal;
+import org.apache.flink.util.Preconditions;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import java.io.File;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ *
+ * JAAS configuration provider object that provides default LoginModule for various connectors that supports
+ * JAAS/SASL based Kerberos authentication. The implementation is inspired from Hadoop UGI class.
+ *
+ * Different connectors uses different login module name to implement JAAS based authentication support.
+ * For example, Kafka expects the login module name to be "kafkaClient" whereas ZooKeeper expect the
+ * name to be "client". This sets onus on the Flink cluster administrator to configure/provide right
+ * JAAS config entries. To simplify this requirement, we have introduced this abstraction that provides
+ * a standard lookup to get the login module entry for the JAAS based authentication to work.
+ *
+ * HDFS connector will not be impacted with this configuration since it uses UGI based mechanism to authenticate.
+ *
+ * <a href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/Configuration.html">Configuration</a>
+ *
+ */
+
+@Internal
+public class JaasConfiguration extends Configuration {
+
+ private static final Logger LOG = LoggerFactory.getLogger(JaasConfiguration.class);
+
+ public static final String JAVA_VENDOR_NAME = System.getProperty("java.vendor");
+
+ public static final boolean IBM_JAVA;
+
+ static {
+ IBM_JAVA = JAVA_VENDOR_NAME.contains("IBM");
+ }
+
+ public JaasConfiguration(String keytab, String principal) {
+
+ LOG.info("Initializing JAAS configuration instance. Parameters: {}, {}", keytab, principal);
+
+ if(!Preconditions.isNullOrEmpty(keytab) && !Preconditions.isNullOrEmpty(principal)) {
+
+ if(IBM_JAVA) {
+ keytabKerberosOptions.put("useKeytab", prependFileUri(keytab));
+ keytabKerberosOptions.put("credsType", "both");
+ } else {
+ keytabKerberosOptions.put("keyTab", keytab);
+ keytabKerberosOptions.put("doNotPrompt", "true");
+ keytabKerberosOptions.put("useKeyTab", "true");
+ keytabKerberosOptions.put("storeKey", "true");
+ }
+
+ keytabKerberosOptions.put("principal", principal);
+ keytabKerberosOptions.put("refreshKrb5Config", "true");
+ keytabKerberosOptions.putAll(debugOptions);
+
+ keytabKerberosAce = new AppConfigurationEntry(
+ KerberosUtil.getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ keytabKerberosOptions);
+ }
+ }
+
+ private static final Map<String, String> debugOptions = new HashMap<>();
+
+ private static final Map<String, String> kerberosCacheOptions = new HashMap<>();
+
+ private static final Map<String, String> keytabKerberosOptions = new HashMap<>();
+
+ private static final AppConfigurationEntry userKerberosAce;
+
+ private AppConfigurationEntry keytabKerberosAce = null;
+
+ public static Map<String, String> getKeytabKerberosOptions() {
+ return keytabKerberosOptions;
+ }
+
+ private static String prependFileUri(String keytabPath) {
+ File f = new File(keytabPath);
+ return f.toURI().toString();
+ }
+
+ static {
--- End diff -- Didn't realized that. Yes, will be combined > Support for Kerberos Authentication with Keytab Credential > ---------------------------------------------------------- > > Key: FLINK-3929 > URL: https://issues.apache.org/jira/browse/FLINK-3929 > Project: Flink > Issue Type: New Feature > Reporter: Eron Wright > Assignee: Vijay Srinivasaraghavan > Labels: kerberos, security > Original Estimate: 672h > Remaining Estimate: 672h > > _This issue is part of a series of improvements detailed in the [Secure Data > Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing] > design doc._ > Add support for a keytab credential to be associated with the Flink cluster, > to facilitate: > - Kerberos-authenticated data access for connectors > - Kerberos-authenticated ZooKeeper access > Support both the standalone and YARN deployment modes. > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
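Review bot: `getKeytabKerberosOptions()` hands out the live static `keytabKerberosOptions` map that the constructor just filled with the keytab path, principal and login flags, so any caller can rewrite the Kerberos login options after the `AppConfigurationEntry` has been built; as far as I recall `AppConfigurationEntry` keeps only an unmodifiable view over the map it is given rather than a copy, so such edits would be seen by the login module. Returning `Collections.unmodifiableMap(keytabKerberosOptions)` (with `java.util.Collections` added to the imports) closes that hole. Related: the options map is static while `keytabKerberosAce` is an instance field, so constructing a second `JaasConfiguration` with a different keytab or principal silently overwrites the entries the first instance's `AppConfigurationEntry` still refers to; holding the map per instance would avoid that. The class body, including the trailing `static {` block, continues past the end of the hunk.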