[
https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15496154#comment-15496154
]
ASF GitHub Bot commented on FLINK-3929:
---------------------------------------
Github user mxm commented on a diff in the pull request:
https://github.com/apache/flink/pull/2275#discussion_r79155885
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/security/SecurityContext.java
---
@@ -158,22 +157,37 @@ public static void install(SecurityConfiguration
config) throws Exception {
}
/*
- * This is a temporary fix to support both Kafka and ZK client libraries
- * that are expecting the system variable to determine secure cluster
+ * This method configures some of the system property that are require
for ZK and Kafka SASL authentication
+ * See:
https://github.com/apache/kafka/blob/0.9.0/clients/src/main/java/org/apache/kafka/common/security/kerberos/Login.java#L289
+ * See:
https://github.com/sgroschupf/zkclient/blob/master/src/main/java/org/I0Itec/zkclient/ZkClient.java#L900
+ * In this method, setting java.security.auth.login.config
configuration is temporary hack only to support ZK and
+ * Kafka current code behavior
*/
- private static void populateJaasConfigSystemProperty(Configuration
configuration) {
+ private static void populateSystemSecurityProperties(Configuration
configuration) {
- //hack since Kafka Login Handler explicitly looks for the
property or else it throws an exception
-
//https://github.com/apache/kafka/blob/0.9.0/clients/src/main/java/org/apache/kafka/common/security/kerberos/Login.java#L289
- if(null == configuration) {
- System.setProperty("java.security.auth.login.config",
"");
+ //required to be empty for Kafka but we will override the
property
+ //with pseudo JAAS configuration file if SASL auth is enabled
for ZK
+ System.setProperty("java.security.auth.login.config", "");
+
+ if(configuration == null) {
+ return;
+ }
+
+ boolean disableSaslClient =
configuration.getBoolean(ConfigConstants.ZOOKEEPER_SASL_DISABLE,
+ ConfigConstants.DEFAULT_ZOOKEEPER_SASL_DISABLE);
+ if(disableSaslClient) {
+ LOG.info("SASL client auth for ZK will be disabled");
+ //SASL auth is disabled by default but will be enabled
if specified in configuration
+ System.setProperty("zookeeper.sasl.client","false");
--- End diff --
This is to disable SASL with Zookeeper if a Jaas configuration is used but
Zookeeper is not configured to use it?
> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
> Key: FLINK-3929
> URL: https://issues.apache.org/jira/browse/FLINK-3929
> Project: Flink
> Issue Type: New Feature
> Reporter: Eron Wright
> Assignee: Vijay Srinivasaraghavan
> Labels: kerberos, security
> Original Estimate: 672h
> Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
> design doc._
> Add support for a keytab credential to be associated with the Flink cluster,
> to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
