[jira] [Commented] (FLINK-5055) Security feature crashes JM for certain Hadoop versions even though using no Kerberos

Fri, 11 Nov 2016 06:30:48 -0800 

    [ 
https://issues.apache.org/jira/browse/FLINK-5055?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15657184#comment-15657184
 ] 

Vijay Srinivasaraghavan commented on FLINK-5055:
------------------------------------------------

Flink security context gets initialized during the application start phase. As 
part of the initialization, the UserGroupInformation (UGI) instance is 
bootstrapped using the Hadoop configuration files (read: HADOOP_CONF_DIR or 
YARN_CONF_DIR environment variable is set). If the hadoop configuration 
(core-site) enables security, then the UGI context uses JAAS module to 
load/login through Kerberos. It appears in this case, the Hadoop configurations 
that got loaded somehow has the security configurations enabled and UGI is 
trying to obtain the identity using keytab cache.

> Security feature crashes JM for certain Hadoop versions even though using no 
> Kerberos
> -------------------------------------------------------------------------------------
>
>                 Key: FLINK-5055
>                 URL: https://issues.apache.org/jira/browse/FLINK-5055
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0
>            Reporter: Till Rohrmann
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> A user reported [1] that the {{JobManager}} does not start when using Flink 
> with Hadoop-2.7.0-mapr-1607 and no security activated because of 
> {code}
> javax.security.auth.login.LoginException: Unable to obtain Principal Name for 
> authentication
>         at 
> com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> {code}
> It seems that this Hadoop version always tries to login via Kerberos even 
> though the user did not activate it and, thus, should use 
> {{AuthenticationMode.SIMPLE}}.
> I'm not really familiar with the security feature, but my understanding is 
> that it should not have any effect on Flink when not activated. I might be 
> wrong here, but if not, then we should fix this problem for 1.2.0 because it 
> prevents people from using Flink.
> [1] 
> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/Flink-using-Yarn-on-MapR-td14484.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to