[
https://issues.apache.org/jira/browse/FLINK-5364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15813450#comment-15813450
]
ASF GitHub Bot commented on FLINK-5364:
---------------------------------------
Github user EronWright commented on a diff in the pull request:
https://github.com/apache/flink/pull/3057#discussion_r95283348
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/JaasModule.java
---
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.flink.runtime.security.modules;
+
+import org.apache.flink.annotation.Internal;
+import org.apache.flink.runtime.security.DynamicConfiguration;
+import org.apache.flink.runtime.security.KerberosUtils;
+import org.apache.flink.runtime.security.SecurityUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+
+/**
+ * Responsible for installing a process-wide JAAS configuration.
+ * <p>
+ * The installed configuration combines login modules based on:
+ * - the user-supplied JAAS configuration file, if any
+ * - a Kerberos keytab, if configured
+ * - any cached Kerberos credentials from the current environment
+ * <p>
+ * The module also installs a default JAAS config file (if necessary) for
+ * compatibility with ZK and Kafka. Note that the JRE actually draws on
numerous file locations.
+ * See:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html
+ * See:
https://github.com/apache/kafka/blob/0.9.0/clients/src/main/java/org/apache/kafka/common/security/kerberos/Login.java#L289
+ */
+@Internal
+public class JaasModule implements SecurityModule {
+
+ private static final Logger LOG =
LoggerFactory.getLogger(JaasModule.class);
+
+ static final String JAVA_SECURITY_AUTH_LOGIN_CONFIG =
"java.security.auth.login.config";
+
+ static final String JAAS_CONF_RESOURCE_NAME = "flink-jaas.conf";
+
+ private String priorConfigFile;
+ private javax.security.auth.login.Configuration priorConfig;
+
+ private DynamicConfiguration currentConfig;
+
+ @Override
+ public void install(SecurityUtils.SecurityConfiguration securityConfig)
{
+
+ // ensure that a config file is always defined, for
compatibility with
+ // ZK and Kafka which check for the system property and
existence of the file
+ priorConfigFile =
System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, null);
+ if (priorConfigFile == null) {
+ File configFile = generateDefaultConfigFile();
+ System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG,
configFile.getAbsolutePath());
+ }
+
+ // read the JAAS configuration file
+ priorConfig =
javax.security.auth.login.Configuration.getConfiguration();
+
+ // construct a dynamic JAAS configuration
+ currentConfig = new DynamicConfiguration(priorConfig);
+
+ // wire up the configured JAAS login contexts to use the krb5
entries
+ AppConfigurationEntry[] krb5Entries =
getAppConfigurationEntries(securityConfig);
+ if(krb5Entries != null) {
+ for (String app :
securityConfig.getLoginContextNames()) {
+ currentConfig.addAppConfigurationEntry(app,
krb5Entries);
+ }
+ }
+
+
javax.security.auth.login.Configuration.setConfiguration(currentConfig);
+ }
+
+ @Override
+ public void uninstall() {
+ if(priorConfigFile != null) {
+ System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG,
priorConfigFile);
+ } else {
+ System.clearProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
+ }
+
javax.security.auth.login.Configuration.setConfiguration(priorConfig);
+ }
+
+ public DynamicConfiguration getCurrentConfiguration() {
+ return currentConfig;
+ }
+
+ private static AppConfigurationEntry[]
getAppConfigurationEntries(SecurityUtils.SecurityConfiguration securityConfig) {
+
+ AppConfigurationEntry userKerberosAce = null;
+ if (securityConfig.useTicketCache()) {
+ userKerberosAce = KerberosUtils.ticketCacheEntry();
+ }
+ AppConfigurationEntry keytabKerberosAce = null;
+ if (securityConfig.getKeytab() != null) {
+ keytabKerberosAce =
KerberosUtils.keytabEntry(securityConfig.getKeytab(),
securityConfig.getPrincipal());
+ }
+
+ AppConfigurationEntry[] appConfigurationEntry;
+ if (userKerberosAce != null && keytabKerberosAce != null) {
+ appConfigurationEntry = new
AppConfigurationEntry[]{keytabKerberosAce, userKerberosAce};
+ } else if (keytabKerberosAce != null) {
+ appConfigurationEntry = new
AppConfigurationEntry[]{keytabKerberosAce};
+ } else if (userKerberosAce != null) {
+ appConfigurationEntry = new
AppConfigurationEntry[]{userKerberosAce};
+ } else {
+ return null;
+ }
+
+ return appConfigurationEntry;
+ }
+
+ /**
+ * Generate the default JAAS config file.
+ */
+ private static File generateDefaultConfigFile() {
+ // load Jaas config file to initialize SASL
+ final File jaasConfFile;
+ try {
+ Path jaasConfPath = Files.createTempFile("jaas-",
".conf");
+ try (InputStream resourceStream =
JaasModule.class.getClassLoader().getResourceAsStream(JAAS_CONF_RESOURCE_NAME))
{
+ Files.copy(resourceStream, jaasConfPath,
StandardCopyOption.REPLACE_EXISTING);
+ }
+ jaasConfFile = jaasConfPath.toFile();
+ jaasConfFile.deleteOnExit();
+ } catch (IOException e) {
+ throw new RuntimeException("unable to generate a JAAS
configuration file", e);
--- End diff --
In this case, I do consider a failure to generate the default config a
programming error; it simply extracts an in-built resource as a temp file. I
definitely agree with your general point.
> Rework JAAS configuration to support user-supplied entries
> ----------------------------------------------------------
>
> Key: FLINK-5364
> URL: https://issues.apache.org/jira/browse/FLINK-5364
> Project: Flink
> Issue Type: Bug
> Components: Cluster Management
> Reporter: Eron Wright
> Assignee: Eron Wright
> Priority: Critical
> Labels: kerberos, security
>
> Recent issues (see linked) have brought to light a critical deficiency in the
> handling of JAAS configuration.
> 1. the MapR distribution relies on an explicit JAAS conf, rather than
> in-memory conf used by stock Hadoop.
> 2. the ZK/Kafka/Hadoop security configuration is supposed to be independent
> (one can enable each element separately) but isn't.
> Perhaps we should rework the JAAS conf code to merge any user-supplied
> configuration with our defaults, rather than using an all-or-nothing
> approach.
> We should also address some recent regressions:
> 1. The HadoopSecurityContext should be installed regardless of auth mode, to
> login with UserGroupInformation, which:
> - handles the HADOOP_USER_NAME variable.
> - installs an OS-specific user principal (from UnixLoginModule etc.)
> unrelated to Kerberos.
> - picks up the HDFS/HBASE delegation tokens.
> 2. Fix the use of alternative authentication methods - delegation tokens and
> Kerberos ticket cache.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
