[ https://issues.apache.org/jira/browse/FLINK-6117?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940665#comment-15940665 ]
ASF GitHub Bot commented on FLINK-6117:
---------------------------------------

Github user EronWright commented on the issue:

https://github.com/apache/flink/pull/3600

To recap, when the ZK server is configured to use SASL, the client is challenged accordingly. The client checks for a login entry in the JAAS config to obtain a Kerberos credential, and issues a warning if one isn't found.

SASL may be explicitly disabled on the client using the system property `zookeeper.sasl.clientconfig`. Flink provides a configuration setting with which to disable SASL on the client, which causes the system property to be set.

_I cannot think of why the default value would be 'true'._ The behavior of 1.2.0 is that the default is 'false' (because it effectively wasn't implemented). Maybe the default should remain 'false'?

> 'zookeeper.sasl.disable' not takes effect when starting CuratorFramework
> ------------------------------------------------------------------------
>
> Key: FLINK-6117
> URL: https://issues.apache.org/jira/browse/FLINK-6117
> Project: Flink
> Issue Type: Bug
> Components: Client, JobManager
> Affects Versions: 1.2.0
> Environment: Ubuntu, non-secured
> Reporter: CanBin Zheng
> Assignee: CanBin Zheng
> Labels: security
> Original Estimate: 336h
> Remaining Estimate: 336h
>
> The value of 'zookeeper.sasl.disable' is not used in the right way when starting
> CuratorFramework.
> Here are all the settings relevant to high-availability in my flink-conf.yaml:
> high-availability: zookeeper
> high-availability.zookeeper.quorum: localhost:2181
> high-availability.zookeeper.storageDir: hdfs:///flink/ha/
> Obviously, no explicit value is set for 'zookeeper.sasl.disable', so the default
> value of 'true' (ConfigConstants.DEFAULT_ZOOKEEPER_SASL_DISABLE) would be
> applied. But when FlinkYarnSessionCli & FlinkApplicationMasterRunner start,
> both logs show that they attempt connecting to zookeeper in 'SASL' mode.
> Logs are like this:
> 2017-03-18 23:53:10,498 INFO org.apache.zookeeper.ZooKeeper
> - Initiating client connection, connectString=localhost:2181
> sessionTimeout=60000
> watcher=org.apache.flink.shaded.org.apache.curator.ConnectionState@5949eba8
> 2017-03-18 23:53:10,498 INFO org.apache.zookeeper.ZooKeeper
> - Initiating client connection, connectString=localhost:2181
> sessionTimeout=60000
> watcher=org.apache.flink.shaded.org.apache.curator.ConnectionState@5949eba8
> 2017-03-18 23:53:10,522 WARN org.apache.zookeeper.ClientCnxn
> - SASL configuration failed:
> javax.security.auth.login.LoginException: No JAAS configuration section named
> 'Client' was found in specified JAAS configuration file:
> '/tmp/jaas-3047036396963510842.conf'. Will continue connection to Zookeeper
> server without SASL authentication, if Zookeeper server allows it.
> 2017-03-18 23:53:10,522 WARN org.apache.zookeeper.ClientCnxn
> - SASL configuration failed:
> javax.security.auth.login.LoginException: No JAAS configuration section named
> 'Client' was found in specified JAAS configuration file:
> '/tmp/jaas-3047036396963510842.conf'. Will continue connection to Zookeeper
> server without SASL authentication, if Zookeeper server allows it.
> 2017-03-18 23:53:10,530 INFO org.apache.zookeeper.ClientCnxn
> - Opening socket connection to server localhost/127.0.0.1:2181
> 2017-03-18 23:53:10,530 INFO org.apache.zookeeper.ClientCnxn
> - Opening socket connection to server localhost/127.0.0.1:2181
> 2017-03-18 23:53:10,534 ERROR
> org.apache.flink.shaded.org.apache.curator.ConnectionState -
> Authentication failed

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
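
A log check for the behaviour shown in the quoted excerpt, as an added example that is not part of the original message or of Flink: it finds the ZooKeeper client's SASL setup failure, records whether the client announced a fallback to an unauthenticated connection, and whether an `Authentication failed` error followed. The sample input is constructed from the issue's excerpt with wrapped entries rejoined onto one line; the function and field names are hypothetical.

```python
import re

# Constructed sample: entries from the issue's excerpt, rejoined onto single
# lines. The WARN entry is repeated because the excerpt shows it twice.
SASL_WARN = (
    "2017-03-18 23:53:10,522 WARN org.apache.zookeeper.ClientCnxn - SASL configuration failed: "
    "javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' "
    "was found in specified JAAS configuration file: '/tmp/jaas-3047036396963510842.conf'. "
    "Will continue connection to Zookeeper server without SASL authentication, "
    "if Zookeeper server allows it."
)
SAMPLE_LOG = "\n".join([
    "2017-03-18 23:53:10,498 INFO org.apache.zookeeper.ZooKeeper - Initiating client connection, connectString=localhost:2181 sessionTimeout=60000",
    SASL_WARN, SASL_WARN,
    "2017-03-18 23:53:10,530 INFO org.apache.zookeeper.ClientCnxn - Opening socket connection to server localhost/127.0.0.1:2181",
    "2017-03-18 23:53:10,534 ERROR org.apache.flink.shaded.org.apache.curator.ConnectionState - Authentication failed",
])

ENTRY = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
NO_SECTION = re.compile(r"No JAAS configuration section named '(?P<section>[^']+)' was found "
                        r"in specified JAAS configuration file: '(?P<file>[^']+)'")

def find_sasl_fallbacks(log_text):
    """Return one finding per distinct ZooKeeper client SASL setup failure."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or line in seen:      # skip unparsable and duplicated entries
            continue
        seen.add(line)
        msg = m["msg"]
        if m["logger"].endswith("ClientCnxn") and "SASL configuration failed" in msg:
            sec = NO_SECTION.search(msg)
            findings.append({
                "time": m["ts"],
                "jaas_section": sec["section"] if sec else None,
                "jaas_file": sec["file"] if sec else None,
                # The client says it will proceed without authenticating.
                "fallback_unauthenticated": "without SASL authentication" in msg,
                "auth_failed_after": False,
            })
        elif m["level"] == "ERROR" and "Authentication failed" in msg and findings:
            findings[-1]["auth_failed_after"] = True   # tie the error to the last failure
    return findings

if __name__ == "__main__":
    for finding in find_sasl_fallbacks(SAMPLE_LOG):
        print(finding)
```
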