You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Tzu-Li (Gordon) Tai (JIRA)" <ji...@apache.org> on 2017/01/19 16:32:26 UTC
[jira] [Updated] (FLINK-5579) Kerberos not working for Kafka
connector using ticket cache
[ https://issues.apache.org/jira/browse/FLINK-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tzu-Li (Gordon) Tai updated FLINK-5579:
---------------------------------------
Description:
The Kerberos ticket cache doesn't seem to be picked up / sent to TaskManager containers when using the Kafka connector when deployed on YARN (when deployed using standalone, this works normally).
{code}
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:74)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:60)
at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:79)
at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:271)
... 23 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:675)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:588)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.kafka.common.security.kerberos.Login.login(Login.java:298)
at org.apache.kafka.common.security.kerberos.Login.<init>(Login.java:104)
at org.apache.kafka.common.security.kerberos.LoginManager.<init>(LoginManager.java:44)
at org.apache.kafka.common.security.kerberos.LoginManager.acquireLoginManager(LoginManager.java:85)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:55)
... 26 more
{code}
was:
The Kerberos ticket cache doesn't seem to be picked up / sent to TaskManager containers when using the Kafka connector when deployed on YARN (when deployed using standalone, this works normally).
```
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:74)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:60)
at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:79)
at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:271)
... 23 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:675)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:588)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.kafka.common.security.kerberos.Login.login(Login.java:298)
at org.apache.kafka.common.security.kerberos.Login.<init>(Login.java:104)
at org.apache.kafka.common.security.kerberos.LoginManager.<init>(LoginManager.java:44)
at org.apache.kafka.common.security.kerberos.LoginManager.acquireLoginManager(LoginManager.java:85)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:55)
... 26 more
```
> Kerberos not working for Kafka connector using ticket cache
> -----------------------------------------------------------
>
> Key: FLINK-5579
> URL: https://issues.apache.org/jira/browse/FLINK-5579
> Project: Flink
> Issue Type: Bug
> Components: Security, YARN
> Reporter: Tzu-Li (Gordon) Tai
> Assignee: Tzu-Li (Gordon) Tai
> Priority: Critical
>
> The Kerberos ticket cache doesn't seem to be picked up / sent to TaskManager containers when using the Kafka connector when deployed on YARN (when deployed using standalone, this works normally).
> {code}
> Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
> at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:74)
> at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:60)
> at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:79)
> at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:271)
> ... 23 more
> Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
> at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:804)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:675)
> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:588)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
> at org.apache.kafka.common.security.kerberos.Login.login(Login.java:298)
> at org.apache.kafka.common.security.kerberos.Login.<init>(Login.java:104)
> at org.apache.kafka.common.security.kerberos.LoginManager.<init>(LoginManager.java:44)
> at org.apache.kafka.common.security.kerberos.LoginManager.acquireLoginManager(LoginManager.java:85)
> at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:55)
> ... 26 more
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)