Posted to user@flink.apache.org by Timo Walther <tw...@apache.org> on 2018/03/26 09:35:20 UTC
Re: Issue in Flink/Zookeeper authentication via Kerberos
Hi Sarthak,
I'm not a Kerberos expert but maybe Eron or Shuyi are more familiar with
the details?
Would be great if somebody could help.
Thanks,
Timo
On 22.03.18 at 10:16, Sahu, Sarthak 1. (Nokia - IN/Bangalore) wrote:
>
> Hi Folks,
>
> *Environment Setup:*
>
> 1. I have configured a KDC 5 server.
> 2. Configured Kerberos in zookeeper-3.4.10 wherein I am able to
> connect ZooKeeper Server/Client via Kerberos authentication.
> 3. Now flink-1.4.0 has been configured for Kerberos authentication as per
> the instructions below.
>
> * https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security
> * https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security-1
>
> *Success Scenario:*
>
> 1. All Kerberos configuration parameters are correct and
> flink/zookeeper are able to connect through TGT.
>
> *Problem:*
>
> 1. Even if wrong Kerberos credentials are given, flink is able to connect to
> ZooKeeper.
>
> Please find the taskmanager/jobmanager logs and flink config file for
> both scenarios attached.
>
> Hoping for quick resolution.
>
> Regards
>
> Sarthak Sahu
>
Re: Issue in Flink/Zookeeper authentication via Kerberos
Posted by Shuyi Chen <su...@gmail.com>.
Hi Sarthak,
Happy to help. Could you please share the jobmanager/taskmanager log and
flink conf again?
Also, Flink 1.4.0 has a regression on kerberos security (keytab path in
TaskManager is set incorrectly), which is fixed in 1.4.1. (see
https://issues.apache.org/jira/browse/FLINK-8275)
Shuyi
On Mon, Apr 2, 2018 at 3:44 PM, Shuyi Chen <su...@gmail.com> wrote:
> Hi Sarthak,
>
> Happy to help. Could you please share the jobmanager/taskmanager log and
> flink conf again?
>
> Also, Flink 1.4.0 has a regression on kerberos security (keytab path in
> TaskManager is set incorrectly), which is fixed in 1.4.1. (see
> https://issues.apache.org/jira/browse/FLINK-8275)
>
> Shuyi
>
> On Mon, Mar 26, 2018 at 2:35 AM, Timo Walther <tw...@apache.org> wrote:
>
>> Hi Sarthak,
>>
>> I'm not a Kerberos expert but maybe Eron or Shuyi are more familiar with
>> the details?
>>
>> Would be great if somebody could help.
>>
>> Thanks,
>> Timo
>>
>> On 22.03.18 at 10:16, Sahu, Sarthak 1. (Nokia - IN/Bangalore) wrote:
>>
>> Hi Folks,
>>
>> *Environment Setup:*
>>
>> 1. I have configured a KDC 5 server.
>> 2. Configured Kerberos in zookeeper-3.4.10 wherein I am able to
>> connect ZooKeeper Server/Client via Kerberos authentication.
>> 3. Now flink-1.4.0 has been configured for Kerberos authentication as per
>> the instructions below.
>>
>> - https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security
>> - https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security-1
>>
>> *Success Scenario:*
>>
>> 1. All Kerberos configuration parameters are correct and
>> flink/zookeeper are able to connect through TGT.
>>
>> *Problem:*
>>
>> 1. Even if wrong Kerberos credentials are given, flink is able to connect to
>> ZooKeeper.
>>
>> Please find the taskmanager/jobmanager logs and flink config file for both
>> scenarios attached.
>>
>> Hoping for quick resolution.
>>
>> Regards
>>
>> Sarthak Sahu
>>
>
> --
> "So you have to trust that the dots will somehow connect in your future."
>
--
"So you have to trust that the dots will somehow connect in your future."
Re: Issue in Flink/Zookeeper authentication via Kerberos
Posted by Eron Wright <er...@gmail.com>.
I believe that the solution here is to ensure that the znodes created by
Flink have an ACL that allows access only to the original creator. For
example, if a given Flink job has a Kerberos identity of "user1@example.com",
it should set the znode ACL appropriately to disallow access to any client
that doesn't successfully authenticate as that user. This may be
accomplished with the following Flink configuration setting:
high-availability.zookeeper.client.acl: creator
Some code links:
- https://github.com/apache/flink/blob/release-1.4.2/flink-core/src/main/java/org/apache/flink/configuration/HighAvailabilityOptions.java#L171
- https://github.com/apache/flink/blob/release-1.4.2/flink-runtime/src/main/java/org/apache/flink/runtime/util/ZooKeeperUtils.java#L93
Hope this helps!
Eron
On Sun, Apr 15, 2018 at 2:16 AM, Sahu, Sarthak 1. (Nokia - IN/Bangalore) <
sarthak.1.sahu@nokia.com> wrote:
> Glad to get the reply. With wrong Kerberos information I am expecting an
> ‘access denied’.
>
> As per the flink log, it clearly states that authentication failed due to
> wrong Kerberos information and that it is trying to connect to zookeeper in
> unauthorised mode if zookeeper allows.
>
> And then it connected successfully!
>
> Am I missing any configuration on the flink/zookeeper side?
>
> Expecting your suggestion here.
>
> Regards
>
> Sarthak Sahu
>
> *From:* Eron Wright [mailto:eronwright@gmail.com]
> *Sent:* Tuesday, April 3, 2018 3:07 AM
> *To:* Sahu, Sarthak 1. (Nokia - IN/Bangalore) <sa...@nokia.com>
> *Cc:* suez1224@gmail.com; Timo Walther <tw...@apache.org>
>
> *Subject:* Re: Issue in Flink/Zookeeper authentication via Kerberos
>
> Hello, I'm happy to help. Could you elaborate on the issue that you see?
> Are you saying that you expect to get 'access denied' but Zookeeper is
> allowing the connection anyway?
>
> My first thought is, maybe ZK allows unauthenticated connections but
> relies on the authorization layer to deny access to nodes based on the
> ACL. Flink has a configuration setting to set the 'owner' of the znode.
>
> -Eron
>
> On Mon, Apr 2, 2018 at 1:50 AM, Sahu, Sarthak 1. (Nokia - IN/Bangalore) <
> sarthak.1.sahu@nokia.com> wrote:
>
> Hi Eron/Shuyi
>
> Could you please help me on this below issue.
>
> Regards
>
> Sarthak Sahu
>
> *From:* Timo Walther [mailto:twalthr@apache.org]
> *Sent:* Monday, March 26, 2018 3:05 PM
> *To:* user@flink.apache.org
> *Cc:* eronwright@gmail.com; suez1224@gmail.com
> *Subject:* Re: Issue in Flink/Zookeeper authentication via Kerberos
>
> Hi Sarthak,
>
> I'm not a Kerberos expert but maybe Eron or Shuyi are more familiar with
> the details?
>
> Would be great if somebody could help.
>
> Thanks,
> Timo
>
> On 22.03.18 at 10:16, Sahu, Sarthak 1. (Nokia - IN/Bangalore) wrote:
>
> Hi Folks,
>
> *Environment Setup:*
>
> 1. I have configured a KDC 5 server.
> 2. Configured Kerberos in zookeeper-3.4.10 wherein I am able to
> connect ZooKeeper Server/Client via Kerberos authentication.
> 3. Now flink-1.4.0 has been configured for Kerberos authentication as per
> the instructions below.
>
> · https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security
> · https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security-1
>
> *Success Scenario:*
>
> 1. All Kerberos configuration parameters are correct and flink/zookeeper
> are able to connect through TGT.
>
> *Problem:*
>
> 1. Even if wrong Kerberos credentials are given, flink is able to connect to
> ZooKeeper.
>
> Please find the taskmanager/jobmanager logs and flink config file for both
> scenarios attached.
>
> Hoping for quick resolution.
>
> Regards
>
> Sarthak Sahu
>
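The behaviour Eron describes in his reply (the ZooKeeper session is accepted, and it is the znode ACL that denies access) can be checked directly with the ZooKeeper client API. What follows is an added example written for this thread; it is not code from the thread, from Flink or from ZooKeeper. It assumes a Kerberos-enabled ZooKeeper 3.4 ensemble at the hypothetical address zk.example.internal:2181, a hypothetical znode path /flink-acl-demo, and that the JVM is started with -Djava.security.auth.login.config pointing at a JAAS file whose Client section holds the Kerberos login. ZooDefs.Ids.CREATOR_ALL_ACL is the ACL that Flink's creator mode applies according to the ZooKeeperUtils link above.

```java
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

/**
 * Added example (not Flink or ZooKeeper project code): a session with bad
 * Kerberos credentials still reaches SyncConnected, and it is the creator
 * ACL on the znode that turns the "connected successfully" case into NoAuth.
 */
public final class ZnodeAclCheck {

    // Hypothetical values: point these at the test ensemble.
    private static final String CONNECT_STRING = "zk.example.internal:2181";
    private static final String PATH = "/flink-acl-demo";
    private static final int SESSION_TIMEOUT_MS = 10_000;

    /** Opens a session and waits for SyncConnected; reports AuthFailed if SASL login failed. */
    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT_STRING, SESSION_TIMEOUT_MS, event -> {
            Watcher.Event.KeeperState state = event.getState();
            if (state == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            } else if (state == Watcher.Event.KeeperState.AuthFailed) {
                // The situation from the thread: SASL/Kerberos login failed,
                // but the session itself is still established by the server.
                System.out.println("SASL authentication failed; session continues unauthenticated");
            }
        });
        if (!connected.await(SESSION_TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
            zk.close();
            throw new IllegalStateException("no SyncConnected within timeout");
        }
        return zk;
    }

    /** Run with the correct JAAS "Client" credentials: creates a znode owned by the creator. */
    static void create(ZooKeeper zk) throws Exception {
        try {
            // CREATOR_ALL_ACL uses the "auth" scheme, which the server resolves to
            // the session's authenticated identity (e.g. sasl:user1@EXAMPLE.COM).
            zk.create(PATH, "demo".getBytes(StandardCharsets.UTF_8),
                    ZooDefs.Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);
        } catch (KeeperException.NodeExistsException e) {
            System.out.println(PATH + " already exists, checking its ACL");
        } catch (KeeperException.InvalidACLException e) {
            // An unauthenticated session has no identity for "auth" to resolve to.
            System.out.println("create refused: session is not authenticated, creator ACL cannot be applied");
            return;
        }
        // Defender's check: expect scheme "sasl" and the principal, not world:anyone.
        for (ACL acl : zk.getACL(PATH, new Stat())) {
            System.out.printf("ACL on %s: scheme=%s id=%s perms=%d%n",
                    PATH, acl.getId().getScheme(), acl.getId().getId(), acl.getPerms());
        }
    }

    /** Run with wrong or missing credentials: the session connects, but the read is denied. */
    static void read(ZooKeeper zk) throws Exception {
        try {
            byte[] data = zk.getData(PATH, false, new Stat());
            System.out.println("READ OK (ACL is too open): " + new String(data, StandardCharsets.UTF_8));
        } catch (KeeperException.NoAuthException e) {
            // The access denial Sarthak expected, enforced by the authorization layer.
            System.out.println("NoAuth on " + PATH + ": znode is protected by its creator ACL");
        }
    }

    public static void main(String[] args) throws Exception {
        String mode = args.length > 0 ? args[0] : "read";
        ZooKeeper zk = connect();
        try {
            if ("create".equals(mode)) {
                create(zk);
            } else {
                read(zk);
            }
        } finally {
            zk.close();
        }
    }
}
```

Run it once as `java ZnodeAclCheck create` under valid credentials; the printed ACL should carry scheme sasl and the job's principal as id. Then run `java ZnodeAclCheck read` under a JAAS file with wrong credentials, or with -Dzookeeper.sasl.client=false to skip SASL entirely: SyncConnected still arrives (the "connected successfully" line in Sarthak's log), and getData ends in NoAuthException. If the znode had been created with an open ACL (world:anyone) the second run prints READ OK instead, which is the observable difference between the two Flink settings. Not discussed in the thread, but worth knowing on the server side: ZooKeeper's zookeeper.allowSaslFailedClients property, when set to false, closes sessions whose SASL authentication failed instead of letting them continue unauthenticated.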