You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Venkata krishnan Sowrirajan (Jira)" <ji...@apache.org> on 2023/02/16 21:24:00 UTC

[jira] [Created] (FLINK-31109) Fails with proxy user not supported even when security.kerberos.fetch.delegation-token is set to false

Venkata krishnan Sowrirajan created FLINK-31109:
---------------------------------------------------

             Summary: Fails with proxy user not supported even when security.kerberos.fetch.delegation-token is set to false
                 Key: FLINK-31109
                 URL: https://issues.apache.org/jira/browse/FLINK-31109
             Project: Flink
          Issue Type: Bug
            Reporter: Venkata krishnan Sowrirajan


With
{code:java}
security.kerberos.fetch.delegation-token: false
{code}
and delegation tokens obtained through our internal service which sets both HADOOP_TOKEN_FILE_LOCATION to pick up the DTs and also sets the HADOOP_PROXY_USER which fails with the below error
{code:java}
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/export/home/vsowrira/flink-1.18-SNAPSHOT/lib/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/export/apps/hadoop/hadoop-bin_2100503/share/hadoop/common/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
org.apache.flink.runtime.security.modules.SecurityModule$SecurityInstallException: Unable to set the Hadoop login user
	at org.apache.flink.runtime.security.modules.HadoopModule.install(HadoopModule.java:106)
	at org.apache.flink.runtime.security.SecurityUtils.installModules(SecurityUtils.java:76)
	at org.apache.flink.runtime.security.SecurityUtils.install(SecurityUtils.java:57)
	at org.apache.flink.client.cli.CliFrontend.mainInternal(CliFrontend.java:1188)
	at org.apache.flink.client.cli.CliFrontend.main(CliFrontend.java:1157)
Caused by: java.lang.UnsupportedOperationException: Proxy user is not supported
	at org.apache.flink.runtime.security.token.hadoop.KerberosLoginProvider.throwProxyUserNotSupported(KerberosLoginProvider.java:137)
	at org.apache.flink.runtime.security.token.hadoop.KerberosLoginProvider.isLoginPossible(KerberosLoginProvider.java:81)
	at org.apache.flink.runtime.security.modules.HadoopModule.install(HadoopModule.java:73)
	... 4 more
{code}

This seems to have gotten changed after [480e6edf|https://github.com/apache/flink/commit/] ([FLINK-28330][runtime][security] Remove old delegation token framework code)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)