Re: Issue in Flink/Zookeeper authentication via Kerberos

Posted by Eron Wright on
URL: http://deprecated-apache-flink-user-mailing-list-archive.369.s1.nabble.com/Issue-in-Flink-Zookeeper-authentication-via-Kerberos-tp19120p19519.html

I believe that the solution here is to ensure that the znodes created by Flink have an ACL that allows access only to the original creator. For example, if a given Flink job has a Kerberos identity of "[hidden email]", it should set the znode ACL appropriately to disallow access to any client that doesn't successfully authenticate as that user. This may be accomplished with the following Flink configuration setting:

high-availability.zookeeper.client.acl: creator

Some code links:
- https://github.com/apache/flink/blob/release-1.4.2/flink-core/src/main/java/org/apache/flink/configuration/HighAvailabilityOptions.java#L171
- https://github.com/apache/flink/blob/release-1.4.2/flink-runtime/src/main/java/org/apache/flink/runtime/util/ZooKeeperUtils.java#L93

Hope this helps!
Eron
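As an added example (not code from this thread or from the Flink project), the following offline Python check parses zkCli.sh `getAcl` output and flink-conf.yaml lines and reports whether Flink's HA znodes are protected by a creator-only SASL ACL or left open to world:anyone. The sample ACL listings, the principal flink@EXAMPLE.COM and the config lines are constructed.

```python
"""Offline audit: does a Flink HA znode ACL actually restrict access to the
Kerberos creator? Added example with constructed input, not real cluster data."""
import re

# Flink HA ACL option; its default value is "open" (see HighAvailabilityOptions).
ACL_KEY = "high-availability.zookeeper.client.acl"

# Constructed samples of what `getAcl /flink` prints in zkCli.sh:
# one znode created with the default open ACL, one created in creator mode
# by a client that authenticated via SASL/Kerberos.
ZKCLI_OPEN = "'world,'anyone\n: cdrwa\n"
ZKCLI_CREATOR = "'sasl,'flink@EXAMPLE.COM\n: cdrwa\n"

# zkCli prints each ACL entry as "'scheme,'id" followed by ": perms" on the next line.
ACL_RE = re.compile(r"^'(?P<scheme>\w+),'(?P<id>[^\n]*)\n: (?P<perms>[cdrwa]+)$", re.M)


def parse_zkcli_acl(text):
    """Return [(scheme, id, perms)] parsed from zkCli getAcl output."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ACL_RE.finditer(text)]


def flink_acl_mode(conf_lines):
    """Effective value of the Flink ACL option from flink-conf.yaml lines.
    A missing or empty key means the default, "open"."""
    for line in conf_lines:
        key, _, value = line.partition(":")
        if key.strip() == ACL_KEY and value.strip():
            return value.strip().lower()
    return "open"


def audit(conf_lines, zkcli_output):
    """Findings a defender wants: will Flink create open znodes, and does the
    ACL ZooKeeper actually stored deny unauthenticated clients?"""
    findings = []
    mode = flink_acl_mode(conf_lines)
    if mode != "creator":
        findings.append(f"{ACL_KEY} is '{mode}': Flink does not restrict its znodes to the creator")
    for scheme, ident, perms in parse_zkcli_acl(zkcli_output):
        if scheme == "world" and ident == "anyone":
            findings.append(f"znode grants world:anyone '{perms}': unauthenticated clients are not denied")
        elif scheme == "sasl":
            findings.append(f"OK: access limited to Kerberos principal {ident} ('{perms}')")
    return findings


if __name__ == "__main__":
    for line in audit(["high-availability.mode: zookeeper"], ZKCLI_OPEN):
        print(line)
    for line in audit([f"{ACL_KEY}: creator"], ZKCLI_CREATOR):
        print(line)
```

Run it against real `getAcl` output for the configured `high-availability.zookeeper.path.root` to confirm the ACL matches what the config promises; a world:anyone entry on a Flink znode means the Kerberos failure Sarthak saw will not be turned into an access denial.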

On Sun, Apr 15, 2018 at 2:16 AM, Sahu, Sarthak 1. (Nokia - IN/Bangalore) <[hidden email]> wrote:

Glad to get the reply. With wrong Kerberos information I am expecting an 'access denied'.

As per the flink log, it clearly states that authentication failed due to wrong Kerberos information and that it is trying to connect to zookeeper in unauthorised mode if zookeeper allows it.

And then it connected successfully!

Am I missing any configuration on the flink/zookeeper side?

Expecting your suggestion here.

Regards

Sarthak Sahu

From: Eron Wright [mailto:[hidden email]]
Sent: Tuesday, April 3, 2018 3:07 AM
To: Sahu, Sarthak 1. (Nokia - IN/Bangalore) <[hidden email]>
Cc: [hidden email]; Timo Walther <[hidden email]>
Subject: Re: Issue in Flink/Zookeeper authentication via Kerberos

Hello, I'm happy to help. Could you elaborate on the issue that you see? Are you saying that you expect to get 'access denied' but Zookeeper is allowing the connection anyway?

My first thought is, maybe ZK allows unauthenticated connections but relies on the authorization layer to deny access to nodes based on the ACL. Flink has a configuration setting to set the 'owner' of the znode.

-Eron

On Mon, Apr 2, 2018 at 1:50 AM, Sahu, Sarthak 1. (Nokia - IN/Bangalore) <[hidden email]> wrote:

Hi Eron/Shuyi,

Could you please help me with the issue below.

Regards

Sarthak Sahu

From: Timo Walther [mailto:[hidden email]]
Sent: Monday, March 26, 2018 3:05 PM
To: [hidden email]
Cc: [hidden email]; [hidden email]
Subject: Re: Issue in Flink/Zookeeper authentication via Kerberos

Hi Sarthak,

I'm not a Kerberos expert but maybe Eron or Shuyi are more familiar with the details?

Would be great if somebody could help.

Thanks,
Timo

On 22.03.18 at 10:16, Sahu, Sarthak 1. (Nokia - IN/Bangalore) wrote:

Hi Folks,

  Environment Setup:

  1. I have configured a KDC 5 server.
  2. Configured Kerberos in zookeeper-3.4.10, wherein I am able to connect the ZooKeeper Server/Client via Kerberos authentication.
  3. Now flink-1.4.0 has been configured for Kerberos authentication as per the instructions below.

  - https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security
  - https://ci.apache.org/projects/flink/flink-docs-release-1.4/ops/config.html#kerberos-based-security-1

  Success Scenario:

  1. All Kerberos configuration parameters are correct and flink/zookeeper are able to connect through TGT.

  Problem:

  1. Even if wrong Kerberos credentials are given, flink is able to connect to ZooKeeper.

Please find the taskmanager/jobmanager logs and flink config file for both scenarios attached.

Hoping for quick resolution.

Regards

Sarthak Sahu