[FLINK-32465] KerberosLoginProvider.isLoginPossible does accidental login with keytab - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.18.0, 1.17.2
Fix Version/s: 1.18.0, 1.17.2
Component/s: API / Core
Labels:
- pull-request-available

Description

In KerberosLoginProvider.isLoginPossible there is a call to UserGroupInformation.getCurrentUser() before principal check (keytab usage). This triggers an accidental login with either kerberos credentials if available, or as the local OS user, based on security settings. This is not problematic most of the time since KerberosLoginProvider.doLogin overwrites the credentials with keytab. The problem hurts however when login fails for whatever reason. Such case the workload is just not starting.

Attachments

Issue Links

links to

GitHub Pull Request #22887

GitHub Pull Request #22889

Activity

People

Assignee:: Gabor Somogyi

Reporter:: Gabor Somogyi

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 28/Jun/23 09:30

Updated:: 28/Jun/23 15:51

Resolved:: 28/Jun/23 15:51