You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Till Rohrmann (JIRA)" <ji...@apache.org> on 2019/02/26 16:36:00 UTC
[jira] [Closed] (FLINK-3699) Allow per-job Kerberos authentication
[ https://issues.apache.org/jira/browse/FLINK-3699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Till Rohrmann closed FLINK-3699.
--------------------------------
Resolution: Workaround
Closed because there is a workaround by starting dedicated Flink clusters and there is no activity.
> Allow per-job Kerberos authentication
> --------------------------------------
>
> Key: FLINK-3699
> URL: https://issues.apache.org/jira/browse/FLINK-3699
> Project: Flink
> Issue Type: Improvement
> Components: Distributed Coordination, JobManager, Scheduler, YARN
> Affects Versions: 1.0.0
> Reporter: Stefano Baghino
> Priority: Major
> Labels: kerberos, security, yarn
>
> Currently, authentication in a secure ("Kerberized") environment is performed once as a standalone cluster or a YARN session is started up. This means that jobs submitted will all be executed with the privileges of the user that started up the cluster. This is reasonable in a lot of situations but disallows a fine control over ACLs when Flink is involved.
> Adding a way for each job submission to be independently authenticated would allow each job to run with the privileges of a specific user, enabling much more granular control over ACLs, in particular in the context of existing secure cluster setups.
> So far, a known workaround to this limitation (at least when running on YARN) is to run a per-job cluster as a specific user.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)