Posted to issues@flink.apache.org by "Lijie Wang (Jira)" <ji...@apache.org> on 2022/10/20 07:47:00 UTC

[jira] [Commented] (FLINK-29362) Allow loading dynamic config for kerberos authentication in CliFrontend

    [ https://issues.apache.org/jira/browse/FLINK-29362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17620868#comment-17620868 ] 

Lijie Wang commented on FLINK-29362:
------------------------------------

I will close this issue because it's a duplicate of FLINK-12130.

> Allow loading dynamic config for kerberos authentication in CliFrontend
> -----------------------------------------------------------------------
>
>                 Key: FLINK-29362
>                 URL: https://issues.apache.org/jira/browse/FLINK-29362
>             Project: Flink
>          Issue Type: Improvement
>          Components: Command Line Client
>            Reporter: Biao Geng
>            Priority: Major
>
> In the [code|https://github.com/apache/flink/blob/97f5a45cd035fbae37a7468c6f771451ddb4a0a4/flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontend.java#L1167], Flink's client will try to {{SecurityUtils.install(new SecurityConfiguration(cli.configuration));}} with configs (e.g. {{security.kerberos.login.principal}} and {{security.kerberos.login.keytab}}) from only flink-conf.yaml.
> If users specify the above 2 configs via the -D option, it will not work, as {{cli.parseAndRun(args)}} will be executed after installing security configs from flink-conf.yaml.
> However, if a user specifies principal A in the client's flink-conf.yaml and uses the -D option to specify principal B, the launched YARN container will use principal B though the job is submitted on the client end with principal A.
> Such behavior can be misleading as Flink provides 2 ways to set a config but does not keep consistency between client and cluster. It also influences users who want to use Flink with Kerberos, as they must modify flink-conf.yaml if they want to use another Kerberos user.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)