Posted to issues@flink.apache.org by "John Lonergan (Jira)" <ji...@apache.org> on 2020/01/12 13:55:00 UTC

[jira] [Commented] (FLINK-3929) Support for Kerberos Authentication with Keytab Credential

    [ https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013767#comment-17013767 ] 

John Lonergan commented on FLINK-3929:
--------------------------------------

This approach alone doesn't consider the impact of password changes on the Kerberos keytab and session. 
I imagine many apps exist in envs where a password must be rolled every so often. 

When this happens, the distributed keytab will be invalidated and the job will fail. 
What options are there to avoid this failure?
In general we have to assume that a process beyond our control will periodically roll the password and there will be no notification to our job.

Therefore presumably our job needs to either be able to attempt recovery from this (a just in time attempt at recreating the keytab) or we need a process that preemptively refreshes the keytab so that the next call to UserGroupInformation.loginFromKeytab in the HDFS client (or wherever) causes the new keytab to be loaded.

And of course this will depend on the coding of the client lib to cooperate with the refresh of the keytab.

What is the scheme for long running considering password rolls?



> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
>                 Key: FLINK-3929
>                 URL: https://issues.apache.org/jira/browse/FLINK-3929
>             Project: Flink
>          Issue Type: New Feature
>          Components: Runtime / Coordination
>            Reporter: Eron Wright
>            Assignee: Vijay Srinivasaraghavan
>            Priority: Major
>              Labels: kerberos, security
>             Fix For: 1.2.0
>
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing] design doc._
> Add support for a keytab credential to be associated with the Flink cluster, to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
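The staleness check that a preemptive keytab-refresh process would run, as an added example that is not part of this thread or of Flink: it parses the MIT keytab file format (version 0x0502) and flags principals whose newest key version number (kvno) is behind the KDC's current kvno, which is exactly what a password roll leaves behind. The sample keytab bytes and the KDC kvno values are constructed here; in practice the current kvno comes from the KDC.

```python
import struct
def _cos(b: bytes) -> bytes:             # counted_octet_string: uint16 length + data
    return struct.pack(">H", len(b)) + b
def _read_cos(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data: bytes) -> list[tuple[str, int]]:
    """Return (principal, kvno) for every live entry of an MIT 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_cos(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p)
            comps.append(c.decode())
        vno8 = data[p + 8]               # after name_type(4) and timestamp(4)
        _key, p = _read_cos(data, p + 11)  # key follows vno8(1) and enctype(2)
        kvno = vno8 if end - p < 4 else struct.unpack_from(">I", data, p)[0]
        out.append(("/".join(comps) + "@" + realm.decode(), kvno))
        pos = end
    return out
def stale_principals(data: bytes, kdc_kvno: dict[str, int]) -> list[str]:
    """Principals whose newest keytab kvno is behind the KDC's current kvno (password rolled)."""
    newest: dict[str, int] = {}
    for principal, kvno in parse_keytab(data):
        newest[principal] = max(newest.get(principal, 0), kvno)
    return sorted(p for p, kv in kdc_kvno.items() if newest.get(p, 0) < kv)
def build_entry(principal: str, kvno: int, key: bytes) -> bytes:
    """Encode one 0x0502 entry (name_type 1, enctype 18); used only to build the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, 18) + _cos(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + b"".join([  # constructed sample: Flink has kvno 3 and 4, ZooKeeper kvno 2
    build_entry("flink/host.example.com@EXAMPLE.COM", 3, b"\x11" * 32),
    build_entry("flink/host.example.com@EXAMPLE.COM", 4, b"\x22" * 32),
    build_entry("zk/host.example.com@EXAMPLE.COM", 2, b"\x33" * 32),
])
```

A refresh process that runs `stale_principals` against the keytab it distributed can regenerate the keytab before the job's next login fails, rather than discovering the roll from a failed `loginUserFromKeytab`.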