You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@flink.apache.org by mx...@apache.org on 2015/10/23 18:15:02 UTC

flink git commit: [docs] add information on how to use Kerberos

Repository: flink
Updated Branches:
  refs/heads/master e69693778 -> 4a3151681


[docs] add information on how to use Kerberos


Project: http://git-wip-us.apache.org/repos/asf/flink/repo
Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/4a315168
Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/4a315168
Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/4a315168

Branch: refs/heads/master
Commit: 4a31516814c6a4e38a76e712a21a6924039f7371
Parents: e696937
Author: Maximilian Michels <mx...@apache.org>
Authored: Fri Oct 23 18:13:13 2015 +0200
Committer: Maximilian Michels <mx...@apache.org>
Committed: Fri Oct 23 18:14:36 2015 +0200

----------------------------------------------------------------------
 docs/setup/config.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/flink/blob/4a315168/docs/setup/config.md
----------------------------------------------------------------------
diff --git a/docs/setup/config.md b/docs/setup/config.md
index 447a329..489790b 100644
--- a/docs/setup/config.md
+++ b/docs/setup/config.md
@@ -145,6 +145,31 @@ this can improve the efficiency of the operations performed on the memory
 - `taskmanager.memory.segment-size`: The size of memory buffers used by the 
 memory manager and the network stack in bytes (DEFAULT: 32768 (= 32 KiBytes)).
 
+
+### Kerberos
+
+Flink supports Kerberos authentication of Hadoop services such as HDFS, YARN,
+or HBase.
+
+While Hadoop uses Kerberos tickets to authenticate users with services
+initially, the authentication process continues differently afterwards. Instead
+of saving the ticket to authenticate on a later access, Hadoop creates its own
+security tockens (DelegationToken) that it passes around. These are
+authenticated to Kerberos periodically but are independent of the token renewal
+time. The tokens have a maximum life span identical to the Kerberos ticket maximum life
+span.
+
+Please make sure to set the maximum ticket life span high long running
+jobs. The renewal time of the ticket, on the other hand, is not important
+because Hadoop abstracts this away using its own security tocken renewal
+system. Hadoop makes sure that tickets are renewed in time and you can be sure
+to be authenticated until the end of the ticket life time.
+
+If you are on YARN, then it is sufficient to authenticate the client with
+Kerberos. On a Flink standalone cluster you need to ensure that, initially, all
+nodes are authenticated with Kerberos using the `kinit` tool.
+
+
 ### Other
 
 - `taskmanager.tmp.dirs`: The directory for temporary files, or a list of