You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Rong Rong (JIRA)" <ji...@apache.org> on 2019/01/04 17:44:01 UTC
[jira] [Updated] (FLINK-11088) Improve Kerberos Authentication
Keytab discovery on YARN
[ https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rong Rong updated FLINK-11088:
------------------------------
Summary: Improve Kerberos Authentication Keytab discovery on YARN (was: Improve Kerberos Authentication using Keytab in YARN proxy user mode)
> Improve Kerberos Authentication Keytab discovery on YARN
> --------------------------------------------------------
>
> Key: FLINK-11088
> URL: https://issues.apache.org/jira/browse/FLINK-11088
> Project: Flink
> Issue Type: Sub-task
> Components: Security, YARN
> Reporter: Rong Rong
> Assignee: Rong Rong
> Priority: Major
>
> Currently flink-yarn assumes keytab is shipped as application master environment local resource on client side and will be distributed to all the TMs. This does not work for YARN proxy user mode [1] since proxy user or super user might not have access to actual users' keytab, but can request delegation tokens on users' behalf.
> Based on the type of security options for long-living YARN service[2], we propose to have the keytab file path discovery configurable depending on the launch mode of the YARN client.
> Reference:
> [1] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)