You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Biao Geng (Jira)" <ji...@apache.org> on 2022/09/20 15:47:00 UTC

[jira] [Created] (FLINK-29362) Allow loading dynamic config for kerberos authentication in CliFrontend

Biao Geng created FLINK-29362:
---------------------------------

             Summary: Allow loading dynamic config for kerberos authentication in CliFrontend
                 Key: FLINK-29362
                 URL: https://issues.apache.org/jira/browse/FLINK-29362
             Project: Flink
          Issue Type: Improvement
          Components: Command Line Client
            Reporter: Biao Geng


In the [code|https://github.com/apache/flink/blob/97f5a45cd035fbae37a7468c6f771451ddb4a0a4/flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontend.java#L1167], Flink's client will try to {{SecurityUtils.install(new SecurityConfiguration(cli.configuration));}} with configs(e.g. {{security.kerberos.login.principal}} and {{security.kerberos.login.keytab}}) from only flink-conf.yaml.
If users specify the above 2 config via -D option, it will not work as {{cli.parseAndRun(args)}} will be executed after installing security configs from flink-conf.yaml.
However, if a user specify principal A in client's flink-conf.yaml and use -D option to specify principal B, the launched YARN container will use principal B though the job is submitted in client end with principal A.

Such behavior can be misleading as Flink provides 2 ways to set a config but does not keep consistency between client and cluster. It also influence users who want use flink with kerberos as they must modify flink-conf.yaml if they want to use another kerberos user.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)