Flink / FLINK-11271 Improvement to Kerberos Security / FLINK-11088

Allow pre-install Kerberos authentication keytab discovery on YARN

    Description

      Currently flink-yarn assumes the keytab is shipped as an application master environment local resource on the client side and will be distributed to all the TMs. This does not work for YARN proxy user mode [1], since the proxy user or super user might not have access to the actual users' keytab, but can request delegation tokens on the users' behalf.

      Based on the types of security options for long-living YARN services [2], we propose to make the keytab file path discovery configurable depending on the launch mode of the YARN client.

      Reference:
      [1] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
      [2] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services

            People

              rongr Rong Rong