Re: [DISCUSS] Flink Kerberos Improvement
Hi Rong, thanks a lot for the proposal. Currently, Flink assumes the keytab
is located in a remote DFS. Pre-installing keytabs statically in the YARN node
local filesystem is a common approach, so I think we should support this
mode in Flink natively. As an optimization to reduce the KDC access
frequency, we should also support method 3 (the DT approach) as discussed
in . A question is: why do we need to implement impersonation in
Flink? I assume the superuser can do the impersonation for 'joe' and 'joe'
can then invoke the Flink client to deploy the job. Thanks a lot.
On Mon, Dec 17, 2018 at 5:49 PM Rong Rong <walterddr@xxxxxxxxx> wrote:
> Hi All,
> We have been experimenting integration of Kerberos with Flink in our Corp
> environment and found out some limitations on the current Flink-Kerberos
> security mechanism running with Apache YARN.
> Based on the Hadoop Kerberos security guide , apparently only a subset
> of the suggested long-running service security mechanisms is supported in
> Flink. Furthermore, the current model does not work well with a superuser
> impersonating actual users for deployment purposes, which is a widely
> adopted way to launch applications in corp environments.
> We would like to propose an improvement to introduce the other common
> methods for securing long-running applications on YARN and to enable
> impersonation mode. Any comments and suggestions are highly appreciated.
> Many thanks,
"So you have to trust that the dots will somehow connect in your future."