Repository: flink Updated Branches: refs/heads/master e69693778 -> 4a3151681
[docs] add information on how to use Kerberos Project: http://git-wip-us.apache.org/repos/asf/flink/repo Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/4a315168 Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/4a315168 Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/4a315168 Branch: refs/heads/master Commit: 4a31516814c6a4e38a76e712a21a6924039f7371 Parents: e696937 Author: Maximilian Michels <[email protected]> Authored: Fri Oct 23 18:13:13 2015 +0200 Committer: Maximilian Michels <[email protected]> Committed: Fri Oct 23 18:14:36 2015 +0200 ---------------------------------------------------------------------- docs/setup/config.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/flink/blob/4a315168/docs/setup/config.md ---------------------------------------------------------------------- diff --git a/docs/setup/config.md b/docs/setup/config.md index 447a329..489790b 100644 --- a/docs/setup/config.md +++ b/docs/setup/config.md @@ -145,6 +145,31 @@ this can improve the efficiency of the operations performed on the memory - `taskmanager.memory.segment-size`: The size of memory buffers used by the memory manager and the network stack in bytes (DEFAULT: 32768 (= 32 KiBytes)). + +### Kerberos + +Flink supports Kerberos authentication of Hadoop services such as HDFS, YARN, +or HBase. + +While Hadoop uses Kerberos tickets to authenticate users with services +initially, the authentication process continues differently afterwards. Instead +of saving the ticket to authenticate on a later access, Hadoop creates its own +security tockens (DelegationToken) that it passes around. These are +authenticated to Kerberos periodically but are independent of the token renewal +time. The tokens have a maximum life span identical to the Kerberos ticket maximum life +span. + +Please make sure to set the maximum ticket life span high long running +jobs. The renewal time of the ticket, on the other hand, is not important +because Hadoop abstracts this away using its own security tocken renewal +system. Hadoop makes sure that tickets are renewed in time and you can be sure +to be authenticated until the end of the ticket life time. + +If you are on YARN, then it is sufficient to authenticate the client with +Kerberos. On a Flink standalone cluster you need to ensure that, initially, all +nodes are authenticated with Kerberos using the `kinit` tool. + + ### Other - `taskmanager.tmp.dirs`: The directory for temporary files, or a list of
