[
https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16310633#comment-16310633
]
Shuyi Chen commented on FLINK-7860:
-----------------------------------
I assume in the doAs block, it will be run as "joe" and should not be able to
access to the superuser's credential. Otherwise, it seems to be a security
issue of hadoop. Please correct me if I am wrong.
And we have a super service that proxy all job submissions from 100+ different
service accounts to secure YARN. The super service will be running a super user
account, and wont have direct access to the keytab of individual service
account. It can only access those keytab indirectly through doAs() to
impersonate the individual users. Since this is a common pattern in hadoop, I
think it will make sense for Flink to support it as well.
> Support YARN proxy user in Flink (impersonation)
> ------------------------------------------------
>
> Key: FLINK-7860
> URL: https://issues.apache.org/jira/browse/FLINK-7860
> Project: Flink
> Issue Type: New Feature
> Components: YARN
> Reporter: Shuyi Chen
> Assignee: Shuyi Chen
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
