[
https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16312065#comment-16312065
]
Shuyi Chen commented on FLINK-7860:
-----------------------------------
If you look at the [documentation |
https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html]
of Yarn Proxy user, one use case is superuser with kerberos credential
proxying user w/o any credential, also, superuser can get DT for 'joe' if
needed. So, I dont think the super service will need to access the service
account ('joe') keytab to be able to deploy a Flink cluster, and I have
verified this in our secure cluster. But on the other hand, since Flink
streaming jobs are long running jobs, once the job is deployed on Yarn, the job
need the 'joe' 's keytab to renew all needed DTs after and every, says, 7 days
(since DT can not be renewed after 7 days). So if we deploy a flink job w/o
keytab, it wont run for longer than 7 days.
The current Flink implementation does not use DTs, therefore, your flink
cluster will fail at start after launched by YARN if there is no keytab
provided by 'joe'.
> Support YARN proxy user in Flink (impersonation)
> ------------------------------------------------
>
> Key: FLINK-7860
> URL: https://issues.apache.org/jira/browse/FLINK-7860
> Project: Flink
> Issue Type: New Feature
> Components: YARN
> Reporter: Shuyi Chen
> Assignee: Shuyi Chen
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
