[ https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rong Rong updated FLINK-11088:
------------------------------
    Description: 
Currently flink-yarn assumes the keytab is shipped as an application master 
environment local resource on the client side and will be distributed to all the 
TMs. This does not work for YARN proxy user mode since the proxy user or super user 
does not have access to the actual user's keytab but only delegation tokens. 

We propose to have the keytab file path discovery configurable depending on the 
launch mode of the YARN client. 

Reference: 
[1] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
[2] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services


  was:
Currently flink-yarn assumes the keytab is shipped as an application master 
environment local resource on the client side and will be distributed to all the 
TMs. This does not work for YARN proxy user mode since the proxy user or super user 
does not have access to the actual user's keytab but only delegation tokens. 

We propose to have the keytab file path discovery configurable depending on the 
launch mode of the YARN client. 

Reference: 
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html


> Improve Kerberos Authentication using Keytab in YARN proxy user mode
> --------------------------------------------------------------------
>
>                 Key: FLINK-11088
>                 URL: https://issues.apache.org/jira/browse/FLINK-11088
>             Project: Flink
>          Issue Type: Improvement
>          Components: Security, YARN
>            Reporter: Rong Rong
>            Assignee: Rong Rong
>            Priority: Major
>
> Currently flink-yarn assumes the keytab is shipped as an application master 
> environment local resource on the client side and will be distributed to all the 
> TMs. This does not work for YARN proxy user mode since the proxy user or super 
> user does not have access to the actual user's keytab but only delegation tokens. 
> We propose to have the keytab file path discovery configurable depending on 
> the launch mode of the YARN client. 
> Reference: 
> [1] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
