[
https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rong Rong updated FLINK-11088:
------------------------------
Description:
Currently flink-yarn assumes keytab is shipped as application master
environment local resource on client side and will be distributed to all the
TMs. This does not work for YARN proxy user mode [1] since proxy user or super
user might not have access to actual users' keytab, but can request delegation
tokens on users' behalf.
Based on the type of security options for long-living YARN service[2], we
propose to have the keytab file path discovery configurable depending on the
launch mode of the YARN client.
Reference:
[1]
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
[2]
https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
was:
Currently flink-yarn assumes keytab is shipped as application master
environment local resource on client side and will be distributed to all the
TMs. This does not work for YARN proxy user mode since proxy user or super user
does not have access to actual user's keytab but only delegation tokens.
We propose to have the keytab file path discovery configurable depending on the
launch mode of the YARN client.
Reference:
[1]
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
[2]
https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
> Improve Kerberos Authentication using Keytab in YARN proxy user mode
> --------------------------------------------------------------------
>
> Key: FLINK-11088
> URL: https://issues.apache.org/jira/browse/FLINK-11088
> Project: Flink
> Issue Type: Improvement
> Components: Security, YARN
> Reporter: Rong Rong
> Assignee: Rong Rong
> Priority: Major
>
> Currently flink-yarn assumes keytab is shipped as application master
> environment local resource on client side and will be distributed to all the
> TMs. This does not work for YARN proxy user mode [1] since proxy user or
> super user might not have access to actual users' keytab, but can request
> delegation tokens on users' behalf.
> Based on the type of security options for long-living YARN service[2], we
> propose to have the keytab file path discovery configurable depending on the
> launch mode of the YARN client.
> Reference:
> [1]
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2]
> https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
