https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721857#comment-16721857
Rong Rong edited comment on FLINK-11088 at 12/14/18 11:03 PM:
--------------------------------------------------------------
I further dug into the details of the documentation on the Hadoop side, and it seems like
there are 3 recommended ways of distributing credentials to secure long-running
services on YARN. See here:
https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services.
I am not sure whether this applies to other cluster resource management systems,
but I think it is worthwhile to take a look. For one: the current way of
letting all JMs and TMs renew the keytab with the KDC seems to be a problem. If we can
have the AM or JM renew with the keytab credential and distribute it via
delegation tokens to all TMs, it will release lots of load on the KDC server.
I will start drafting a simple discussion doc if the community thinks this is
worth digging into deeper. Any thoughts [~suez1224], [~till.rohrmann], [~aljoscha]?
> Improve Kerberos Authentication using Keytab in YARN proxy user mode
> --------------------------------------------------------------------
>
> Key: FLINK-11088
> URL: https://issues.apache.org/jira/browse/FLINK-11088
> Project: Flink
> Issue Type: Improvement
> Components: Security, YARN
> Reporter: Rong Rong
> Assignee: Rong Rong
> Priority: Major
>
> Currently flink-yarn assumes the keytab is shipped as an application master
> environment local resource on the client side and will be distributed to all the
> TMs. This does not work for YARN proxy user mode [1], since the proxy user or
> super user might not have access to the actual users' keytabs, but can request
> delegation tokens on the users' behalf.
> Based on the types of security options for long-living YARN services [2], we
> propose to make the keytab file path discovery configurable depending on the
> launch mode of the YARN client.
> Reference:
> [1] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)