[ 
https://issues.apache.org/jira/browse/FLINK-9685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787326#comment-16787326
 ] 

Rong Rong commented on FLINK-9685:
----------------------------------

Hi. I was wondering whether I fully understood the requirement for this JIRA. 
 1. Do we want to support general substitution on principal keywords, e.g. 
REALM as well?
 2. What kind of principal format are we going to support?
 3. What would be a good keyword substitution reserved for this purpose?

Can we refer to the Kerberos document for any possible improvement for 2/3?

Regarding the implementation, should we defer this change or the replacement 
logic to the specific module instead, for example {{HadoopModule}}? It seems 
to me that the only place that should be using the principal is the security 
modules/contexts themselves, and each module might interpret this differently? 
This is actually part of the overall effort to provide the ServiceProvider 
pattern in FLINK-11589.

> Flink should support hostname-substitution for 
> security.kerberos.login.principal
> --------------------------------------------------------------------------------
>
>                 Key: FLINK-9685
>                 URL: https://issues.apache.org/jira/browse/FLINK-9685
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Coordination
>            Reporter: Ethan Li
>            Assignee: Aleksandr Salatich
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> [https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/SecurityConfiguration.java#L83]
>  
> We can have something like this
> {code:java}
> String rawPrincipal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
> if (rawPrincipal != null) {
>    try {
>       // Substitute the HOSTNAME keyword with this node's canonical hostname.
>       rawPrincipal = rawPrincipal.replace("HOSTNAME", InetAddress.getLocalHost().getCanonicalHostName());
>    } catch (UnknownHostException e) {
>       // Pass the exception as the last argument so that its stack trace is logged.
>       LOG.error("Failed to replace HOSTNAME with localhost because {}", e.getMessage(), e);
>    }
> }
> this.principal = rawPrincipal;
> {code}
> So it will be easier to deploy Flink to a cluster. Instead of setting a 
> different principal on every node, we can have the same principal 
> headless_user/HOSTNAME@DOMAIN.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
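
The principal-format and reserved-keyword questions raised in the comment, worked through as an added example (not code from the issue, the pull request or Flink): the keyword is expanded only when it is the entire instance component of `primary/instance@REALM`, and a missing hostname aborts instead of leaving the literal keyword in the principal, whereas a plain `String.replace` rewrites every occurrence in the string. The class name `PrincipalHostSubstitution` and the sample principals are hypothetical; the `HOSTNAME` keyword is the one proposed in the description, and Hadoop's `SecurityUtil` reserves `_HOST` for the same purpose.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

/** Hypothetical helper, not part of Flink: expands the host keyword in the instance component only. */
public final class PrincipalHostSubstitution {

    // Keyword proposed in the issue description; Hadoop's own convention is "_HOST".
    static final String HOST_TOKEN = "HOSTNAME";

    /** Expands primary/HOSTNAME@REALM; every other principal is returned unchanged. */
    static String resolve(String rawPrincipal, String canonicalHost) {
        if (rawPrincipal == null) {
            return null;
        }
        int at = rawPrincipal.lastIndexOf('@');
        String name = at < 0 ? rawPrincipal : rawPrincipal.substring(0, at);
        String realm = at < 0 ? "" : rawPrincipal.substring(at); // keeps the '@'
        int slash = name.indexOf('/');
        // Only an instance component that is exactly the keyword is replaced, so a
        // primary or realm that merely contains "HOSTNAME" is never rewritten.
        if (slash < 0 || !name.substring(slash + 1).equals(HOST_TOKEN)) {
            return rawPrincipal;
        }
        // Fail closed: never hand a half-substituted principal to the login module.
        if (canonicalHost == null || canonicalHost.isEmpty()) {
            throw new IllegalStateException("Cannot expand " + HOST_TOKEN + " in " + rawPrincipal);
        }
        // Hadoop lower-cases the host name when expanding _HOST; the same is done here.
        return name.substring(0, slash + 1) + canonicalHost.toLowerCase(Locale.ROOT) + realm;
    }

    public static void main(String[] args) throws UnknownHostException {
        // An unresolvable local host propagates as an exception instead of being logged and ignored.
        String host = InetAddress.getLocalHost().getCanonicalHostName();
        // Constructed sample principals.
        String[] samples = {
            "headless_user/HOSTNAME@DOMAIN",     // expanded
            "headless_user@DOMAIN",              // no instance component: unchanged
            "HOSTNAME_svc/gateway@HOSTNAME.ORG"  // keyword only as a substring: unchanged
        };
        for (String p : samples) {
            System.out.println(p + " -> " + resolve(p, host));
        }
    }
}
```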
