[jira] [Commented] (FLINK-21640) Job fails to be submitted in tenant scenario

Fri, 26 Mar 2021 04:24:04 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-21640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309373#comment-17309373
 ] 

Bo Cui commented on FLINK-21640:
--------------------------------

{quote}
Beyond the implementation, actually I have a concern about your proposal. If we 
make the Flink root ZK node public, then I think it could not satisfy the 
following use case.

In a secure ZooKeeper cluster, each user could configure their own Flink root 
node(e.g. high-availability.zookeeper.path.root=flink-user-a), then he/she will 
expect the root node should not be modified by other users. If we apply your 
proposal, the user b could create nodes under /flink-user-a. Right?

All in all, I think this issue is about the ZooKeeper maintenance. If /flink 
node is shared by many users in a secure ZooKeeper cluster, then it should be 
created beforehand with correct permission.
{quote}
in my cluster, All users use the same 
root,high-availability.zookeeper.path.root=/flink. and userB can create nodes 
under /flink. 
1、Users can only modify and delete nodes created by themselves.
2、if /flink has chaildNodes, and userB cannot modify nodes that do not belong 
to them, userB can not delete /flink
3、If each user uses a different rootNode, `/` will has many nodes(/flinkA 
/flinkB....), which is bad behavior.

> Job fails to be submitted in tenant scenario
> --------------------------------------------
>
>                 Key: FLINK-21640
>                 URL: https://issues.apache.org/jira/browse/FLINK-21640
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Core, Client / Job Submission
>    Affects Versions: 1.12.2, 1.13.0
>            Reporter: Bo Cui
>            Assignee: Bo Cui
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2021-03-06-09-30-52-410.png, 
> image-2021-03-06-09-34-05-518.png
>
>
> Job fails to be submitted in tenant scenario
>  !image-2021-03-06-09-30-52-410.png! 
> because current user does not have the Znode permission.
>  !image-2021-03-06-09-34-05-518.png! 
> i think the parent znode acl is anyone.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to