zuston edited a comment on pull request #15131: URL: https://github.com/apache/flink/pull/15131#issuecomment-818561960
@XComp Thanks for your reply.

> I'm still not comfortable with this change considering that it's not tested. Have you had the chance to check whether it works? Could you provide this manual test in a reproducible fashion (e.g. docker) or is this too much of an effort?

Sorry, I am not very familiar with the Flink code. Can you provide a link to a test case with Kerberos HDFS? I want to refer to it to add a test case.

**How to reproduce it?**

I think you can fetch an HDFS delegation token before submitting a Flink job on Yarn; it will throw an exception.

> Based on what I read about it, the issue is that Apache Oozie utilizes Apache Hadoop's ProxyUser which impersonates the actual user which has access to the actual data. I still don't understand why the delegation token fetching causes an error. Is it because the Flink job would be still submitted under the "normal" user instead of the Oozie user?

No. Oozie will submit the Flink job without a keytab and rely only on the delegation token to access HDFS. So when using Oozie to submit a job, Flink fetching a delegation token without a keytab by itself will throw an exception. And why does it cause these exceptions? It is limited by the Kerberos mechanism. Actually there is no need for Flink to fetch a token; Flink can use the token Oozie has fetched directly.
