[
https://issues.apache.org/jira/browse/FLINK-29362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17620868#comment-17620868
]
Lijie Wang commented on FLINK-29362:
------------------------------------
I will close this issue because it's a duplicate of FLINK-12130.
> Allow loading dynamic config for kerberos authentication in CliFrontend
> -----------------------------------------------------------------------
>
> Key: FLINK-29362
> URL: https://issues.apache.org/jira/browse/FLINK-29362
> Project: Flink
> Issue Type: Improvement
> Components: Command Line Client
> Reporter: Biao Geng
> Priority: Major
>
> In the
> [code|https://github.com/apache/flink/blob/97f5a45cd035fbae37a7468c6f771451ddb4a0a4/flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontend.java#L1167],
> Flink's client will try to
> {{SecurityUtils.install(new SecurityConfiguration(cli.configuration));}}
> with configs (e.g. {{security.kerberos.login.principal}} and
> {{security.kerberos.login.keytab}}) from only flink-conf.yaml.
> If users specify the above 2 configs via the -D option, it will not work, as
> {{cli.parseAndRun(args)}} will be executed after installing security configs
> from flink-conf.yaml.
> However, if a user specifies principal A in the client's flink-conf.yaml and
> uses the -D option to specify principal B, the launched YARN container will
> use principal B though the job is submitted on the client end with principal A.
> Such behavior can be misleading, as Flink provides 2 ways to set a config but
> does not keep consistency between client and cluster. It also influences users
> who want to use Flink with Kerberos, as they must modify flink-conf.yaml if
> they want to use another Kerberos user.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
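A pre-submission check for the mismatch described in the issue, as an added example that is not part of the Jira message or of Flink's code: it compares the Kerberos keys in flink-conf.yaml with any `-D` overrides on the command line and reports where the client and the cluster would end up with different values. It assumes the flat `key: value` layout of flink-conf.yaml and the `-Dkey=value` / `-D key=value` option forms; the function names and the sample principals and paths are constructed for illustration.

```python
# Keys named in the issue; per the report, the client installs these from flink-conf.yaml only.
KERBEROS_KEYS = ("security.kerberos.login.principal", "security.kerberos.login.keytab")

def parse_flink_conf(text):
    """Parse flat 'key: value' lines of a flink-conf.yaml, dropping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_dynamic_props(args):
    """Collect -Dkey=value and '-D key=value' options; the last occurrence wins."""
    props = {}
    it = iter(args)
    for arg in it:
        if arg == "-D":                      # value is carried by the next argument
            arg = "-D" + next(it, "")
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value
    return props

def kerberos_mismatches(conf_text, args):
    """Return {key: (client_value, cluster_value)} where a -D override differs from the file."""
    conf = parse_flink_conf(conf_text)
    dyn = parse_dynamic_props(args)
    return {key: (conf.get(key), dyn[key])
            for key in KERBEROS_KEYS
            if key in dyn and dyn[key] != conf.get(key)}

# Constructed sample input: principal A in the file, principal B via -D.
SAMPLE_CONF = """\
# constructed flink-conf.yaml
security.kerberos.login.principal: userA@EXAMPLE.COM
security.kerberos.login.keytab: /etc/security/userA.keytab
"""
SAMPLE_ARGS = ["run", "-t", "yarn-per-job",
               "-Dsecurity.kerberos.login.principal=userB@EXAMPLE.COM",
               "-D", "security.kerberos.login.keytab=/etc/security/userA.keytab",
               "job.jar"]

if __name__ == "__main__":
    for key, (client, cluster) in kerberos_mismatches(SAMPLE_CONF, SAMPLE_ARGS).items():
        print(f"{key}: client logs in with {client!r}, cluster is configured with {cluster!r}")
```

Running the check in a submission wrapper and refusing to continue on a non-empty result keeps the identity used on the client and the one used in the YARN container from silently diverging.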