liangrui198 opened a new pull request, #27795: URL: https://github.com/apache/flink/pull/27795

issues: [https://issues.apache.org/jira/browse/FLINK-39274](https://issues.apache.org/jira/browse/FLINK-39274)

## Contribution Checklist

Currently, when there are a large number of Flink batch tasks or short-term small tasks, the KDC is under excessive pressure, which causes the KDC service to become sluggish. The reason is that the TM of Flink does not reuse the TOKEN distributed by the JM, but re-logs in using the keytab. The code's judgment is relatively crude and direct, using whether the principal is null to determine whether to perform keytab login. However, the keytab configurations of JM and TM are shared, which is a conflict point here. If my Flink is a batch task and only accesses the HDFS service and requires Kerberos authentication, the TM does not need to perform the operations of logging in to the KDC and renewing the TOKEN at all. It can directly use the TOKEN downloaded by the JM.

## What is the purpose of the change

Add logical restrictions to prevent repeated login to the TM KDC. Since I clearly observed that JM has issued a valid token, it is reasonable to implement the same optimization effect as the Spark mechanism.

## Verifying this change

`HadoopModuleTest.java`

- add `keytabLoginDisabledShouldSkipKdcLogin` test
- add `keytabLoginEnabledByDefaultShouldPerformKdcLogin` test

## Does this pull request potentially affect one of the following parts:

`security.kerberos.login.keytab-login.enabled`

By default, it is set to true. The existing logic remains unchanged. Instead, it will be deactivated for those who need it.

## Documentation

- `flink\docs\content.zh\docs\deployment\security\security-kerberos.md`
- `flink\docs\content\docs\deployment\security\security-kerberos.md`

add `security.kerberos.login.keytab-login.enabled`
