e generic solution. Thanks!
> Tao Yang
>
>
> --
> 发件人:Rong Rong
> 发送时间:2018年12月19日(星期三) 03:06
> 收件人:dev
> 主 题:Re: [DISCUSS] Flink Kerberos Improvement
>
> Hi Shuyi,
>
> Yes. I think the impersonation is a very
some work on this and hope it can help for finding
a more generic solution. Thanks!
Tao Yang
--
发件人:Rong Rong
发送时间:2018年12月19日(星期三) 03:06
收件人:dev
主 题:Re: [DISCUSS] Flink Kerberos Improvement
Hi Shuyi,
Yes. I think the impersonation
Hi Stephan,
This proposal is an extension of @shuyi's initial improvement specifically
to tackle Kerberos related issues.
However in order for this extension to work, some of the original
components proposed are required (such as the service provider pattern for
security factories).
Thanks,
Rong
Hi all!
A quick question: Is this a special case of the security improvements
proposed in this thread [1], or a separate proposal all together?
Stephan
[1]
http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Flink-security-improvements-td21068.html
On Tue, Dec 18, 2018 at 8:0
Hi Shuyi,
Yes. I think the impersonation is a very much valid question! This can
actually be considered as 2 questions as I stated in the doc.
1. In the doc I stated that impersonation should be implemented on the
user-side code and should only invoke the cluster client as the actual user
joe'.
2.
Hi Rong, thanks a lot for the proposal. Currently, Flink assume the keytab
is located in a remote DFS. Pre-installing Keytabs statically in YARN node
local filesystem is a common approach, so I think we should support this
mode in Flink natively. As an optimazation to reduce the KDC access
frequenc
Hi All,
We have been experimenting integration of Kerberos with Flink in our Corp
environment and found out some limitations on the current Flink-Kerberos
security mechanism running with Apache YARN.
Based on the Hadoop Kerberos security guide [1]. Apparently there are only
a subset of the sugges
