Biao Geng created FLINK-29362: --------------------------------- Summary: Allow loading dynamic config for kerberos authentication in CliFrontend Key: FLINK-29362 URL: https://issues.apache.org/jira/browse/FLINK-29362 Project: Flink Issue Type: Improvement Components: Command Line Client Reporter: Biao Geng
In the [code|https://github.com/apache/flink/blob/97f5a45cd035fbae37a7468c6f771451ddb4a0a4/flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontend.java#L1167], Flink's client will try to {{SecurityUtils.install(new SecurityConfiguration(cli.configuration));}} with configs(e.g. {{security.kerberos.login.principal}} and {{security.kerberos.login.keytab}}) from only flink-conf.yaml. If users specify the above 2 config via -D option, it will not work as {{cli.parseAndRun(args)}} will be executed after installing security configs from flink-conf.yaml. However, if a user specify principal A in client's flink-conf.yaml and use -D option to specify principal B, the launched YARN container will use principal B though the job is submitted in client end with principal A. Such behavior can be misleading as Flink provides 2 ways to set a config but does not keep consistency between client and cluster. It also influence users who want use flink with kerberos as they must modify flink-conf.yaml if they want to use another kerberos user. -- This message was sent by Atlassian Jira (v8.20.10#820010)