Biao Geng created FLINK-29362:
---------------------------------
Summary: Allow loading dynamic config for kerberos authentication
in CliFrontend
Key: FLINK-29362
URL: https://issues.apache.org/jira/browse/FLINK-29362
Project: Flink
Issue Type: Improvement
Components: Command Line Client
Reporter: Biao Geng
In the
[code|https://github.com/apache/flink/blob/97f5a45cd035fbae37a7468c6f771451ddb4a0a4/flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontend.java#L1167],
Flink's client will try to {{SecurityUtils.install(new
SecurityConfiguration(cli.configuration));}} with configs(e.g.
{{security.kerberos.login.principal}} and {{security.kerberos.login.keytab}})
from only flink-conf.yaml.
If users specify the above 2 config via -D option, it will not work as
{{cli.parseAndRun(args)}} will be executed after installing security configs
from flink-conf.yaml.
However, if a user specify principal A in client's flink-conf.yaml and use -D
option to specify principal B, the launched YARN container will use principal B
though the job is submitted in client end with principal A.
Such behavior can be misleading as Flink provides 2 ways to set a config but
does not keep consistency between client and cluster. It also influence users
who want use flink with kerberos as they must modify flink-conf.yaml if they
want to use another kerberos user.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
