Hi All,

We have been experimenting with the integration of Kerberos with Flink in our corp environment and found some limitations in the current Flink-Kerberos security mechanism running with Apache YARN.

Based on the Hadoop Kerberos security guide [1], apparently only a subset of the suggested long-running service security mechanisms is supported in Flink. Furthermore, the current model does not work well with a superuser impersonating actual users [2] for deployment purposes, which is a widely adopted way to launch applications in corp environments.

We would like to propose an improvement [3] to introduce the other common methods [1] for securing long-running applications on YARN and to enable impersonation mode.

Any comments and suggestions are highly appreciated.

Many thanks,
Rong

[1] https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
[2] https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
[3] https://docs.google.com/document/d/1rBLCpyQKg6Ld2P0DEgv4VIOMTwv4sitd7h7P5r202IE/edit?usp=sharing