Hi Junfan,

Thanks for investing your time to make this feature better.
I've had a look at FLINK-21700 and now I think I see your point (please
correct me if I misunderstood something).

According to the actual plans, *security.kerberos.fetch.delegation-token* is
intended to be removed because *security.kerberos.tokens.${provider}.enabled*
would provide more fine-grained possibilities.
However, this would not be super convenient from an Oozie perspective because
one must know all available token provider names (which may change over time)
to turn them all off. If I understand the problem well, then the mentioned
use-case justifies not removing *security.kerberos.fetch.delegation-token*.

I tend to agree with keeping the global flag and simplifying the external
token handling use-case from a config perspective.

Waiting on your opinion...

BR,
G


On Thu, Jan 13, 2022 at 3:42 AM 张俊帆 <zuston.sha...@gmail.com> wrote:

> Hi G,
>
> Thanks for starting the discussion. I think this is an important
> improvement for Flink.
> The proposal looks good to me. And I focus on one point.
>
> 1. I hope this keeps consistent with the current implementation; we rely
> on the config of 'security.kerberos.fetch.delegation-token' to submit
> Flink Batch Action in Oozie.
> More details can be found in FLINK-21700.
>
> Looking forward to your implementations.
>
> Best
> JunFan.
> On Jan 12, 2022, 4:03 AM +0800, Márton Balassi <balassi.mar...@gmail.com> wrote:
> > Hi G,
> >
> > Thanks for taking this challenge on. Scalable Kerberos authentication
> > support is important for Flink, and delegation tokens are a great mechanism
> > to future-proof this. I second your assessment that the existing
> > implementation could use some improvement too, and I like the approach you
> > have outlined. It is crucial that the changes are self-contained and will
> > not affect users that do not use Kerberos, while being minimal for the ones
> > who do (configuration values change, but the defaults just keep working in
> > most cases).
> >
> > Thanks,
> > Marton
> >
> > On Tue, Jan 11, 2022 at 2:59 PM Gabor Somogyi <gabor.g.somo...@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > Hope all of you have enjoyed the holiday season.
> > >
> > > I would like to start the discussion on FLIP-211
> > > <https://cwiki.apache.org/confluence/display/FLINK/FLIP-211%3A+Kerberos+delegation+token+framework>
> > > which aims to provide a Kerberos delegation token framework that
> > > /obtains/renews/distributes tokens out-of-the-box.
> > >
> > > Please be aware that the FLIP wiki area is not fully done since the
> > > discussion may change the feature in major ways. The proposal can be
> > > found in a google doc here
> > > <https://docs.google.com/document/d/1JzMbQ1pCJsLVz8yHrCxroYMRP2GwGwvacLrGyaIx5Yc/edit?fbclid=IwAR0vfeJvAbEUSzHQAAJfnWTaX46L6o7LyXhMfBUCcPrNi-uXNgoOaI8PMDQ>.
> > > As the community agrees on the approach the content will be moved to the
> > > wiki page.
> > >
> > > Feel free to add your thoughts to make this feature better!
> > >
> > > BR,
> > > G
> > >
>
