[
https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rong Rong updated FLINK-11088:
------------------------------
Summary: Allow pre-install Kerberos authentication keytab discovery on YARN
(was: Allow Pre-install Kerberos Authentication Keytab discovery on YARN)
> Allow pre-install Kerberos authentication keytab discovery on YARN
> ------------------------------------------------------------------
>
> Key: FLINK-11088
> URL: https://issues.apache.org/jira/browse/FLINK-11088
> Project: Flink
> Issue Type: Sub-task
> Components: Security, YARN
> Reporter: Rong Rong
> Assignee: Rong Rong
> Priority: Major
>
> Currently flink-yarn assumes keytab is shipped as application master
> environment local resource on client side and will be distributed to all the
> TMs. This does not work for YARN proxy user mode [1] since proxy user or
> super user might not have access to actual users' keytab, but can request
> delegation tokens on users' behalf.
> Based on the type of security options for long-living YARN service[2], we
> propose to have the keytab file path discovery configurable depending on the
> launch mode of the YARN client.
> Reference:
> [1]
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2]
> https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
