[ 
https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013767#comment-17013767
 ] 

John Lonergan commented on FLINK-3929:
--------------------------------------

This approach alone doesn't consider the impact of password changes on the 
Kerberos keytab and session. 
I imagine many apps exist in envs where a password must be rolled every so 
often. 

When this happens then the distributed keytab will be invalidated and the job 
will fail. 
What options are there to avoid this failure?
In general we have to assume that a process beyond our control will periodically 
roll the password and there will be no notification to our job.

Therefore presumably our job needs to either be able to attempt recovery from 
this (a just in time attempt at recreating the keytab) or we need a process 
that preemptively refreshes the keytab so that the next call to 
UserGroupInformation.loginFromKeytab in the HDFS client (or wherever) causes 
the new keytab to be loaded.

And of course this will depend on the coding of the client lib to cooperate 
with the refresh of the keytab.

What is the scheme for long running considering password rolls?



> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
>                 Key: FLINK-3929
>                 URL: https://issues.apache.org/jira/browse/FLINK-3929
>             Project: Flink
>          Issue Type: New Feature
>          Components: Runtime / Coordination
>            Reporter: Eron Wright
>            Assignee: Vijay Srinivasaraghavan
>            Priority: Major
>              Labels: kerberos, security
>             Fix For: 1.2.0
>
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data 
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
>  design doc._
> Add support for a keytab credential to be associated with the Flink cluster, 
> to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
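The two recovery options the comment raises (a preemptive keytab refresh, and a just-in-time re-login when a client call fails) can both be built on the Hadoop `UserGroupInformation` API the comment mentions. The following is an added illustration, not Flink's own code and not part of the Jira thread. It assumes that some external rotation process (outside this code) regenerates the keytab file at the same path after each password roll; the principal name and keytab path used here are placeholders. The watcher thread re-logins whenever that file is replaced, and `callWithRelogin` retries a client operation once after a fresh login if it fails with an `IOException`.

```java
import org.apache.hadoop.security.UserGroupInformation;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example (not Flink code): keeps a long-running job's Kerberos login
 * usable across password rolls, given that an external process rewrites the
 * keytab at KEYTAB_PATH with the new key version after each roll.
 */
public final class KeytabRefreshWatcher implements Runnable {
    // Placeholder values; in a real deployment these come from configuration.
    static final String PRINCIPAL = "flink/host.example.invalid@EXAMPLE.INVALID";
    static final Path KEYTAB_PATH = Paths.get("/etc/security/keytabs/flink.keytab");

    private final AtomicLong reloginCount = new AtomicLong();

    /** Fresh login from the keytab currently on disk; replaces stale credentials. */
    void relogin() throws IOException {
        // loginUserFromKeytab reads the file again, so a regenerated keytab
        // (new kvno) takes effect for subsequent Hadoop client calls.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB_PATH.toString());
        reloginCount.incrementAndGet();
    }

    long getReloginCount() {
        return reloginCount.get();
    }

    /** Option 1: preemptive refresh, triggered by the keytab file being replaced. */
    @Override
    public void run() {
        try (WatchService ws = KEYTAB_PATH.getFileSystem().newWatchService()) {
            KEYTAB_PATH.getParent().register(ws,
                    StandardWatchEventKinds.ENTRY_CREATE,
                    StandardWatchEventKinds.ENTRY_MODIFY);
            while (!Thread.currentThread().isInterrupted()) {
                WatchKey key = ws.take();
                for (WatchEvent<?> ev : key.pollEvents()) {
                    // Only react to our keytab, not to other files in the directory.
                    if (KEYTAB_PATH.getFileName().equals(ev.context())) {
                        relogin();
                    }
                }
                if (!key.reset()) {
                    break; // directory no longer watchable
                }
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } catch (IOException e) {
            // Surface to the job's failure handling; a silent failure here would
            // leave the job running on credentials that will stop working.
            throw new IllegalStateException("keytab refresh failed", e);
        }
    }

    /** Option 2: just-in-time recovery around a single client operation. */
    <T> T callWithRelogin(Callable<T> op) throws Exception {
        try {
            // Also renews an expiring TGT from the keytab before the call.
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
            return op.call();
        } catch (IOException first) {
            relogin();          // pick up a rotated keytab, then retry exactly once
            return op.call();
        }
    }

    public static void main(String[] args) throws Exception {
        KeytabRefreshWatcher watcher = new KeytabRefreshWatcher();
        watcher.relogin();                               // initial login
        Thread t = new Thread(watcher, "keytab-watcher");
        t.setDaemon(true);
        t.start();
        // A client operation would be wrapped like this (placeholder body):
        watcher.callWithRelogin(() -> "ok");
    }
}
```

Two caveats this sketch does not solve: the keytab must actually be regenerated by whatever process knows the new password, and in a Flink deployment the refreshed file has to reach every TaskManager, not just the node running the watcher. The retry in `callWithRelogin` is deliberately limited to one attempt so that a genuinely broken keytab fails the job rather than looping.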
