[
https://issues.apache.org/jira/browse/FLINK-11088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rong Rong updated FLINK-11088:
------------------------------
Fix Version/s: 1.11.0
> Allow pre-install Kerberos authentication keytab discovery on YARN
> ------------------------------------------------------------------
>
> Key: FLINK-11088
> URL: https://issues.apache.org/jira/browse/FLINK-11088
> Project: Flink
> Issue Type: Sub-task
> Components: Deployment / YARN
> Reporter: Rong Rong
> Assignee: Rong Rong
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.11.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently flink-yarn assumes keytab is shipped as application master
> environment local resource on client side and will be distributed to all the
> TMs. This does not work for YARN proxy user mode [1] since proxy user or
> super user might not have access to actual users' keytab, but can request
> delegation tokens on users' behalf.
> Based on the type of security options for long-living YARN service[2], we
> propose to have the keytab file path discovery configurable depending on the
> launch mode of the YARN client.
> Reference:
> [1]
> https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
> [2]
> https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
