[
https://issues.apache.org/jira/browse/FLINK-3699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15297875#comment-15297875
]
Stefano Baghino commented on FLINK-3699:
----------------------------------------
Hi Eron; I concur with your opinion. Thanks for taking the time and making the
effort to organize the work to be done in order to improve this aspect of
Flink. Unfortunately I'm not able to work on this issue right now, so I'm
switching it to unassigned. This issue can be used to track progress toward
this goal while the much finer grained tasks you reported are being worked on.
> Allow per-job Kerberos authentication
> --------------------------------------
>
> Key: FLINK-3699
> URL: https://issues.apache.org/jira/browse/FLINK-3699
> Project: Flink
> Issue Type: Improvement
> Components: JobManager, Scheduler, TaskManager, YARN Client
> Affects Versions: 1.0.0
> Reporter: Stefano Baghino
> Labels: kerberos, security, yarn
>
> Currently, authentication in a secure ("Kerberized") environment is performed
> once as a standalone cluster or a YARN session is started up. This means that
> jobs submitted will all be executed with the privileges of the user that
> started up the cluster. This is reasonable in a lot of situations but
> disallows a fine control over ACLs when Flink is involved.
> Adding a way for each job submission to be independently authenticated would
> allow each job to run with the privileges of a specific user, enabling much
> more granular control over ACLs, in particular in the context of existing
> secure cluster setups.
> So far, a known workaround to this limitation (at least when running on YARN)
> is to run a per-job cluster as a specific user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
