[jira] [Commented] (FLINK-3929) Support for Kerberos Authentication with Keytab Credential

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/FLINK-3929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15395809#comment-15395809
 ] 

ASF GitHub Bot commented on FLINK-3929:
---------------------------------------

Github user mxm commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2275#discussion_r72456655
  
    --- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/YarnTaskManagerRunner.java ---
    @@ -75,34 +84,47 @@ public static void runYarnTaskManager(String[] args, 
final Class<? extends YarnT
                                "specified in the Flink config: " + 
flinkTempDirs);
                }
     
    -           LOG.info("YARN daemon runs as '" + 
UserGroupInformation.getCurrentUser().getShortUserName() +
    -                   "' setting user to execute Flink TaskManager to '" + 
yarnClientUsername + "'");
    -
                // tell akka to die in case of an error
                
configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true);
     
    -           UserGroupInformation ugi = 
UserGroupInformation.createRemoteUser(yarnClientUsername);
    -           for (Token<? extends TokenIdentifier> toks : 
UserGroupInformation.getCurrentUser().getTokens()) {
    -                   ugi.addToken(toks);
    +           String keytabPath = null;
    +           if(remoteKeytabPath != null) {
    +                   File f = new File(currDir, 
ConfigConstants.KEYTAB_FILE_NAME);
    --- End diff --
    
    We should choose an internal unique name for the keytab file. We can 
transfer the name via the Yarn environment variables.


> Support for Kerberos Authentication with Keytab Credential
> ----------------------------------------------------------
>
>                 Key: FLINK-3929
>                 URL: https://issues.apache.org/jira/browse/FLINK-3929
>             Project: Flink
>          Issue Type: New Feature
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: kerberos, security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data 
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
>  design doc._
> Add support for a keytab credential to be associated with the Flink cluster, 
> to facilitate:
> - Kerberos-authenticated data access for connectors
> - Kerberos-authenticated ZooKeeper access
> Support both the standalone and YARN deployment modes.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)