[
https://issues.apache.org/jira/browse/FLINK-4287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15401866#comment-15401866
]
Niels Basjes commented on FLINK-4287:
-------------------------------------
Because of the extensive work being done in FLINK-3929 I'm skipping the part
about calling UserGroupInformation.loginUserFromKeytab
> Unable to access secured HBase from a yarn-session.
> ---------------------------------------------------
>
> Key: FLINK-4287
> URL: https://issues.apache.org/jira/browse/FLINK-4287
> Project: Flink
> Issue Type: Improvement
> Components: YARN Client
> Affects Versions: 1.0.3
> Reporter: Niels Basjes
> Assignee: Niels Basjes
>
> When I start {{yarn-session.sh -n1}} against a Kerberos secured Yarn+HBase
> cluster I see this in the messages:
> {quote}
> 2016-08-01 09:53:01,763 INFO org.apache.flink.yarn.Utils
> - Attempting to obtain Kerberos security token for HBase
> 2016-08-01 09:53:01,763 INFO org.apache.flink.yarn.Utils
> - HBase is not available (not packaged with this application):
> ClassNotFoundException : "org.apache.hadoop.hbase.HBaseConfiguration".
> {quote}
> as a consequence it has become impossible to access a secured HBase from this
> yarn session.
> From what I see now at least two things need to be done:
> # Add all relevant HBase parts to the yarn-session.sh scripting.
> # Add an optional option to pass principle and keytab file so the session can
> last longer than the time the Kerberos tickets last. (i.e pass these
> parameters into a call to {{UserGroupInformation.loginUserFromKeytab(user,
> keytabFile);}})
> I do see that this would leave an important problem open:
> This yarnsession is accessible by everyone on the cluster and as a
> consequence they can run jobs in there that can access all data I have access
> to. Perhaps this should be a separate jira issue?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
