It sounds good to me. If your job keeps running (longer than the
expiration time), I think it implies that Krb5LoginModule will use
your newly generated cache. It's my pleasure to help you.
Best,
Yangze Guo
On Mon, Jun 1, 2020 at 10:47 PM Nick Bendtner wrote:
>
> Hi Guo,
> The auto renewal happe
Hi Guo,
The auto renewal happens fine, however I want to generate a new ticket with
a new renew until period so that the job can run longer than 7 days, I am
talking about the second paragraph your email, I have set a custom cache by
setting KRB5CCNAME . Just want to make sure that Krb5LoginModule
Hi, Nick.
Do you mean that you manually execute "kinit -R" to renew the ticket cache?
If that is the case, Flink already sets the "renewTGT" to true. If
everything is ok, you do not need to do it yourself. However, it seems
this mechanism has a bug and this bug is not fixed in all JDK
versions. Pl
Hi Guo,
Thanks again for your inputs. If I periodically renew the kerberos
cache using an external process(kinit) on all flink nodes in standalone
mode, will the cluster still be short lived or will the new ticket in the
cache be used and the cluster can live till the end of the new expiry ?
Best,
Yes, you can use kinit. But AFAIK, if you deploy Flink on Kubernetes
or Mesos, Flink will not ship the ticket cache. If you deploy Flink on
Yarn, Flink will acquire delegation tokens with your ticket cache and
set tokens for job manager and task executor. As the document said,
the main drawback is
Hi Guo,
Even for HDFS I don't really need to set "security.kerberos.login.contexts"
. As long as there is the right ticket in the ticket cache before starting
the flink cluster it seems to work fine. I think even [4] from your
reference seems to do the same thing. I have defined own ticket
cache sp
Hi, Nick,
>From my understanding, if you configure the
"security.kerberos.login.keytab", Flink will add the
AppConfigurationEntry of this keytab to all the apps defined in
"security.kerberos.login.contexts". If you define
"java.security.auth.login.config" at the same time, Flink will also
keep the
Hi guys,
Is there any difference in providing kerberos config to the flink jvm using
this method in the flink configuration?
env.java.opts: -Dconfig.resource=qa.conf
-Djava.library.path=/usr/mware/flink-1.7.2/simpleapi/lib/
-Djava.security.auth.login.config=/usr/mware/flink-1.7.2/Jaas/kafka-jaas.
