Hello,
Flink does initialize the process-wide login user, using the UGI's Kerberos
login method. It doesn't support proxy user at the moment. Let's dig
into the scenario a bit to see how best to support it.
As you know, the proxy user functionality of Hadoop allows a process that
has superuser credentials to impersonate a normal user when making remote
calls to HDFS and other remote services. A possible scenario would be,
the Flink cluster has a superuser account and accesses HDFS on behalf of
someone. Keep in mind that job code runs with full trust within the
JM/TM, and would have access to the superuser keytab. Does that sound
like your scenario?
Proxy user support would not facilitate the scenario of running a user's
job code such that the job accesses HDFS as that user. The only way to
support that scenario is by launching the cluster using that user's keytab.
I hope this helps,
Eron
On Mon, Oct 23, 2017 at 10:52 AM, Chan, Regina <regina.c...@gs.com> wrote:
> Hi folks,
>
>
>
> Is Flink is able to do impersonation using UserGroupInformation? How do we
> make all the tasks run with this in a way that we wouldn’t have to do it
> per task?
>
>
>
>
>
> UserGroupInformation ugi = UserGroupInformation.*createProxyUser*(
> proxyUser, UserGroupInformation.*getLoginUser*());
>
> PrivilegedExceptionAction<Void> iAction = *new*
> PrivilegedExceptionAction<Void>()
>
>
> {
>
> *public* Void run() *throws* Exception
>
> {
>
> action.run();
>
> *return* *null*;
>
> }
>
> };
>
> ugi.doAs(iAction);
>
>
>
>
>
>
>
> *Regina Chan*
>
> *Goldman Sachs* *–* Enterprise Platforms, Data Architecture
>
> *30 Hudson Street, 37th floor | Jersey City, NY 07302
> <https://maps.google.com/?q=30+Hudson+Street,+37th+floor+%7C+Jersey+City,+NY+07302%0D+(%C2%A0+(212&entry=gmail&source=g>*
> (
> <https://maps.google.com/?q=30+Hudson+Street,+37th+floor+%7C+Jersey+City,+NY+07302%0D+(%C2%A0+(212&entry=gmail&source=g>
> (212) 902-5697
>
>
>
