Our scenario is to enable a specific Kerberos to impersonate any Kerberos in a 
specific group, this is enabled the in hdfs configuration. That Kerberos does 
not need to be root, just a Kerberos allowed to impersonate that users in that 
group.

We want the job to access HDFS as the impersonated Kerberos, not the one that 
launched it. We do this with our MR jobs but simply impersonating in the driver 
and all the mappers/reduces run correctly and use the impersonate user active 
when the job was submitted. We expected flink to work similarly and found the 
issue.

We do this without the keytab for that user, if we had it, we wouldn’t need to 
impersonate if you see what I mean.

So, what kind of changes would be needed where to implement this function, 
happy to do the patch to enable this behavior.

Billy


From: Eron Wright [mailto:eronwri...@gmail.com]
Sent: Monday, October 23, 2017 4:53 PM
To: Chan, Regina [Tech]
Cc: user@flink.apache.org
Subject: Re: Impersonation support in Flink

Hello,
Flink does initialize the process-wide login user, using the UGI's Kerberos 
login method.  It doesn't support proxy user at the moment.   Let's dig into 
the scenario a bit to see how best to support it.

As you know, the proxy user functionality of Hadoop allows a process that has 
superuser credentials to impersonate a normal user when making remote calls to 
HDFS and other remote services.    A possible scenario would be, the Flink 
cluster has a superuser account and accesses HDFS on behalf of someone.   Keep 
in mind that job code runs with full trust within the JM/TM, and would have 
access to the superuser keytab.   Does that sound like your scenario?

Proxy user support would not facilitate the scenario of running a user's job 
code such that the job accesses HDFS as that user.   The only way to support 
that scenario is by launching the cluster using that user's keytab.

I hope this helps,
Eron

On Mon, Oct 23, 2017 at 10:52 AM, Chan, Regina 
<regina.c...@gs.com<mailto:regina.c...@gs.com>> wrote:
Hi folks,

Is Flink is able to do impersonation using UserGroupInformation? How do we make 
all the tasks run with this in a way that we wouldn’t have to do it per task?


UserGroupInformation ugi = UserGroupInformation.createProxyUser( proxyUser, 
UserGroupInformation.getLoginUser());
PrivilegedExceptionAction<Void> iAction = new PrivilegedExceptionAction<Void>()
{
public Void run() throws Exception
{
              action.run();
              return null;
       }
};
ugi.doAs(iAction);



Regina Chan
Goldman Sachs – Enterprise Platforms, Data Architecture
30 Hudson Street, 37th floor | Jersey City, NY 
07302<https://urldefense.proofpoint.com/v2/url?u=https-3A__maps.google.com_-3Fq-3D30-2BHudson-2BStreet-2C-2B37th-2Bfloor-2B-257C-2BJersey-2BCity-2C-2BNY-2B07302-250D-2B-28-25C2-25A0-2B-28212-26entry-3Dgmail-26source-3Dg&d=DwMFaQ&c=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4&r=rlkM70D3djmDN7dGPzzbVKG26ShcTFDMKlX5AWucE5Q&m=ZeDE52hr-zVl4Qjl1El1KhVbTkJEdJstVisdyaaqbrs&s=rN_ceG5mzqTClLiso3EBYH1DwUi9Sh_EZyszNwdm_Q4&e=>
 
•<https://urldefense.proofpoint.com/v2/url?u=https-3A__maps.google.com_-3Fq-3D30-2BHudson-2BStreet-2C-2B37th-2Bfloor-2B-257C-2BJersey-2BCity-2C-2BNY-2B07302-250D-2B-28-25C2-25A0-2B-28212-26entry-3Dgmail-26source-3Dg&d=DwMFaQ&c=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4&r=rlkM70D3djmDN7dGPzzbVKG26ShcTFDMKlX5AWucE5Q&m=ZeDE52hr-zVl4Qjl1El1KhVbTkJEdJstVisdyaaqbrs&s=rN_ceG5mzqTClLiso3EBYH1DwUi9Sh_EZyszNwdm_Q4&e=>
  (212) 902-5697<tel:(212)%20902-5697>


Reply via email to