Hi,

At present, Flink distributes keytabs via YARN to the nodes that are running a Flink job, and this might be a potential security problem. I’ve read FLINK-3670 and the corresponding mailing list discussions, and I think a more appropriate implementation would be like Spark’s: regenerate delegation tokens in the AM, and the containers just get the generated delegation token instead of the whole keytab.

Also, I noticed that Dispatcher was introduced in FLIP-6 and one of its functions is acquiring the user’s authentication tokens. So, my question is, is delegation token regeneration part of FLIP-6? If not, would it be supported in the future?

Best regards,
Paul Lam