git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[DISCUSS] Flink Kerberos Improvement


Hi All,

We have been experimenting integration of Kerberos with Flink in our Corp
environment and found out some limitations on the current Flink-Kerberos
security mechanism running with Apache YARN.

Based on the Hadoop Kerberos security guide [1]. Apparently there are only
a subset of the suggested long-running service security mechanism is
supported in Flink. Furthermore, the current model does not work well with
superuser impersonating actual users [2] for deployment purposes, which is
a widely adopted way to launch application in corp environments.

We would like to propose an improvement [3] to introduce the other comment
methods [1] for securing long-running application on YARN and enable
impersonation mode. Any comments and suggestions are highly appreciated.

Many thanks,
Rong

[1]
https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html#Securing_Long-lived_YARN_Services
[2]
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html
[3]
https://docs.google.com/document/d/1rBLCpyQKg6Ld2P0DEgv4VIOMTwv4sitd7h7P5r202IE/edit?usp=sharing