flink-commits mailing list archives

From m..@apache.org
Subject flink git commit: [docs] add information on how to use Kerberos
Date Fri, 23 Oct 2015 16:20:48 GMT
Repository: flink
Updated Branches:
  refs/heads/release-0.9 ab694a3b2 -> 2b5f88a4b

[docs] add information on how to use Kerberos

Project: http://git-wip-us.apache.org/repos/asf/flink/repo
Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/2b5f88a4
Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/2b5f88a4
Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/2b5f88a4

Branch: refs/heads/release-0.9
Commit: 2b5f88a4b86dd61502931b8e149a761ff9c9318d
Parents: ab694a3
Author: Maximilian Michels <mxm@apache.org>
Authored: Fri Oct 23 18:13:13 2015 +0200
Committer: Maximilian Michels <mxm@apache.org>
Committed: Fri Oct 23 18:20:14 2015 +0200

 docs/setup/config.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/setup/config.md b/docs/setup/config.md
index 4f7378d..c2373f6 100644
--- a/docs/setup/config.md
+++ b/docs/setup/config.md
@@ -326,6 +326,30 @@ to set the JM host:port manually. It is recommended to leave this option
at 1.
 ## Background
+### Kerberos
+Flink supports Kerberos authentication of Hadoop services such as HDFS, YARN,
+or HBase.
+While Hadoop uses Kerberos tickets to authenticate users with services
+initially, the authentication process continues differently afterwards. Instead
+of saving the ticket to authenticate on a later access, Hadoop creates its own
+security tockens (DelegationToken) that it passes around. These are
+authenticated to Kerberos periodically but are independent of the token renewal
+time. The tokens have a maximum life span identical to the Kerberos ticket maximum life
+Please make sure to set the maximum ticket life span high long running
+jobs. The renewal time of the ticket, on the other hand, is not important
+because Hadoop abstracts this away using its own security tocken renewal
+system. Hadoop makes sure that tickets are renewed in time and you can be sure
+to be authenticated until the end of the ticket life time.
+If you are on YARN, then it is sufficient to authenticate the client with
+Kerberos. On a Flink standalone cluster you need to ensure that, initially, all
+nodes are authenticated with Kerberos using the `kinit` tool.
 ### Configuring the Network Buffers
 Network buffers are a critical resource for the communication layers. They are
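Review bot: The sentence ending "identical to the Kerberos ticket maximum life" in the first added paragraph is cut off before "Please make sure" (it lacks "span." or similar), and the next sentence, "set the maximum ticket life span high long running jobs", is missing "for". "tockens" and "tocken" should read "tokens" and "token". On content, "These are authenticated to Kerberos periodically but are independent of the token renewal time" does not say whether the ticket's or the delegation token's renewal time is meant. The advice that follows depends on the difference between ticket maximum life and ticket renewal time, so name the one intended. In the standalone-cluster paragraph, consider stating which OS user has to run `kinit` on each node (an assumption on my side: the user that starts the Flink processes) and what a long-running job should expect once the ticket reaches its maximum life, since the text only covers the initial authentication.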
