flink-dev mailing list archives

From "Stefano Baghino (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FLINK-3699) Allow per-job Kerberos authentication
Date Tue, 05 Apr 2016 08:20:25 GMT
Stefano Baghino created FLINK-3699:
--------------------------------------

             Summary: Allow per-job Kerberos authentication 
                 Key: FLINK-3699
                 URL: https://issues.apache.org/jira/browse/FLINK-3699
             Project: Flink
          Issue Type: Improvement
          Components: JobManager, Scheduler, TaskManager, YARN Client
    Affects Versions: 1.0.0
            Reporter: Stefano Baghino


Currently, authentication in a secure ("Kerberized") environment is performed once as a standalone
cluster or a YARN session is started up. This means that jobs submitted will all be executed
with the privileges of the user that started up the cluster. This is reasonable in a lot of
situations but disallows fine control over ACLs when Flink is involved.

Adding a way for each job submission to be independently authenticated would allow each job
to run with the privileges of a specific user, enabling much more granular control over ACLs,
in particular in the context of existing secure cluster setups.

So far, a known workaround to this limitation (at least when running on YARN) is to run a
per-job cluster as a specific user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
