flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tzu-Li (Gordon) Tai (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FLINK-6713) Document how to allow multiple Kafka consumers / producers to authenticate using different credentials
Date Thu, 25 May 2017 04:12:04 GMT

     [ https://issues.apache.org/jira/browse/FLINK-6713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Tzu-Li (Gordon) Tai updated FLINK-6713:
---------------------------------------
    Description: 
The doc improvements should include:

1. Clearly state that the built-in JAAS security module in Flink is a JVM process-wide static
JAAS file installation (all static JAAS files are, not Flink specific), and therefore only
allows all Kafka consumers and producers in a single JVM (and therefore the whole job, since
we do not allow assigning operators to specific slots) to authenticate as one single user.

2. If Kerberos authentication is used: self-ship multiple keytab files, and use Kafka's dynamic
JAAS configuration through client properties to point to separate keytabs for each consumer
/ producer. Note that ticket cache would never work for multiple authentications.

3. If plain simple login is used: Kafka's dynamic JAAS configuration should be used (and is
the only way to do so).

  was:
The doc improvements should include:

1. Clearly state that the built-in JAAS security module in Flink is a JVM process-wide static
JAAS file installation (all static JAAS files are, not Flink specific), and therefore only
allows all Kafka consumers and producers in a single JVM (and therefore the whole job, since
we do not allow assigning operators to specific slots) to authenticate as one single user.

2. If Kerberos authentication is used, 2 approaches: 1) with Flink's built-in Kerberos support,
multiple user principals need to be merged as a single keytab, or 2) self-ship multiple keytab
files, and use Kafka's dynamic JAAS configuration through client properties to point to separate
keytabs for each consumer / producer. Note that ticket cache would never work for multiple
authentications.

3. If plain simple login is used: Kafka's dynamic JAAS configuration should be used (and is
the only way to do so).


> Document how to allow multiple Kafka consumers / producers to authenticate using different
credentials
> ------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-6713
>                 URL: https://issues.apache.org/jira/browse/FLINK-6713
>             Project: Flink
>          Issue Type: Improvement
>          Components: Documentation, Kafka Connector
>            Reporter: Tzu-Li (Gordon) Tai
>            Assignee: Tzu-Li (Gordon) Tai
>
> The doc improvements should include:
> 1. Clearly state that the built-in JAAS security module in Flink is a JVM process-wide
static JAAS file installation (all static JAAS files are, not Flink specific), and therefore
only allows all Kafka consumers and producers in a single JVM (and therefore the whole job,
since we do not allow assigning operators to specific slots) to authenticate as one single
user.
> 2. If Kerberos authentication is used: self-ship multiple keytab files, and use Kafka's
dynamic JAAS configuration through client properties to point to separate keytabs for each
consumer / producer. Note that ticket cache would never work for multiple authentications.
> 3. If plain simple login is used: Kafka's dynamic JAAS configuration should be used (and
is the only way to do so).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message