flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eron Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-7860) Support YARN proxy user in Flink (impersonation)
Date Fri, 22 Dec 2017 18:54:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16301806#comment-16301806
] 

Eron Wright  commented on FLINK-7860:
-------------------------------------

Regarding how a proxy user would be configured, the goal is to set the login user to a proxy
user UGI that wraps the kerberos (real) UGI. The real UGI must continue to be initialized
using a keytab as normal.  Rather than introduce new config settings, Flink could simply make
use of Hadoop's built-in `HADOOP_PROXY_USER` environment variable.

I suggest that Flink simply propagate the `HADOOP_PROXY_USER` variable to the AM/TM.   Then,
in `org.apache.flink.runtime.security.modules.HadoopModule`, wrap the `loginUser` with a proxy-user
UGI when `HADOOP_PROXY_USER` is set and then call `UGI.setLoginUser`.  This need only be done
in the `loginUserFromKeytab` scenario, not in the `loginUserFromSubject` scenario since `loginUserFromSubject`
already does exactly that.


> Support YARN proxy user in Flink (impersonation)
> ------------------------------------------------
>
>                 Key: FLINK-7860
>                 URL: https://issues.apache.org/jira/browse/FLINK-7860
>             Project: Flink
>          Issue Type: New Feature
>          Components: YARN
>            Reporter: Shuyi Chen
>            Assignee: Shuyi Chen
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message