flink-user mailing list archives

From Eron Wright <eronwri...@gmail.com>
Subject Re: Impersonation support in Flink
Date Mon, 23 Oct 2017 20:53:13 GMT
Hello,
Flink does initialize the process-wide login user, using the UGI's Kerberos
login method. It doesn't support proxy user at the moment. Let's dig
into the scenario a bit to see how best to support it.

As you know, the proxy user functionality of Hadoop allows a process that
has superuser credentials to impersonate a normal user when making remote
calls to HDFS and other remote services. A possible scenario would be,
the Flink cluster has a superuser account and accesses HDFS on behalf of
someone. Keep in mind that job code runs with full trust within the
JM/TM, and would have access to the superuser keytab. Does that sound
like your scenario?

Proxy user support would not facilitate the scenario of running a user's
job code such that the job accesses HDFS as that user. The only way to
support that scenario is by launching the cluster using that user's keytab.

I hope this helps,
Eron

On Mon, Oct 23, 2017 at 10:52 AM, Chan, Regina <Regina.Chan@gs.com> wrote:

> Hi folks,
>
> Is Flink able to do impersonation using UserGroupInformation? How do we
> make all the tasks run with this in a way that we wouldn’t have to do it
> per task?
>
> UserGroupInformation ugi = UserGroupInformation.createProxyUser(
>         proxyUser, UserGroupInformation.getLoginUser());
>
> PrivilegedExceptionAction<Void> iAction = new PrivilegedExceptionAction<Void>() {
>     public Void run() throws Exception {
>         action.run();
>         return null;
>     }
> };
>
> ugi.doAs(iAction);
>
> Regina Chan
> Goldman Sachs – Enterprise Platforms, Data Architecture
> 30 Hudson Street, 37th floor | Jersey City, NY 07302
> (212) 902-5697
>
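
Added example, not part of either message and not Flink or Hadoop project code: on the Hadoop side, the proxy-user scenario discussed above is authorized per superuser account through the `hadoop.proxyuser.<name>.*` properties in `core-site.xml`. The account name `flink`, the subnet and the group name are constructed placeholders.

```xml
<!-- core-site.xml on the NameNode (and on any other Hadoop service that
     should honour impersonation). The principal short name "flink", the
     subnet and the group below are constructed placeholders. -->
<configuration>

  <!-- Weak setting, shown commented out for comparison: the superuser
       account may impersonate any user from any host. Since job code in
       the JM/TM runs with full trust and can reach the superuser keytab,
       any submitted job could then act as any HDFS user.

  <property>
    <name>hadoop.proxyuser.flink.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.flink.groups</name>
    <value>*</value>
  </property>
  -->

  <!-- Scoped setting: impersonation requests are accepted only from the
       hosts that run the Flink JM/TM processes ... -->
  <property>
    <name>hadoop.proxyuser.flink.hosts</name>
    <value>10.20.0.0/24</value>
  </property>

  <!-- ... and only for users who are members of one dedicated group, so
       accounts outside it (HDFS administrators, other teams) cannot be
       impersonated even if the keytab is misused. -->
  <property>
    <name>hadoop.proxyuser.flink.groups</name>
    <value>flink-job-users</value>
  </property>

</configuration>
```

Scoping these properties limits which identities the superuser keytab can assume; it does not isolate job code from the keytab itself.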
