flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefano Baghino (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (FLINK-3699) Allow per-job Kerberos authentication
Date Thu, 07 Apr 2016 08:55:25 GMT

     [ https://issues.apache.org/jira/browse/FLINK-3699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Stefano Baghino reassigned FLINK-3699:

    Assignee: Stefano Baghino

> Allow per-job Kerberos authentication 
> --------------------------------------
>                 Key: FLINK-3699
>                 URL: https://issues.apache.org/jira/browse/FLINK-3699
>             Project: Flink
>          Issue Type: Improvement
>          Components: JobManager, Scheduler, TaskManager, YARN Client
>    Affects Versions: 1.0.0
>            Reporter: Stefano Baghino
>            Assignee: Stefano Baghino
>              Labels: kerberos, security, yarn
> Currently, authentication in a secure ("Kerberized") environment is performed once as
a standalone cluster or a YARN session is started up. This means that jobs submitted will
all be executed with the privileges of the user that started up the cluster. This is reasonable
in a lot of situations but disallows a fine control over ACLs when Flink is involved.
> Adding a way for each job submission to be independently authenticated would allow each
job to run with the privileges of a specific user, enabling much more granular control over
ACLs, in particular in the context of existing secure cluster setups.
> So far, a known workaround to this limitation (at least when running on YARN) is to run
a per-job cluster as a specific user.

This message was sent by Atlassian JIRA

View raw message