flink-issues mailing list archives

From "Shuyi Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-7860) Support YARN proxy user in Flink (impersonation)
Date Thu, 04 Jan 2018 02:26:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16310633#comment-16310633 ]

Shuyi Chen commented on FLINK-7860:

I assume that in the doAs block, it will run as "joe" and should not be able to access the
superuser's credential. Otherwise, it seems to be a security issue in Hadoop. Please correct
me if I am wrong.

And we have a super service that proxies all job submissions from 100+ different service accounts
to secure YARN. The super service will be running as a super user account, and won't have direct
access to the keytabs of individual service accounts. It can only access those keytabs indirectly
through doAs() to impersonate the individual users. Since this is a common pattern in Hadoop,
I think it will make sense for Flink to support it as well.

> Support YARN proxy user in Flink (impersonation)
> ------------------------------------------------
>                 Key: FLINK-7860
>                 URL: https://issues.apache.org/jira/browse/FLINK-7860
>             Project: Flink
>          Issue Type: New Feature
>          Components: YARN
>            Reporter: Shuyi Chen
>            Assignee: Shuyi Chen

This message was sent by Atlassian JIRA
