flink-issues mailing list archives

From "Rong Rong (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-9685) Flink should support hostname-substitution for security.kerberos.login.principal
Date Thu, 07 Mar 2019 23:38:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-9685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787326#comment-16787326 ]

Rong Rong commented on FLINK-9685:
----------------------------------

Hi. I was wondering whether I fully understood the requirement for this JIRA.
 1. Do we want to support general substitution on principal keywords, e.g. REALM as well?
 2. What kind of principal format are we going to support?
 3. What would be a good keyword substitution reserved for this purpose?

Can we refer to the Kerberos document for any possible improvement for 2/3?

Regarding the implementation, should we defer this change or the replacement logic to the
specific module instead, for example {{HadoopModule}}? It seems to me that the only place
that should be using the principal is the security modules/contexts themselves, and each module
might interpret this differently? This is actually part of the overall effort to provide
the ServiceProvider pattern in FLINK-11589.

> Flink should support hostname-substitution for security.kerberos.login.principal
> --------------------------------------------------------------------------------
>
>                 Key: FLINK-9685
>                 URL: https://issues.apache.org/jira/browse/FLINK-9685
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Coordination
>            Reporter: Ethan Li
>            Assignee: Aleksandr Salatich
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> [https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/SecurityConfiguration.java#L83]
>  
> We can have something like this
> {code:java}
> String rawPrincipal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
> if (rawPrincipal != null) {
>    try {
>       rawPrincipal = rawPrincipal.replace("HOSTNAME", InetAddress.getLocalHost().getCanonicalHostName());
>    } catch (UnknownHostException e) {
>       // Pass the exception as the throwable argument so the cause and stack trace are logged.
>       LOG.error("Failed to replace HOSTNAME with localhost", e);
>    }
> }
> this.principal = rawPrincipal;
> {code}
> So it will be easier to deploy Flink to a cluster. Instead of setting a different principal
> on every node, we can have the same principal headless_user/HOSTNAME@DOMAIN.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
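
A stricter form of the substitution discussed in this thread, as an added example that is not Flink's code or the reporter's patch: it rewrites only the instance component of `primary/instance@REALM`, lower-cases the host, and fails closed instead of logging in with a principal that still contains the token. The class and method names are hypothetical, the `HOSTNAME` token comes from the issue description, and the sample principals are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

/** Hypothetical helper (not part of Flink): expands HOSTNAME in primary/instance@REALM. */
public final class PrincipalSubstitution {
    static final String TOKEN = "HOSTNAME"; // keyword proposed in the issue description

    /** Replaces the instance component only when it is exactly TOKEN. */
    static String substitute(String rawPrincipal, String canonicalHost) {
        if (rawPrincipal == null) {
            return null;
        }
        int slash = rawPrincipal.indexOf('/');
        int at = rawPrincipal.lastIndexOf('@');
        // No instance component (e.g. user@REALM): nothing to substitute.
        if (slash < 0 || (at >= 0 && at < slash)) {
            return rawPrincipal;
        }
        int instanceEnd = at < 0 ? rawPrincipal.length() : at;
        if (!TOKEN.equals(rawPrincipal.substring(slash + 1, instanceEnd))) {
            return rawPrincipal; // primary and realm are never rewritten
        }
        if (canonicalHost == null || canonicalHost.isEmpty()) {
            // Fail closed: never continue with a principal that still contains the token.
            throw new IllegalStateException("Cannot resolve local hostname for " + rawPrincipal);
        }
        // Principal names are case-sensitive, so normalise the host to lower case.
        String host = canonicalHost.toLowerCase(Locale.ROOT);
        return rawPrincipal.substring(0, slash + 1) + host + rawPrincipal.substring(instanceEnd);
    }

    static String substituteLocal(String rawPrincipal) {
        String host = null;
        try {
            // May return an IP literal when reverse lookup fails; validate if that matters.
            host = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            // Leave host null: substitute() throws only if the token is actually present.
        }
        return substitute(rawPrincipal, host);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        System.out.println(substitute("headless_user/HOSTNAME@EXAMPLE.COM", "Worker-01.example.com"));
        System.out.println(substitute("HOSTNAME_admin@EXAMPLE.COM", "worker-01.example.com"));
        System.out.println(substitute("flink/fixed.example.com@EXAMPLE.COM", "worker-01.example.com"));
    }
}
```

Only the first sample is rewritten (to `headless_user/worker-01.example.com@EXAMPLE.COM`); a plain `String.replace` would also have altered the primary in the second one.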
