Repository: flink
Updated Branches: refs/heads/release-0.9 ab694a3b2 -> 2b5f88a4b
[docs] add information on how to use Kerberos Project: http://git-wip-us.apache.org/repos/asf/flink/repo Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/2b5f88a4 Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/2b5f88a4 Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/2b5f88a4 Branch: refs/heads/release-0.9 Commit: 2b5f88a4b86dd61502931b8e149a761ff9c9318d Parents: ab694a3 Author: Maximilian Michels <m...@apache.org> Authored: Fri Oct 23 18:13:13 2015 +0200 Committer: Maximilian Michels <m...@apache.org> Committed: Fri Oct 23 18:20:14 2015 +0200 ---------------------------------------------------------------------- docs/setup/config.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/flink/blob/2b5f88a4/docs/setup/config.md ---------------------------------------------------------------------- diff --git a/docs/setup/config.md b/docs/setup/config.md index 4f7378d..c2373f6 100644 --- a/docs/setup/config.md +++ b/docs/setup/config.md 
@@ -326,6 +326,30 @@ to set the JM host:port manually. It is recommended to leave this option at 1. ## Background +### Kerberos + +Flink supports Kerberos authentication of Hadoop services such as HDFS, YARN, +or HBase. + +While Hadoop uses Kerberos tickets to authenticate users with services +initially, the authentication process continues differently afterwards. Instead +of saving the ticket to authenticate on a later access, Hadoop creates its own +security tockens (DelegationToken) that it passes around. These are +authenticated to Kerberos periodically but are independent of the token renewal +time. The tokens have a maximum life span identical to the Kerberos ticket maximum life +span. + +Please make sure to set the maximum ticket life span high long running +jobs. The renewal time of the ticket, on the other hand, is not important +because Hadoop abstracts this away using its own security tocken renewal +system. Hadoop makes sure that tickets are renewed in time and you can be sure +to be authenticated until the end of the ticket life time. + +If you are on YARN, then it is sufficient to authenticate the client with +Kerberos. On a Flink standalone cluster you need to ensure that, initially, all +nodes are authenticated with Kerberos using the `kinit` tool. + + ### Configuring the Network Buffers Network buffers are a critical resource for the communication layers. They are
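Review bot: In the second added paragraph, "independent of the token renewal time" probably should read "ticket renewal time". The following paragraph says it is the ticket's renewal time that does not matter, and as written the sentence says the tokens are independent of their own renewal. In the same two paragraphs, "tockens" and "tocken" should be "tokens" and "token", and "set the maximum ticket life span high long running jobs" is missing "for". The advice to set the maximum ticket life span high would be easier to act on if it said what happens to a job that runs past that life span, since the text states the tokens cannot outlive it. The standalone-cluster sentence should also say which user has to run `kinit` on each node and whether it must be repeated before the ticket expires; "all nodes are authenticated" leaves both open.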