Hi everyone, Alan Sheinberg and I would like to start a discussion on FLIP-588: Support per-job delegation tokens [1]. Flink's delegation token framework is currently cluster-scoped, which means a DelegationTokenProvider has no notion of an individual job. This breaks when different jobs on the same cluster need to authenticate as different identities to the same external service. To resolve this, the FLIP adds per-job lifecycle hooks (registerJob/unregisterJob/stop) as default methods on the DelegationTokenProvider SPI, along with the runtime wiring to invoke them on job start and stop. This change is fully backward compatible (new methods are default no-ops). It is worth mentioning that it widens the internal registerJobMaster RPC to carry the job configuration.
Looking forward to your feedback. [1] https://cwiki.apache.org/confluence/display/FLINK/FLIP-588%3A+Support+per-job+delegation+tokens -- Kind regards, Aleksandr
