[ https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16301806#comment-16301806 ]
Eron Wright commented on FLINK-7860: ------------------------------------- Regarding how a proxy user would be configured, the goal is to set the login user to a proxy user UGI that wraps the kerberos (real) UGI. The real UGI must continue to be initialized using a keytab as normal. Rather than introduce new config settings, Flink could simply make use of Hadoop's built-in `HADOOP_PROXY_USER` environment variable. I suggest that Flink simply propagate the `HADOOP_PROXY_USER` variable to the AM/TM. Then, in `org.apache.flink.runtime.security.modules.HadoopModule`, wrap the `loginUser` with a proxy-user UGI when `HADOOP_PROXY_USER` is set and then call `UGI.setLoginUser`. This need only be done in the `loginUserFromKeytab` scenario, not in the `loginUserFromSubject` scenario since `loginUserFromSubject` already does exactly that. > Support YARN proxy user in Flink (impersonation) > ------------------------------------------------ > > Key: FLINK-7860 > URL: https://issues.apache.org/jira/browse/FLINK-7860 > Project: Flink > Issue Type: New Feature > Components: YARN > Reporter: Shuyi Chen > Assignee: Shuyi Chen > -- This message was sent by Atlassian JIRA (v6.4.14#64029)