[jira] [Comment Edited] (FLINK-7860) Support YARN proxy user in Flink (impersonation)

Fri, 22 Dec 2017 10:55:37 -0800 

    [ 
https://issues.apache.org/jira/browse/FLINK-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16301806#comment-16301806
 ] 

Eron Wright  edited comment on FLINK-7860 at 12/22/17 6:54 PM:
---------------------------------------------------------------

Regarding how a proxy user would be configured, the goal is to set the login 
user to a proxy user UGI that wraps the kerberos (real) UGI. The real UGI must 
continue to be initialized using a keytab as normal.  Rather than introduce new 
config settings, Flink could simply make use of Hadoop's built-in 
`HADOOP_PROXY_USER` environment variable.

I suggest that Flink simply propagate the `HADOOP_PROXY_USER` variable to the 
AM/TM.   Then, in `org.apache.flink.runtime.security.modules.HadoopModule`, 
wrap the `loginUser` with a proxy-user UGI when `HADOOP_PROXY_USER` is set and 
then call `UGI.setLoginUser`.  This need only be done in the 
`loginUserFromKeytab` scenario, not in the `loginUserFromSubject` scenario 
since `loginUserFromSubject` already does exactly that.

See HADOOP-8561.



was (Author: eronwright):
Regarding how a proxy user would be configured, the goal is to set the login 
user to a proxy user UGI that wraps the kerberos (real) UGI. The real UGI must 
continue to be initialized using a keytab as normal.  Rather than introduce new 
config settings, Flink could simply make use of Hadoop's built-in 
`HADOOP_PROXY_USER` environment variable.

I suggest that Flink simply propagate the `HADOOP_PROXY_USER` variable to the 
AM/TM.   Then, in `org.apache.flink.runtime.security.modules.HadoopModule`, 
wrap the `loginUser` with a proxy-user UGI when `HADOOP_PROXY_USER` is set and 
then call `UGI.setLoginUser`.  This need only be done in the 
`loginUserFromKeytab` scenario, not in the `loginUserFromSubject` scenario 
since `loginUserFromSubject` already does exactly that.


> Support YARN proxy user in Flink (impersonation)
> ------------------------------------------------
>
>                 Key: FLINK-7860
>                 URL: https://issues.apache.org/jira/browse/FLINK-7860
>             Project: Flink
>          Issue Type: New Feature
>          Components: YARN
>            Reporter: Shuyi Chen
>            Assignee: Shuyi Chen
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to