[FLINK-29362] Allow loading dynamic config for kerberos authentication in CliFrontend - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: Command Line Client
Labels:
None

Description

In the code, Flink's client will try to SecurityUtils.install(new SecurityConfiguration(cli.configuration)); with configs(e.g. security.kerberos.login.principal and security.kerberos.login.keytab) from only flink-conf.yaml.
If users specify the above 2 config via -D option, it will not work as cli.parseAndRun(args) will be executed after installing security configs from flink-conf.yaml.
However, if a user specify principal A in client's flink-conf.yaml and use -D option to specify principal B, the launched YARN container will use principal B though the job is submitted in client end with principal A.

Such behavior can be misleading as Flink provides 2 ways to set a config but does not keep consistency between client and cluster. It also influence users who want use flink with kerberos as they must modify flink-conf.yaml if they want to use another kerberos user.

Attachments

Issue Links

duplicates

FLINK-12130 Apply command line options to configuration before installing security modules

Reopened

Activity

People

Assignee:: Unassigned

Reporter:: Biao Geng

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Sep/22 15:46

Updated:: 20/Oct/22 07:47

Resolved:: 20/Oct/22 07:47