Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Support impersonation mode for flink sql engine #6368

Open
3 of 4 tasks
wForget opened this issue May 7, 2024 · 1 comment · May be fixed by #6383
Open
3 of 4 tasks

[FEATURE] Support impersonation mode for flink sql engine #6368

wForget opened this issue May 7, 2024 · 1 comment · May be fixed by #6383
Assignees
@wForget
Labels
kind:feature Feature request priority:major

Comments

@wForget
Copy link
Member

wForget commented May 7, 2024

Code of Conduct

Search before asking

  • I have searched in the issues and found no similar issues.

Describe the feature

Support impersonation mode for flink sql engine

Motivation

No response

Describe the solution

Add the following options to FlinkProcessBuilder:

HADOOP_PROXY_USER=proxyUser
security.delegation.tokens.enabled=false

Additional context

No response

Are you willing to submit PR?

  • Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
  • No. I cannot submit a PR at this time.
@wForget wForget self-assigned this May 7, 2024
wForget added a commit to wForget/kyuubi that referenced this issue May 10, 2024
@wForget
[KYUUBI apache#6368] Support impersonation mode for flink sql engine
66f94ce
@wForget wForget linked a pull request May 10, 2024 that will close this issue
Draft
4 tasks
@wForget wForget mentioned this issue May 21, 2024
Merged
@wForget
Copy link
Member Author

wForget commented May 22, 2024 

HADOOP_PROXY_USER=proxyUser
security.delegation.tokens.enabled=false

After turning off security.delegation.tokens.enabled, it is difficult for us to pass delegation token updates of jobmanager to taskmanager.

Based on the solution in apache/flink#22009 (comment), I will follow the steps:

  • Implement custom KyuubiDelegationTokenProvider and KyuubiDelegationTokenReceiver
  • Add the following options
HADOOP_PROXY_USER=proxyUser
security.module.factory.classes=org.apache.flink.runtime.security.modules.JaasModuleFactory,org.apache.flink.runtime.security.modules.ZookeeperModuleFactory
security.delegation.token.provider.hadoopfs.enabled=false
security.delegation.token.provider.s3-hadoop.enabled=false
security.delegation.token.provider.s3-presto.enabled=false
security.delegation.token.provider.HiveServer2.enabled=false
security.delegation.token.provider.hbase.enabled=false

wForget added a commit to wForget/kyuubi that referenced this issue May 24, 2024
@wForget
[KYUUBI apache#6368] Support impersonation mode for flink sql engine
9830076
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wForget wForget

Labels
kind:feature Feature request priority:major
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[KYUUBI #6368] Flink engine supports user impersonation wForget/kyuubi
1 participant
@wForget