Securing Apache Flink jobs

Submitting Flink jobs in a secure environment requires that you set every security parameter for authentication, authorization, and any connector-related security settings. You should prepare your keystore and keytab files for Flink and also for the chosen connector component.

Using SPNEGO authentication with Kerberos for Flink Deployments

By default, on a Kerberized cluster the Flink Dashboard is secured by the YARN proxy, which means direct external access to the Flink deployments should be disabled.

Alternatively, it is possible to directly enable SPNEGO for the Flink Dashboard. To secure a session cluster, use the following configuration options:

flink-yarn-session -d -nm [***CLUSTER-NAME***] \
-Dsecurity.kerberos.login.use-ticket-cache=true \
-Dsecurity.spnego.auth.enabled=true \
-Dsecurity.spnego.auth.keytab=[***SERVICE-KEYTAB***] \
-Dsecurity.spnego.auth.principal=[***HTTP PRINCIPAL***] \
-Dyarn.ship-files=[***SERVICE-KEYTAB***]

To run a Flink job on the previously created session cluster, use the following command:

flink run \
-d -t yarn-session \
-yid [***YARN APPLICATION ID***] \
-yD security.spnego.auth.enabled=true \
-yD security.kerberos.login.keytab=[***USER-KEYTAB***] \
-yD security.kerberos.login.principal=[***USER-PRINCIPAL***] \
[***FULL PATH***][***FILENAME***].jar
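
A keytab holds long-term Kerberos keys and the session-cluster command above both reads it and ships it to YARN, so it is worth checking before launch. The following is an added example, not part of the original page or of Flink: the function names and sample values are hypothetical, and it assumes the SPNEGO principal is written in full as HTTP/<host>@<REALM>.

```shell
#!/bin/sh
# Added example: preflight checks for the SPNEGO session-cluster command.
# Function names and sample values are hypothetical, not part of Flink.

# Succeeds only for a readable regular file with no group/other permission bits.
keytab_is_private() {
  [ -f "$1" ] && [ -r "$1" ] || return 1
  # Characters 5-10 of the ls mode string are the group and other bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Assumption: the SPNEGO principal is written in full as HTTP/<host>@<REALM>.
is_http_principal() {
  case $1 in
    HTTP/?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: spnego_session_args CLUSTER-NAME SERVICE-KEYTAB HTTP-PRINCIPAL
# Prints the command from the page, one argument per line, once both checks pass.
spnego_session_args() {
  keytab_is_private "$2" || {
    echo "keytab missing or accessible to group/others: $2" >&2; return 1; }
  is_http_principal "$3" || {
    echo "not an HTTP/<host>@<REALM> principal: $3" >&2; return 1; }
  printf '%s\n' flink-yarn-session -d -nm "$1" \
    -Dsecurity.kerberos.login.use-ticket-cache=true \
    -Dsecurity.spnego.auth.enabled=true \
    "-Dsecurity.spnego.auth.keytab=$2" \
    "-Dsecurity.spnego.auth.principal=$3" \
    "-Dyarn.ship-files=$2"
}

# Constructed demo: an empty temp file stands in for the service keytab.
demo_keytab=$(mktemp) && chmod 600 "$demo_keytab"
spnego_session_args demo-cluster "$demo_keytab" "HTTP/host.example.com@EXAMPLE.COM"
rm -f "$demo_keytab"
```

The same permission check applies to the user keytab passed to flink run.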