SQL Client security

Before launching the SQL Client, run the kinit command to authenticate the client with Kerberos. To use the SQL Client in a secured environment, you also need to add the keytab files when starting the YARN session.

flink-sql-client

In Kerberos-protected environments, you must run kinit <principal> before launching the flink-sql-client. The CLI does not support keytab-based Kerberos authentication yet.

flink-yarn-session

YARN sessions that the flink-sql-client connects to should be started with the Kerberos keytab and principal properties:
flink-yarn-session -tm 2096 -s 2 -d -nm "<application_name>" \
-D security.kerberos.login.principal=<username> \
-D security.kerberos.login.keytab=<keytab_name>
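
The two requirements above can be checked before anything is started. The following wrapper is an added example, not part of the product or the original page: it refuses to continue unless a valid ticket from kinit is present and the keytab passed to flink-yarn-session is private to its owner. The function names, the KLIST variable and the --run mode are assumptions made for the example; klist -s is the silent, exit-status-only form of klist in MIT Kerberos.

```shell
#!/bin/sh
# Added example, not vendor code. Function names, KLIST and --run are hypothetical.
KLIST="${KLIST:-klist}"   # overridable so the check can be exercised without a KDC

# Succeeds only if the credential cache holds a ticket that has not expired.
# `klist -s` prints nothing and reports the result through its exit status.
has_valid_ticket() {
    "$KLIST" -s >/dev/null 2>&1
}

# Succeeds only if the keytab is a regular file (not a symlink) with no group or
# other permission bits. Anyone who can read a keytab can authenticate as its principal.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    kp_bits=$(ls -ld -- "$1" | cut -c5-10)   # the six group+other mode characters
    [ "$kp_bits" = "------" ]
}

# Runs both checks, reports every failure on stderr, returns non-zero if any failed.
preflight() {
    pf_rc=0
    if ! has_valid_ticket; then
        echo "no valid Kerberos ticket: run kinit <principal> first" >&2
        pf_rc=1
    fi
    if ! keytab_is_private "$1"; then
        echo "keytab '$1' is missing or accessible to group/others" >&2
        pf_rc=1
    fi
    return "$pf_rc"
}

# Usage: sh preflight.sh --run <principal> <keytab> <application_name> [sql-client args]
if [ "${1:-}" = "--run" ]; then
    [ "$#" -ge 4 ] || { echo "usage: --run <principal> <keytab> <application_name>" >&2; exit 2; }
    principal=$2 keytab=$3 app_name=$4
    shift 4
    preflight "$keytab" || exit 1
    flink-yarn-session -tm 2096 -s 2 -d -nm "$app_name" \
        -D security.kerberos.login.principal="$principal" \
        -D security.kerberos.login.keytab="$keytab" || exit 1
    flink-sql-client "$@"
fi
```

Without --run the script only defines the functions, so it can be sourced and preflight called from an existing launch script.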