Enabling SPNEGO authentication for Flink Dashboard

You must manually configure the SPNEGO authentication for Flink Dashboard in Cloudera Manager to enable secure access for users as by default the authentication is turned off.

Enabling SPNEGO authentication for Flink Dashboard

  1. Go to your cluster in Cloudera Manager.
  2. Select Flink from the list of services.
  3. Select the Configuration tab.
  4. Filter to Scope > Flink Dashboard.
  5. Search for Use SPNEGO Authentication.
  6. Select the checkbox to enable SPNEGO authentication for Flink Dashboard.
  7. Click Save Changes.

    You need to restart the Flink service to finalize the configuration.

  8. Click on Actions > Restart next to the Flink service name.

Providing user credentials for flink list

The Flink CLI uses the Flink Dashboard when you use the flink list command. In this case, the Flink CLI connects to the Flink Dashboard and lists the running and scheduled applications. The connection between the CLI and Dashboard requires user credentials for the SPNEGO authentication.

The following methods can be used to provide the user credentials:
  • You can use the kinit command and the custom ticket cache file:
    1. Connect to your host using ssh.
      ssh root@<your_hostname>
      You are prompted to provide your password.
    2. Run the kinit command to obtain a valid TGT.
      kinit <your_principal>
    In this case, the flink list command reads the TGT from the default ticket cache file of the user.
  • You can provide the keytab file and login principals directly to the flink list command:
    1. Connect to your host using ssh.
      ssh root@<your_hostname>
      You are prompted to provide your password.
    2. Run the flink list command using your keytab information:
      flink list -yD security.kerberos.login.keytab=<your_keytab_file_name> -yD security.kerberos.login.principal=<your_principal>