Google Git
Sign in
apache / flink-web / 0f9478d1de8c2317e67a6a63df5961eba5bbc8db / . / content / 2023 / 01 / 20 / delegation-token-framework-obtain-distribute-and-use-temporary-credentials-automatically / index.html
blob: 5691e9b5c27cf7acfab0c6074208b4e65c17b014 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en" dir=ZgotmplZ>
<head>
<link rel="stylesheet" href="/bootstrap/css/bootstrap.min.css">
<script src="/bootstrap/js/bootstrap.bundle.min.js"></script>
<link rel="stylesheet" type="text/css" href="/font-awesome/css/font-awesome.min.css">
<script src="/js/anchor.min.js"></script>
<script src="/js/flink.js"></script>
<link rel="canonical" href="https://flink.apache.org/2023/01/20/delegation-token-framework-obtain-distribute-and-use-temporary-credentials-automatically/">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="The Apache Flink Community is pleased to announce that the upcoming minor version of Flink (1.17) includes the Delegation Token Framework proposed in FLIP-272. This enables Flink to authenticate to external services at a central location (JobManager) and distribute authentication tokens to the TaskManagers.
Introduction # Authentication in distributed systems is not an easy task. Previously all worker nodes (TaskManagers) reading from or writing to an external system needed to authenticate on their own.">
<meta name="theme-color" content="#FFFFFF"><meta property="og:title" content="Delegation Token Framework: Obtain, Distribute and Use Temporary Credentials Automatically" />
<meta property="og:description" content="The Apache Flink Community is pleased to announce that the upcoming minor version of Flink (1.17) includes the Delegation Token Framework proposed in FLIP-272. This enables Flink to authenticate to external services at a central location (JobManager) and distribute authentication tokens to the TaskManagers.
Introduction # Authentication in distributed systems is not an easy task. Previously all worker nodes (TaskManagers) reading from or writing to an external system needed to authenticate on their own." />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://flink.apache.org/2023/01/20/delegation-token-framework-obtain-distribute-and-use-temporary-credentials-automatically/" /><meta property="article:section" content="posts" />
<meta property="article:published_time" content="2023-01-20T08:00:00+00:00" />
<meta property="article:modified_time" content="2023-01-20T08:00:00+00:00" />
<title>Delegation Token Framework: Obtain, Distribute and Use Temporary Credentials Automatically | Apache Flink</title>
<link rel="manifest" href="/manifest.json">
<link rel="icon" href="/favicon.png" type="image/x-icon">
<link rel="stylesheet" href="/book.min.22eceb4d17baa9cdc0f57345edd6f215a40474022dfee39b63befb5fb3c596b5.css" integrity="sha256-IuzrTRe6qc3A9XNF7dbyFaQEdAIt/uObY777X7PFlrU=">
<script defer src="/en.search.min.2698f0d1b683dae4d6cb071668b310a55ebcf1c48d11410a015a51d90105b53e.js" integrity="sha256-Jpjw0baD2uTWywcWaLMQpV688cSNEUEKAVpR2QEFtT4="></script>
<!--
Made with Book Theme
https://github.com/alex-shpak/hugo-book
-->
<meta name="generator" content="Hugo 0.124.1">
<script>
var _paq = window._paq = window._paq || [];
_paq.push(['disableCookies']);
_paq.push(["setDomains", ["*.flink.apache.org","*.nightlies.apache.org/flink"]]);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="//analytics.apache.org/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
</script>
</head>
<body dir=ZgotmplZ>
<header>
<nav class="navbar navbar-expand-xl">
<div class="container-fluid">
<a class="navbar-brand" href="/">
<img src="/img/logo/png/100/flink_squirrel_100_color.png" alt="Apache Flink" height="47" width="47" class="d-inline-block align-text-middle">
<span>Apache Flink</span>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<i class="fa fa-bars navbar-toggler-icon"></i>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown" aria-expanded="false">About</a>
<ul class="dropdown-menu">
<li>
<a class="dropdown-item" href="/what-is-flink/flink-architecture/">Architecture</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/flink-applications/">Applications</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/flink-operations/">Operations</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/use-cases/">Use Cases</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/powered-by/">Powered By</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/roadmap/">Roadmap</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/community/">Community & Project Info</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/security/">Security</a>
</li>
<li>
<a class="dropdown-item" href="/what-is-flink/special-thanks/">Special Thanks</a>
</li>
</ul>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown" aria-expanded="false">Getting Started</a>
<ul class="dropdown-menu">
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-docs-stable/docs/try-flink/local_installation/">With Flink<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-stable/docs/try-flink-kubernetes-operator/quick-start/">With Flink Kubernetes Operator<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-cdc-docs-stable/docs/get-started/introduction/">With Flink CDC<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-ml-docs-stable/docs/try-flink-ml/quick-start/">With Flink ML<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-statefun-docs-stable/getting-started/project-setup.html">With Flink Stateful Functions<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-docs-stable/docs/learn-flink/overview/">Training Course<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
</ul>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown" aria-expanded="false">Documentation</a>
<ul class="dropdown-menu">
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-docs-stable/">Flink 1.19 (stable)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-docs-master/">Flink Master (snapshot)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-stable/">Kubernetes Operator 1.8 (latest)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main">Kubernetes Operator Main (snapshot)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-cdc-docs-stable">CDC 3.0 (stable)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-cdc-docs-master">CDC Master (snapshot)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-ml-docs-stable/">ML 2.3 (stable)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-ml-docs-master">ML Master (snapshot)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-statefun-docs-stable/">Stateful Functions 3.3 (stable)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
<li>
<a class="dropdown-item" href="https://nightlies.apache.org/flink/flink-statefun-docs-master">Stateful Functions Master (snapshot)<i class="link fa fa-external-link title" aria-hidden="true"></i>
</a>
</li>
</ul>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown" aria-expanded="false">How to Contribute</a>
<ul class="dropdown-menu">
<li>
<a class="dropdown-item" href="/how-to-contribute/overview/">Overview</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/contribute-code/">Contribute Code</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/reviewing-prs/">Review Pull Requests</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/code-style-and-quality-preamble/">Code Style and Quality Guide</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/contribute-documentation/">Contribute Documentation</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/documentation-style-guide/">Documentation Style Guide</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/improve-website/">Contribute to the Website</a>
</li>
<li>
<a class="dropdown-item" href="/how-to-contribute/getting-help/">Getting Help</a>
</li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link" href="/posts/">Flink Blog</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/downloads/">Downloads</a>
</li>
</ul>
<div class="book-search">
<div class="book-search-spinner hidden">
<i class="fa fa-refresh fa-spin"></i>
</div>
<form class="search-bar d-flex" onsubmit="return false;"su>
<input type="text" id="book-search-input" placeholder="Search" aria-label="Search" maxlength="64" data-hotkeys="s/">
<i class="fa fa-search search"></i>
<i class="fa fa-circle-o-notch fa-spin spinner"></i>
</form>
<div class="book-search-spinner hidden"></div>
<ul id="book-search-results"></ul>
</div>
</div>
</div>
</nav>
<div class="navbar-clearfix"></div>
</header>
<main class="flex">
<section class="container book-page">
<article class="markdown">
<h1>
<a href="/2023/01/20/delegation-token-framework-obtain-distribute-and-use-temporary-credentials-automatically/">Delegation Token Framework: Obtain, Distribute and Use Temporary Credentials Automatically</a>
</h1>
January 20, 2023 -
Gabor Somogyi
Marton Balassi
<a href="https://twitter.com/MartonBalassi">(@MartonBalassi)</a>
<p><p>The Apache Flink Community is pleased to announce that the upcoming minor version of Flink (1.17) includes
the Delegation Token Framework proposed in <a href="https://cwiki.apache.org/confluence/display/FLINK/FLIP-272%3A&#43;Generalized&#43;delegation&#43;token&#43;support">FLIP-272</a>.
This enables Flink to authenticate to external services at a central location (JobManager) and distribute authentication
tokens to the TaskManagers.</p>
<h2 id="introduction">
Introduction
<a class="anchor" href="#introduction">#</a>
</h2>
<p>Authentication in distributed systems is not an easy task. Previously all worker nodes (TaskManagers) reading from or
writing to an external system needed to authenticate on their own. In such a case several things can go wrong, including but not limited to:</p>
<ul>
<li>Too many authentication requests (potentially resulting in rejected requests)</li>
<li>Large number of retries on authentication failures</li>
<li>Re-occurring propagation/update of temporary credentials in a timely manner</li>
<li>Dependency issues when external system libraries are having the same dependency with different versions</li>
<li>Each authentication/temporary credentials are different making standardization challenging</li>
<li>&hellip;</li>
</ul>
<p>The aim of Delegation Token Framework is to solve the above challenges. The framework is authentication protocol agnostic and pluggable.
The primary design concept is that authentication happens only at a single location (JobManager), the obtained temporary
credentials propagated automatically to all the task managers where they can be used. The token re-obtain process is also handled
in the JobManager.</p>
<p align="center">
<img src="/img/blog/2023-01-20-delegation-token-framework/delegation_token_framework.svg" width="70%" height="70%">
</p>
<p>New authentication providers can be added with small amount of code which is going to be loaded by Flink automatically.
At the moment the following external systems are supported:</p>
<ul>
<li>Hadoop filesystems</li>
<li>HBase</li>
<li>S3</li>
</ul>
<p>Planned, but not yet implemented/contributed:</p>
<ul>
<li>Kafka</li>
<li>Hive</li>
</ul>
<p>The design and implementation approach has already been proven in <a href="https://spark.apache.org/docs/latest/security.html#kerberos">Apache Spark</a>.
Gabor is a Spark committer, he championed this feature in the Spark community. The most notable improvement we achieved compared to the
current state in Spark is that the framework in Flink is already authentication protocol agnostic (and not bound to Kerberos).</p>
<h2 id="documentation">
Documentation
<a class="anchor" href="#documentation">#</a>
</h2>
<p>For more details please refer to the following documentation:</p>
<ul>
<li><a href="https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-delegation-token/">Delegation Tokens In General</a></li>
<li><a href="https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-kerberos/#using-delegation-tokens">How to use Kerberos delegation tokens</a></li>
</ul>
<h2 id="development-details">
Development details
<a class="anchor" href="#development-details">#</a>
</h2>
<p>Major tickets where the framework has been added:</p>
<ul>
<li><a href="https://issues.apache.org/jira/browse/FLINK-21232">FLINK-21232</a> Kerberos delegation token framework</li>
<li><a href="https://issues.apache.org/jira/browse/FLINK-29918">FLINK-29918</a> Generalized delegation token support</li>
<li><a href="https://issues.apache.org/jira/browse/FLINK-30704">FLINK-30704</a> Add S3 delegation token support</li>
</ul>
<h2 id="example-implementation">
Example implementation
<a class="anchor" href="#example-implementation">#</a>
</h2>
<p>Adding a new authentication protocol is relatively straight-forward:</p>
<ul>
<li>Check out the <a href="https://github.com/gaborgsomogyi/flink-test-java-delegation-token-provider">example implementation</a></li>
<li>Change <code>FlinkTestJavaDelegationTokenProvider.obtainDelegationTokens</code> to obtain a custom token from any external service</li>
<li>Change <code>FlinkTestJavaDelegationTokenReceiver.onNewTokensObtained</code> to receive the previously obtained tokens on all task managers</li>
<li>Use the tokens for external service authentication</li>
<li>Compile the project and put it into the classpath (adding it inside a plugin also supported)</li>
<li>Enjoy that Flink does all the heavy lifting behind the scenes :-)</li>
</ul>
<h2 id="example-implementation-testing">
Example implementation testing
<a class="anchor" href="#example-implementation-testing">#</a>
</h2>
<p>The existing providers are tested with the <a href="https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/">Flink Kubernetes Operator</a>
but one can use any other supported deployment model, because the framework is not bound to any of them.
We choose the Kubernetes Operator so that we could provide a completely containerized and easily reproducible test environment.</p>
<p>An example tutorial can be found <a href="https://gist.github.com/gaborgsomogyi/ac4f71ead8494da2f5c35265bcb1e885">here</a> on
external system authentication.</p>
<h2 id="summary">
Summary
<a class="anchor" href="#summary">#</a>
</h2>
<p>The Delegation Token Framework is feature complete on the master branch and is becoming generally available on the release of
Flink 1.17. The framework obtains authentication tokens at a central location and propagates them to all workers on a re-occurring basis.</p>
<p>Any connector to an external system which supports authentication can be a potential user of this framework.
To support authentication in your connector we encourage you to implement your own <code>DelegationTokenProvider/DelegationTokenReceiver</code> pair.</p>
</p>
</article>
<div class="edit-this-page">
<p>
<a href="https://cwiki.apache.org/confluence/display/FLINK/Flink+Translation+Specifications">Want to contribute translation?</a>
</p>
<p>
<a href="//github.com/apache/flink-web/edit/asf-site/docs/content/posts/2023-01-20-delegation-token-framework.md">
Edit This Page<i class="fa fa-edit fa-fw"></i>
</a>
</p>
</div>
</section>
<aside class="book-toc">
<nav id="TableOfContents"><h3>On This Page <a href="javascript:void(0)" class="toc" onclick="collapseToc()"><i class="fa fa-times" aria-hidden="true"></i></a></h3>
<ul>
<li>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#documentation">Documentation</a></li>
<li><a href="#development-details">Development details</a></li>
<li><a href="#example-implementation">Example implementation</a></li>
<li><a href="#example-implementation-testing">Example implementation testing</a></li>
<li><a href="#summary">Summary</a></li>
</ul>
</li>
</ul>
</nav>
</aside>
<aside class="expand-toc hidden">
<a class="toc" onclick="expandToc()" href="javascript:void(0)">
<i class="fa fa-bars" aria-hidden="true"></i>
</a>
</aside>
</main>
<footer>
<div class="separator"></div>
<div class="panels">
<div class="wrapper">
<div class="panel">
<ul>
<li>
<a href="https://flink-packages.org/">flink-packages.org</a>
</li>
<li>
<a href="https://www.apache.org/">Apache Software Foundation</a>
</li>
<li>
<a href="https://www.apache.org/licenses/">License</a>
</li>
<li>
<a href="/zh/">
<i class="fa fa-globe" aria-hidden="true"></i>&nbsp;中文版
</a>
</li>
</ul>
</div>
<div class="panel">
<ul>
<li>
<a href="/what-is-flink/security">Security</a-->
</li>
<li>
<a href="https://www.apache.org/foundation/sponsorship.html">Donate</a>
</li>
<li>
<a href="https://www.apache.org/foundation/thanks.html">Thanks</a>
</li>
</ul>
</div>
<div class="panel icons">
<div>
<a href="/posts">
<div class="icon flink-blog-icon"></div>
<span>Flink blog</span>
</a>
</div>
<div>
<a href="https://github.com/apache/flink">
<div class="icon flink-github-icon"></div>
<span>Github</span>
</a>
</div>
<div>
<a href="https://twitter.com/apacheflink">
<div class="icon flink-twitter-icon"></div>
<span>Twitter</span>
</a>
</div>
</div>
</div>
</div>
<hr/>
<div class="container disclaimer">
<p>The contents of this website are © 2024 Apache Software Foundation under the terms of the Apache License v2. Apache Flink, Flink, and the Flink logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</p>
</div>
</footer>
</body>
</html>