flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-3930) Implement Service-Level Authorization
Date Thu, 01 Sep 2016 13:07:21 GMT

    [ https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15455319#comment-15455319 ]

ASF GitHub Bot commented on FLINK-3930:

Github user rmetzger commented on a diff in the pull request:

    --- Diff: docs/setup/config.md ---
    @@ -107,6 +107,21 @@ Please make sure to set the maximum ticket life span high long running
jobs. The
     If you are on YARN, then it is sufficient to authenticate the client with Kerberos. On
a Flink standalone cluster you need to ensure that, initially, all nodes are authenticated
with Kerberos using the `kinit` tool.
    +### Secure Cookie Authentication
    +Flink supports hardening below cluster components through secure cookie implementation.
    +- Akka endpoints
    +- Blob Server/Client communication
    +- Web runtime communication
    +Secure cookie authentication can be enabled by providing below configurations to Flink
configuration file.
    +- `security.enabled`: A boolean value (true|false) indicating security is enabled or
    +- `security.cookie` : Secure cookie value to be used for authentication. For standalone
deployment mode, the secure cookie value is mandatory when security is enabled but for the
Yarn mode it is optional (auto-generated if not provided).
    +Alternatively, secure cookie value can be provided through Flink/Yarn CLI using "-k"
or "--cookie" parameter option.
    +The web runtime module prompts for secure cookie using standard basic HTTP authentication
mechanism, where the user id field is noop and the password field will be used to capture
the secure cookie.
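Review bot: The `security.cookie` entry and the two paragraphs after it document a shared secret without saying how to keep it secret. As written, the value sits in plain text in the Flink configuration file, can be passed with "-k" or "--cookie" (command-line arguments are typically visible in process listings and shell history), and is sent as the password field of HTTP basic authentication, which is only base64-encoded and so depends on TLS to stay confidential. Suggest adding a sentence on restricting read access to the configuration file, one recommending the configuration file over the CLI option on shared hosts, and one stating that the web runtime should be served over SSL when the cookie is enabled. Separately, the `security.enabled` line stops at "is enabled or" and should finish the sentence and state the default, and "the user id field is noop" would read more clearly as "the user id field is ignored".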
    --- End diff --
    Much appreciated that your pull request also contains documentation updates! Thank you.

> Implement Service-Level Authorization
> -------------------------------------
>                 Key: FLINK-3930
>                 URL: https://issues.apache.org/jira/browse/FLINK-3930
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing] design doc._
> Service-level authorization is the initial authorization mechanism to ensure clients (or servers) connecting to the Flink cluster are authorized to do so. The purpose is to prevent a cluster from being used by an unauthorized user, whether to execute jobs, disrupt cluster functionality, or gain access to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard

This message was sent by Atlassian JIRA
