flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-3930) Implement Service-Level Authorization
Date Thu, 01 Sep 2016 14:19:21 GMT

    [ https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15455534#comment-15455534 ]

ASF GitHub Bot commented on FLINK-3930:
---------------------------------------

Github user rmetzger commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2425#discussion_r77182333
  
    --- Diff: flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java
---
    @@ -682,6 +774,91 @@ public static File getYarnPropertiesLocation(Configuration conf)
{
     		return new File(propertiesFileLocation, YARN_PROPERTIES_FILE + currentUser);
     	}
     
    +	public static void persistAppState(String appId, String cookie) {
    +		if(appId == null || cookie == null) { return; }
    +		String path = System.getProperty("user.home") + File.separator + fileName;
    +		LOG.debug("Going to persist cookie for the appID: {} in {} ", appId, path);
    +		try {
    +			File f = new File(path);
    +			if(!f.exists()) {
    +				f.createNewFile();
    +			}
    +			HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
    +			SubnodeConfiguration subNode = config.getSection(appId);
    +			if (subNode.containsKey(cookieKey)) {
    +				String errorMessage = "Secure Cookie is already found in "+ path + " for the appID:
"+ appId;
    +				LOG.error(errorMessage);
    +				throw new RuntimeException(errorMessage);
    +			}
    +			subNode.addProperty(cookieKey, cookie);
    +			config.save();
    +			LOG.debug("Persisted cookie for the appID: {}", appId);
    +		} catch(Exception e) {
    +			LOG.error("Exception occurred while persisting app state for app id: {}. Exception:
{}", appId, e);
    +			throw new RuntimeException(e);
    +		}
    +	}
    +
    +	public static String getAppSecureCookie(String appId) {
    +		if(appId == null) {
    +			String errorMessage = "Application ID cannot be null";
    +			LOG.error(errorMessage);
    +			throw new RuntimeException(errorMessage);
    +		}
    +
    +		String cookieFromFile;
    +		String path = System.getProperty("user.home") + File.separator + fileName;
    +		LOG.debug("Going to fetch cookie for the appID: {} from {}", appId, path);
    +
    +		try {
    +			File f = new File(path);
    +			if (!f.exists()) {
    +				String errorMessage = "Could not find the file: " + path + " in user home directory";
    +				LOG.error(errorMessage);
    +				throw new RuntimeException(errorMessage);
    +			}
    +			HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
    +			SubnodeConfiguration subNode = config.getSection(appId);
    +			if (!subNode.containsKey(cookieKey)) {
    +				String errorMessage = "Could  not find the app ID section in "+ path + " for the
appID: "+ appId;
    +				LOG.error(errorMessage);
    +				throw new RuntimeException(errorMessage);
    +			}
    +			cookieFromFile = subNode.getString(cookieKey, "");
    +			if(cookieFromFile.length() == 0) {
    +				String errorMessage = "Could  not find cookie in "+ path + " for the appID: "+ appId;
    +				LOG.error(errorMessage);
    +				throw new RuntimeException(errorMessage);
    +			}
    +		} catch(Exception e) {
    +			LOG.error("Exception occurred while fetching cookie for app id: {} Exception: {}",
appId, e);
    +			throw new RuntimeException(e);
    +		}
    +
    +		LOG.debug("Found cookie for the appID: {}", appId);
    +		return cookieFromFile;
    +	}
    +
    +	public static void removeAppState(String appId) {
    +		if(appId == null) { return; }
    +		String path = System.getProperty("user.home") + File.separator + fileName;
    +		LOG.debug("Going to remove the reference for the appId: {} from {}", appId, path);
    +		try {
    +			File f = new File(path);
    +			if (!f.exists()) {
    +				String errorMessage = "Could not find the file: " + path + " in user home directory";
    +				LOG.warn(errorMessage);
    +				return;
    +			}
    +			HierarchicalINIConfiguration config = new HierarchicalINIConfiguration(path);
    +			config.clearTree(appId);
    +			config.save();
    +			LOG.debug("Removed the reference for the appId: {} from {}", appId, path);
    +		} catch(Exception e) {
    +			LOG.warn("Exception occurred while fetching cookie for app id: {} Exception: {}",
appId, e);
    +		}
    +	}
    +
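Review bot: persistAppState creates the cookie file with `f.createNewFile()` and nothing in this hunk restricts its permissions, so the shared secret is written to a file whose mode is whatever the process umask gives it. Create the file owner-only in a single step (for example `java.nio.file.Files.createFile` with a `PosixFilePermissions.asFileAttribute` of `rw-------`) rather than creating it and tightening it afterwards, and have getAppSecureCookie refuse a file that is readable by group or others. The `if(!f.exists()) { f.createNewFile(); }` sequence is also a check-then-act, and the load, addProperty, save cycle on the shared INI file has no locking, so two sessions started by the same user at once can overwrite each other's sections. Two smaller points: the RuntimeExceptions thrown inside each `try` are caught by the same method's `catch(Exception e)`, so every failure is logged twice and rewrapped; and the warning in removeAppState still says "fetching cookie" where it should say it was removing the app state.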
    --- End diff --
    
    According to the design doc, the file is expected to be stored with special permissions.
Where are you setting those?


> Implement Service-Level Authorization
> -------------------------------------
>
>                 Key: FLINK-3930
>                 URL: https://issues.apache.org/jira/browse/FLINK-3930
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
design doc._
> Service-level authorization is the initial authorization mechanism to ensure clients
(or servers) connecting to the Flink cluster are authorized to do so.   The purpose is to
prevent a cluster from being used by an unauthorized user, whether to execute jobs, disrupt
cluster functionality, or gain access to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
