flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-3930) Implement Service-Level Authorization
Date Thu, 01 Sep 2016 17:55:20 GMT

    [ https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15456157#comment-15456157 ]

ASF GitHub Bot commented on FLINK-3930:
---------------------------------------

Github user vijikarthi commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2425#discussion_r77221958
  
    --- Diff: flink-runtime-web/src/main/java/org/apache/flink/runtime/webmonitor/HttpRequestHandler.java
---
    @@ -99,7 +110,43 @@ public void channelRead0(ChannelHandlerContext ctx, HttpObject msg)
{
     					currentDecoder.destroy();
     					currentDecoder = null;
     				}
    -				
    +
    +				if(secureCookie != null) {
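Review bot: the added `if(secureCookie != null)` guard in channelRead0 tests only for null, so an empty or whitespace-only value would still enter this branch. Consider normalizing the value once where the field is assigned, so that null and empty are treated the same, and state in a comment which case means the check is skipped. Style: put a space after `if`. Only the opening line of the added block is visible in this excerpt, so how the cookie is compared inside the branch cannot be assessed from these lines.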
    --- End diff --
    
    The secure cookie value could be auto-populated (Yarn) or user-provided but will be persisted
in the in-memory Flink configuration instance which is passed to the web layer during bootstrap.
Should the user decide to turn security off, then we expect the services to be restarted to
reflect the change?


> Implement Service-Level Authorization
> -------------------------------------
>
>                 Key: FLINK-3930
>                 URL: https://issues.apache.org/jira/browse/FLINK-3930
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing] design doc._
> Service-level authorization is the initial authorization mechanism to ensure clients
> (or servers) connecting to the Flink cluster are authorized to do so. The purpose is to
> prevent a cluster from being used by an unauthorized user, whether to execute jobs, disrupt
> cluster functionality, or gain access to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
