Hi Vijay, Thank you for updating the pull request. I appreciate your work in the security realm of Flink and value your contributions so far. It would be great to merge the authorization pull request for the release. However, I don't feel comfortable about the network stack (i.e. Netty) related changes because they touch a very critical part of the Flink engine. While the code has already been iterated over in the lifetime of the pull request, I still think somebody extremely familiar with Netty and the Flink network layer should check out the changes (thinking about Ufuk here). Apart from that, I would like to further test the changes to harden the code.
It seems like we lack the resources for now to properly to take care of your pull request before the release. Unless someone from the community is really eager to help out here, I would be in favor of merging the pull request to the master after the release branch has been forked off. We should make sure it gets the attention it deserves then. Thanks, Max On Mon, Dec 12, 2016 at 8:09 AM, Vijay <vijikar...@yahoo.com> wrote: > On FLINK-3930, almost all of the feedback has been addressed. The only > pending review is Netty cookie authorization part which I have moved the > cookie validation from message level to a separate channel handler. I have > just rebased the code with master for final review. > > Regards, > Vijay > > Sent from my iPhone > >> On Dec 8, 2016, at 1:17 AM, Robert Metzger <rmetz...@apache.org> wrote: >> >> Thank you for your responses Max and Vijay. >> So I understand that Mesos is basically ready for the 1.2 release. >> >> Regarding the security changes: Having Hadoop, Kafka and Zookeeper >> integration is a big improvement and a much requested feature. I'm super >> excited to have that in :) >> Are all the other security changes useless without authorization, or could >> we consider releasing 1.2 without it? (Another way to think about it: How >> close is the PR to being merged. If its just a final review & we are done, >> I would actually try to get it in. But if there's a lot of uncertainty, I >> would prefer to move it to the next release) >> >> I agree regarding FLINK-2821, that's important for many deployments. >> >> >> The updated list: >> - RESOLVED dynamic Scaling / Key Groups (FLINK-3755) >> - RESOLVED Add Rescalable Non-Partitioned State (FLINK-4379) >> - RESOLVED [Split for 1.3] Add Flink 1.1 savepoint backwards compatability >> (FLINK-4797) >> - RESOLVED [Split for 1.3] Integrate Flink with Apache Mesos (FLINK-1984) >> - UNRESOLVED Secure Data Access (FLINK-3930) >> - RESOLVED Queryable State (FLINK-3779) >> - RESOLVED Metrics in Webinterface (FLINK-4389) >> - RESOLVED Kafka 0.10 support (FLINK-4035) >> - RESOLVED Table API: Group Window Aggregates (FLINK-4691, FLIP-11) >> - RESOLVED Table API: Scalar Functions (FLINK-3097) >> Added by Stephan: >> - NON-BLOCKING [Pending PR] Provide support for asynchronous operations >> over streams (FLINK-4391) >> - ONGOING [beginning of next week] Unify Savepoints and Checkpoints >> (FLINK-4484) >> Added by Fabian: >> - ONGOING [Pending PR] Clean up the packages of the Table API (FLINK-4704) >> - UNRESOLVED Move Row to flink-core (FLINK-5186) >> Added by Max: >> - ONGOING [Pending PR] Change Akka configuration to allow accessing actors >> from different URLs (FLINK-2821) >> >> >> On Wed, Dec 7, 2016 at 12:40 PM, Maximilian Michels <m...@apache.org> wrote: >> >>>> - UNRESOLVED Integrate Flink with Apache Mesos (FLINK-1984) >>> >>> The initial integration is already completed with the last issues >>> being resolved in the Mesos component: >>> https://issues.apache.org/jira/browse/FLINK/component/12331068/ The >>> implementation will be further refined after the next release and with >>> the merge of FLIP-6. We're missing documentation on how to deploy a >>> Flink Mesos cluster. >>> >>>> - UNRESOLVED Secure Data Access (FLINK-3930) >>> >>> We have support for Kerberos authentication with Haddop, Kafka, >>> Zookeper, and all services supporting JAAS. Additionally, we >>> implemented SSL encryption for all communications paths, i.e. web >>> interface, Akka, Netty, BlobServer. We still lack support for >>> authorization: Vijay's PR is blocked because we haven't found time to >>> properly review the sensitive network changes. >>> >>> I'd like to add the Akka changes for containered environments which >>> should be ready by the end of the week: >>> https://issues.apache.org/jira/browse/FLINK-2821 >>> >>> -Max >>> >>> On Tue, Dec 6, 2016 at 8:57 PM, Vijay <vijikar...@yahoo.com.invalid> >>> wrote: >>>>>> Secure Data Access (FLINK-3930) >>>> >>>> The PR for the work is still under review and I hope this could be >>> included in the release. >>>> >>>> Regards, >>>> Vijay >>>> >>>> Sent from my iPhone >>>> >>>>> On Dec 6, 2016, at 11:51 AM, Robert Metzger <rmetz...@apache.org> >>> wrote: >>>>> >>>>> UNRESOLVED Secure Data Access (FLINK-3930) >>>> >>> >
