[
https://issues.apache.org/jira/browse/BEAM-7190?focusedWorklogId=243797&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-243797
]
ASF GitHub Bot logged work on BEAM-7190:
----------------------------------------
Author: ASF GitHub Bot
Created on: 17/May/19 02:56
Start Date: 17/May/19 02:56
Worklog Time Spent: 10m
Work Description: lhaiesp commented on pull request #8597: [BEAM-7190]
Enable file based token auth for samza portable runner
URL: https://github.com/apache/beam/pull/8597
For Samza and potentially other portable runners which do not use Docker and
need to run in a multi-tenant environment, there is a need to secure the
communication between the SDK worker and the runner. Currently the SSL/TLS in
portability is half done.
However, after investigation we found that it's sufficient to just:
1. Use a loopback address, so that the traffic is not exposed to the external
network.
2. Enforce authentication, so that only valid users can connect to the ports.
With the two steps above, it won't be necessary to enable TLS, because the
data channel is only local and one needs root privilege to eavesdrop on the
local traffic.
A trivial way to do authentication is to share a secret token through the file
system (e.g. set the file permission to 600, i.e. -rw-------). Next we
introduce a customized interceptor for both the gRPC client and server to
provide and verify this token (see GrpcFileTokenAuthProvider.java and
token_auth_interceptor.py). The server can then deny any connection attempts
that do not have the right token.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 243797)
Time Spent: 10m
Remaining Estimate: 0h
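The scheme the PR comment describes (a secret token in a 0600 file, a client that attaches it to each gRPC call, a server interceptor that denies calls without it) can be sketched as follows. This is an added illustration, not the code from GrpcFileTokenAuthProvider.java or token_auth_interceptor.py in the PR; the metadata header name `auth-token`, the file name and the helper names are assumptions made here. It goes a little beyond the comment by also checking the token file's mode and owner on the reading side, creating the file with `O_EXCL` so an attacker-placed file or symlink is never followed, and comparing tokens in constant time.

```python
# Added example of file-based token auth for a loopback gRPC port; not Beam's own
# code. Header name, file layout and helper names are assumptions.
import hmac
import os
import secrets
import stat
import tempfile

TOKEN_METADATA_KEY = "auth-token"  # assumed header name; Beam's may differ


def write_token_file(path: str) -> str:
    """Generate a random token and store it in a new file with mode 0600.

    O_EXCL refuses to open an existing path, so a file or symlink pre-placed
    by another local user is neither followed nor overwritten, and the mode is
    applied at creation, so the file is never world-readable, not even briefly.
    """
    token = secrets.token_hex(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def read_token_file(path: str) -> str:
    """Load the token, refusing files that are not private to this user."""
    st = os.lstat(path)  # lstat: a symlink fails the regular-file check below
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} must be mode 0600, got {oct(st.st_mode & 0o777)}")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by another user")
    with open(path) as f:
        return f.read().strip()


def call_metadata(token: str):
    """Client side: metadata tuples to pass as `metadata=` on each RPC."""
    return [(TOKEN_METADATA_KEY, token)]


class TokenVerifier:
    """Server side: decide whether a call's metadata carries the right token."""

    def __init__(self, expected_token: str):
        self._expected = expected_token.encode()

    def is_authorized(self, metadata) -> bool:
        presented = [v for k, v in (metadata or ())
                     if k.lower() == TOKEN_METADATA_KEY]
        if len(presented) != 1:  # missing or duplicated header: deny
            return False
        value = presented[0]
        if isinstance(value, str):
            value = value.encode()
        # Constant-time comparison: a local attacker should not be able to
        # recover the token byte by byte through response timing.
        return hmac.compare_digest(value, self._expected)


try:
    import grpc
except ImportError:  # the logic above stays importable without grpcio
    grpc = None

if grpc is not None:
    class TokenServerInterceptor(grpc.ServerInterceptor):
        """Pass to grpc.server(..., interceptors=[...]) bound on 127.0.0.1."""

        def __init__(self, verifier: TokenVerifier):
            self._verifier = verifier

            def deny(request, context):
                context.abort(grpc.StatusCode.UNAUTHENTICATED,
                              "missing or invalid auth token")
            # Handler substituted for every rejected call; it aborts as soon
            # as it runs, so no response is ever produced for the caller.
            self._deny = grpc.unary_unary_rpc_method_handler(deny)

        def intercept_service(self, continuation, handler_call_details):
            md = handler_call_details.invocation_metadata
            if self._verifier.is_authorized(md):
                return continuation(handler_call_details)
            return self._deny


def demo() -> bool:
    """Provision, load with checks, verify, then reject a 0644 token file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "worker.token")
        token = write_token_file(path)
        ok = TokenVerifier(read_token_file(path)).is_authorized(
            call_metadata(token))
        os.chmod(path, 0o644)  # simulate a misconfigured, world-readable file
        try:
            read_token_file(path)
            return False
        except PermissionError:
            return ok


if __name__ == "__main__":
    print("demo ok" if demo() else "demo FAILED")
```

The server-side check is the piece that actually enforces the second step of the comment: with the port bound to a loopback address, every other local user can still connect to it, and only the token (readable solely by the owning user because of the 0600 mode) separates the legitimate SDK worker from them. Rejecting a token file that is group- or world-readable on the reading side means a misdeployed file fails closed rather than silently weakening the scheme.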
> enable file system based token authentication for portable runner
> -----------------------------------------------------------------
>
> Key: BEAM-7190
> URL: https://issues.apache.org/jira/browse/BEAM-7190
> Project: Beam
> Issue Type: Task
> Components: runner-samza
> Reporter: Hai Lu
> Assignee: Hai Lu
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> For Samza and potentially other portable runners, there is a need to secure
> the communication between the SDK worker and the runner. Currently the SSL/TLS in
> portability is half done.
> However, after investigation we found that it's sufficient to just 1) use a
> loopback address and 2) enforce authentication, and that way the communication is
> both authenticated and secured.
> This ticket intends to track the implementation of the solution above. More
> details can be found in the following PR.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)