[jira] [Created] (FLINK-10371) Allow to enable SSL mutual authentication on REST endpoints by configuration

Wed, 19 Sep 2018 07:02:36 -0700 

Johannes Dillmann created FLINK-10371:
-----------------------------------------

             Summary: Allow to enable SSL mutual authentication on REST 
endpoints by configuration
                 Key: FLINK-10371
                 URL: https://issues.apache.org/jira/browse/FLINK-10371
             Project: Flink
          Issue Type: Improvement
          Components: Client, REST, Security
    Affects Versions: 1.6.0, 1.7.0
            Reporter: Johannes Dillmann
             Fix For: 1.6.1, 1.7.0


With Flink 1.6 SSL mutual authentication was introduced for internal 
connectivity in FLINK-9312. 
 SSL support for external connectivity was also introduced in regard to 
encryption of the connection and verification of the Flink REST endpoint from 
the client side.

But _mutual authentication between the REST endpoint and clients is not 
supported yet_.
 The [documentation suggests 
|https://ci.apache.org/projects/flink/flink-docs-release-1.6/ops/security-ssl.html]
 using a side car proxy to enable SSL mutual auth on the REST endpoint and 
points out the advantages of using a feature rich proxy.

While this is a good rationale, there are still important use cases for support 
of  simple mutual authentication directly in Flink: Mainly support for using 
standard images in a containerized environment.

There are tools used to setup Flink Jobs (for example on Kubernetes clusters) 
and act as gateways to the Flink REST endpoint and the Flink web interface. To 
prevent unauthorised access to Flink the connectivity has to be secured. As the 
tools acts as gateway it is easy to create and pass a shared keystore  and 
truststore used for mutual authentication to the Flink instances configurations.

To enable for SSL mutual authentication on REST endpoints, I am suggesting to 
add a the configuration parameter `security.ssl.rest.authentication-enabled` 
which defaults to `false`.
 If it is set to `true` the `SSLUtils` factories for creating the REST server 
endpoint and the REST clients should set authentication to required and share 
`security.ssl.rest.keystore` and `security.ssl.rest.truststore` to setup SSL 
mutual authenticated connections.

 

I have a working prototype which I would gladly submit as a PR to get further 
feedback. The changes to Flink are minimal and the default behaviour won't 
change.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to