[ https://issues.apache.org/jira/browse/FLINK-17641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Flink Jira Bot updated FLINK-17641:
-----------------------------------
Labels: stale-major (was: )
I am the [Flink Jira Bot|https://github.com/apache/flink-jira-bot/] and I help
the community manage its development. I see this issue has been marked as
Major but is unassigned and neither itself nor its Sub-Tasks have been updated
for 30 days. I have gone ahead and added a "stale-major" to the issue. If this
ticket is a Major, please either assign yourself or give an update. Afterwards,
please remove the label or in 7 days the issue will be deprioritized.
> How to secure flink applications on yarn on multi-tenant environment
> --------------------------------------------------------------------
>
> Key: FLINK-17641
> URL: https://issues.apache.org/jira/browse/FLINK-17641
> Project: Flink
> Issue Type: Improvement
> Components: Deployment / YARN
> Reporter: Ethan Li
> Priority: Major
> Labels: stale-major
>
> This is a question I wish to get some insights on.
> We are trying to support and secure flink on a shared yarn cluster. Besides the
> security provided by yarn side (queueACL, kerberos), what I noticed is that
> flink CLI can still interact with the flink job as long as it knows the
> jobmanager rpc port/hostname and rest.port, which can be obtained easily with
> yarn command.
> Also on the UI side, on yarn cluster, users can visit flink job UI via yarn
> proxy using browser. As long as the user can authenticate and view yarn
> resourcemanager webpage, he/she can visit the flink UI without any problem.
> This basically means Flink UI is wide-open to corp internal users.
> On the internal connection side, I am aware of the support added in 1.10 to
> limit the mTLS connection by configuring
> security.ssl.internal.cert.fingerprint
> (https://ci.apache.org/projects/flink/flink-docs-stable/ops/security-ssl.html)
> This works but it is not very flexible. Users need to update the config if
> the cert changes before they submit a new job.
> I asked a similar question on the mailing list before. I am really
> interested in how other folks deal with this issue. Thanks.