[
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15439611#comment-15439611
]
ASF GitHub Bot commented on FLINK-3930:
---------------------------------------
GitHub user vijikarthi opened a pull request:
https://github.com/apache/flink/pull/2425
FLINK-3930 Added shared secret based authorization for Flink service …
This PR addresses FLINK-3930 requirements. It enables shared secret based
secure cookie authorization for the following components
- Akka layer
- Blob Service
- Web UI
Secure cookie authentication can be enabled by providing below
configurations to Flink configuration file.
- `security.enabled`: A boolean value (true|false) indicating security is
enabled or not.
- `security.cookie` : Secure cookie value to be used for authentication.
For standalone deployment mode, the secure cookie value is mandatory when
security is enabled but for the Yarn mode it is optional (auto-generated if not
provided).
Alternatively, secure cookie value can be provided through Flink/Yarn CLI
using "-k" or "--cookie" parameter option.
The web runtime module prompts for secure cookie using standard basic HTTP
authentication mechanism, where the user id field is a noop and the password
field will be used to capture the secure cookie.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/vijikarthi/flink FLINK-3930
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/2425.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2425
----
commit 33d391cb17e68dd203328a91fa6b63218884b49d
Author: Vijay Srinivasaraghavan <[email protected]>
Date: 2016-08-26T19:02:20Z
FLINK-3930 Added shared secret based authorization for Flink service
components
----
> Implement Service-Level Authorization
> -------------------------------------
>
> Key: FLINK-3930
> URL: https://issues.apache.org/jira/browse/FLINK-3930
> Project: Flink
> Issue Type: New Feature
> Reporter: Eron Wright
> Assignee: Vijay Srinivasaraghavan
> Labels: security
> Original Estimate: 672h
> Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
> design doc._
> Service-level authorization is the initial authorization mechanism to ensure
> clients (or servers) connecting to the Flink cluster are authorized to do so.
> The purpose is to prevent a cluster from being used by an unauthorized
> user, whether to execute jobs, disrupt cluster functionality, or gain access
> to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
