[ https://issues.apache.org/jira/browse/FLINK-31020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17689187#comment-17689187 ]

Chesnay Schepler commented on FLINK-31020:
------------------------------------------

> We cannot guarantee that REST APIs other than submit/cancel/modify do not 
> use POST/PUT operations on the web UI.

This statement doesn't make any sense.

If we were to disable all mutating operations in the REST API, then any 
attempts from the UI to use these APIs will simply fail.


The bigger issue to me is that this is an extremely specific use-case that is 
only applicable in application mode where you _never_ even cancel a job with a 
savepoint.

> Read-only mode for Rest API
> ---------------------------
>
>                 Key: FLINK-31020
>                 URL: https://issues.apache.org/jira/browse/FLINK-31020
>             Project: Flink
>          Issue Type: New Feature
>          Components: Runtime / REST
>    Affects Versions: 1.16.1
>            Reporter: Omkar Deshpande
>            Priority: Major
>
> We run Flink jobs on an application cluster on Kubernetes. We don't 
> submit/cancel or modify jobs from the REST API or web UI. If there was an option 
> to enable only GET operations on the REST service, it would greatly solve the 
> problem of configuring access control and reduce the attack surface.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
