[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

Thu, 17 Nov 2016 16:27:07 -0800 

    [ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15675269#comment-15675269
 ] 

ASF GitHub Bot commented on FLINK-3930:
---------------------------------------

Github user vijikarthi commented on the issue:

    https://github.com/apache/flink/pull/2425
  
    @StephanEwen, @mxm  I have updated the documentation changes as suggested, 
moved common code from BlobUtils to SecurityContext, added new ConfigOptions 
class for security configurations lookup. 
    
    >
    The cookie is added to every single message/buffer that is transferred. 
That is too much - securing the integrity of the stream is responsibility of 
the encryption layer. The cookie should be added to requests messages that 
establish connections only.
    
    I have added a new handler code to front load the secure cookie validation. 
These handlers are added to both `NettyServer` and `NettyClient` pipeline right 
after the SSL handler is added. I still kept the original code that passes 
cookie for every message (will remove the logic if you are okay with the 
handler implementation)
    
    Please review and let me know your feedback.


> Implement Service-Level Authorization
> -------------------------------------
>
>                 Key: FLINK-3930
>                 URL: https://issues.apache.org/jira/browse/FLINK-3930
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Eron Wright 
>            Assignee: Vijay Srinivasaraghavan
>              Labels: security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the [Secure Data 
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
>  design doc._
> Service-level authorization is the initial authorization mechanism to ensure 
> clients (or servers) connecting to the Flink cluster are authorized to do so. 
>   The purpose is to prevent a cluster from being used by an unauthorized 
> user, whether to execute jobs, disrupt cluster functionality, or gain access 
> to secrets stored within the cluster.
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to