[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-08-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116980#comment-16116980
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user EronWright commented on the issue:

https://github.com/apache/flink/pull/2425
  
Note to future self: to generate a self-signed certificate, use 
`CertAndKeyGen` and see 
[OPENDJ-2247](https://bugster.forgerock.org/jira/browse/OPENDJ-2247).


> Implement Service-Level Authorization
> -------------------------------------
>
>                 Key: FLINK-3930
>                 URL: https://issues.apache.org/jira/browse/FLINK-3930
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Eron Wright
>            Assignee: Vijay Srinivasaraghavan
>              Labels: security
>   Original Estimate: 672h
>  Remaining Estimate: 672h
>
> _This issue is part of a series of improvements detailed in the
> [Secure Data Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
> design doc._
>
> Service-level authorization is the initial authorization mechanism to ensure
> clients (or servers) connecting to the Flink cluster are authorized to do so.
> The purpose is to prevent a cluster from being used by an unauthorized
> user, whether to execute jobs, disrupt cluster functionality, or gain access
> to secrets stored within the cluster.
>
> Implement service-level authorization as described in the design doc.
> - Introduce a shared secret cookie
> - Enable Akka security cookie
> - Implement data transfer authentication
> - Secure the web dashboard



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-17 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15930108#comment-15930108
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi closed the pull request at:

https://github.com/apache/flink/pull/2425





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-16 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15928528#comment-15928528
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
@StephanEwen It's absolutely fine with me and I will cancel this PR.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-15 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15927451#comment-15927451
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user WangTaoTheTonic commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r106335560
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/CookieHandler.java
 ---
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.runtime.io.network.netty;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.Unpooled;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import io.netty.handler.codec.MessageToMessageDecoder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class CookieHandler {
+
+   public static class ClientCookieHandler extends 
ChannelInboundHandlerAdapter {
+
+   private final Logger LOG = 
LoggerFactory.getLogger(ClientCookieHandler.class);
+
+   private final String secureCookie;
+
+   final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
+   public ClientCookieHandler(String secureCookie) {
+   this.secureCookie = secureCookie;
+   }
+
+   @Override
+   public void channelActive(ChannelHandlerContext ctx) throws 
Exception {
+   super.channelActive(ctx);
+   LOG.debug("In channelActive method of 
ClientCookieHandler");
+
+   if(this.secureCookie != null && 
this.secureCookie.length() != 0) {
+   LOG.debug("In channelActive method of 
ClientCookieHandler -> sending secure cookie");
+   final ByteBuf buffer = Unpooled.buffer(4 + 
this.secureCookie.getBytes(DEFAULT_CHARSET).length);
+   
buffer.writeInt(secureCookie.getBytes(DEFAULT_CHARSET).length);
+   
buffer.writeBytes(secureCookie.getBytes(DEFAULT_CHARSET));
+   ctx.writeAndFlush(buffer);
+   }
+   }
+   }
+
+   public static class ServerCookieDecoder extends 
MessageToMessageDecoder {
+
+   private final String secureCookie;
+
+   private final List channelList = new ArrayList<>();
+
+   private final Charset DEFAULT_CHARSET = 
Charset.forName("utf-8");
+
+   private final Logger LOG = 
LoggerFactory.getLogger(ServerCookieDecoder.class);
+
+   public ServerCookieDecoder(String secureCookie) {
+   this.secureCookie = secureCookie;
+   }
+
+   /**
+* Decode from one message to an other. This method will be 
called for each written message that can be handled
+* by this encoder.
+*
+* @param ctx the {@link ChannelHandlerContext} which this 
{@link MessageToMessageDecoder} belongs to
+* @param msg the message to decode to an other one
+* @param out the {@link List} to which decoded messages should 
be added
+* @throws Exception is thrown if an error accour
+*/
+   @Override
+   protected void decode(ChannelHandlerContext ctx, ByteBuf msg, 
List out) throws Exception {
+
+   LOG.debug("ChannelHandlerContext name: {}, channel: 
{}", ctx.name(), ctx.channel());
+
+   if(secureCookie == null || secureCookie.length() == 0) {
+   LOG.debug("Not validating secure cookie since 
the server configuration is not enabled to use cookie");
+  
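Review bot: In `ServerCookieDecoder.decode`, the branch for a null or empty `secureCookie` skips validation and reports that only at debug level, so a server started without a cookie accepts every peer and an operator is unlikely to notice. Decide this once when the pipeline is built (leave the decoder out, or fail start-up when security is enabled but no cookie is configured) and log the unauthenticated mode at WARN. In `ClientCookieHandler.channelActive`, `secureCookie.getBytes(DEFAULT_CHARSET)` is evaluated three times; encode once into a local `byte[]` and reuse it for the buffer size, `writeInt` and `writeBytes`. `LOG` and `DEFAULT_CHARSET` are per-instance fields in both classes and should be `static final`.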

[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-15 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15927446#comment-15927446
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user WangTaoTheTonic commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r106335331
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/CookieHandler.java
 ---
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.runtime.io.network.netty;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.Unpooled;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import io.netty.handler.codec.MessageToMessageDecoder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class CookieHandler {
+
+   public static class ClientCookieHandler extends 
ChannelInboundHandlerAdapter {
+
+   private final Logger LOG = 
LoggerFactory.getLogger(ClientCookieHandler.class);
+
+   private final String secureCookie;
+
+   final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
+   public ClientCookieHandler(String secureCookie) {
+   this.secureCookie = secureCookie;
+   }
+
+   @Override
+   public void channelActive(ChannelHandlerContext ctx) throws 
Exception {
+   super.channelActive(ctx);
+   LOG.debug("In channelActive method of 
ClientCookieHandler");
+
+   if(this.secureCookie != null && 
this.secureCookie.length() != 0) {
+   LOG.debug("In channelActive method of 
ClientCookieHandler -> sending secure cookie");
+   final ByteBuf buffer = Unpooled.buffer(4 + 
this.secureCookie.getBytes(DEFAULT_CHARSET).length);
+   
buffer.writeInt(secureCookie.getBytes(DEFAULT_CHARSET).length);
+   
buffer.writeBytes(secureCookie.getBytes(DEFAULT_CHARSET));
+   ctx.writeAndFlush(buffer);
+   }
+   }
+   }
+
+   public static class ServerCookieDecoder extends 
MessageToMessageDecoder {
+
+   private final String secureCookie;
+
+   private final List channelList = new ArrayList<>();
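Review bot: `channelList` in `ServerCookieDecoder` is a plain `ArrayList` kept as handler state; if one decoder instance is ever added to more than one channel's pipeline it will be accessed from several event-loop threads without synchronization, and the visible part of the class shows nothing that removes a channel once it closes. Each connection only needs an authorized yes/no, so a boolean field on a per-channel decoder instance, or a channel attribute, would avoid both the shared collection and the cleanup problem.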
--- End diff --

Is it better to use `Set` instead of a `List` here? As it is mainly used 
for lookup.





--
This message was sent by Atlassian JIRA

[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-15 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15926045#comment-15926045
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/2425
  
@vijikarthi I hope you are okay with exploring that option - this is not 
saying that this pull request is not a good solution, but whenever we have to 
maintain less code it makes things easier.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-15 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15926044#comment-15926044
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/2425
  
Thanks Eron, that makes a lot of sense.

My first thought would be: Let's add SSL mutual authentication. That seems 
desirable anyways and we would not need another mechanism (shared secret). Do 
you know if newer versions of Akka support this mutual auth? We may be able to 
upgrade if we drop Java 7, or we could see if there is a lightweight way to 
patch this into flakka.






--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15924834#comment-15924834
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user EronWright commented on the issue:

https://github.com/apache/flink/pull/2425
  
@StephanEwen keep in mind that Flink's current SSL support doesn't 
achieve _mutual authentication_ - there's no client certificate there. With 
SSL enabled, an untrusted client can launch jobs in your Flink cluster and thus 
gain access to the Kerberos credential associated with the cluster.

SSL mutual authentication is a good alternative to a shared secret, but at 
the time we were limited to built-in Akka functionality (which doesn't include 
mutual auth).   Given the "flakka" fork that's now in place, a pure SSL 
solution might now be possible (I haven't thought it through completely).

The fact remains that, today, _all the secrets known to a Flink job are 
exposed to everyone who can connect to the cluster's endpoint_.  

It would be nice to construct a holistic plan that worked out how the Web 
UI would support authentication and also incorporated FLIP-6.  Both YARN 
and Mesos interpose a web proxy for the UI with its own limitations, notably no 
support for SSL mutual auth.






--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
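
The gap described in the comment above (TLS that authenticates only the server, versus mutual authentication), as an added example that is not part of the original thread or of Flink's code. It uses plain JSSE sockets rather than Akka or Netty, and the JDK-internal `CertAndKeyGen` class mentioned elsewhere in this thread; the class name `MutualTlsDemo`, the aliases and the password are constructed for illustration.

```java
// Added example, not Flink code. CertAndKeyGen and X500Name are JDK-internal
// classes (JDK 8+ package names shown); on JDK 9+ compile and run with
//   --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class MutualTlsDemo {

    // Constructed value; only protects the in-memory key entries of this demo.
    private static final char[] PASSWORD = "constructed-demo-password".toCharArray();

    static KeyStore emptyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }

    /** In-memory key store holding one fresh self-signed identity under alias commonName. */
    static KeyStore selfSignedIdentity(String commonName) throws Exception {
        CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");
        gen.generate(2048);
        Certificate cert = gen.getSelfCertificate(new X500Name("CN=" + commonName), 3600L); // valid for 1 hour
        KeyStore ks = emptyStore();
        ks.setKeyEntry(commonName, gen.getPrivateKey(), PASSWORD, new Certificate[] {cert});
        return ks;
    }

    /** Trust store that contains exactly the given certificate. */
    static KeyStore trusting(Certificate cert) throws Exception {
        KeyStore ts = emptyStore();
        ts.setCertificateEntry("trusted-peer", cert);
        return ts;
    }

    /** identity == null models a peer that has no certificate to present. */
    static SSLContext context(KeyStore identity, KeyStore trust) throws Exception {
        KeyManager[] keyManagers = new KeyManager[0];
        if (identity != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, PASSWORD);
            keyManagers = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns true when the server side completes the TLS handshake with the client. */
    static boolean serverAccepts(SSLContext server, SSLContext client, boolean needClientAuth) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (SSLServerSocket listener =
                 (SSLServerSocket) server.getServerSocketFactory().createServerSocket(0, 1, loopback)) {
            listener.setNeedClientAuth(needClientAuth); // the one switch that turns on mutual auth
            listener.setSoTimeout(5000);
            int port = listener.getLocalPort();
            Thread peer = new Thread(() -> {
                try (SSLSocket c = (SSLSocket) client.getSocketFactory().createSocket(loopback, port)) {
                    c.startHandshake();
                    c.getInputStream().read(); // wait for the server's verdict: one byte or a TLS alert
                } catch (IOException refusedByServer) {
                    // expected when the server demands a certificate the client cannot present
                }
            });
            peer.start();
            try (SSLSocket accepted = (SSLSocket) listener.accept()) {
                accepted.startHandshake(); // throws when a required client certificate is missing or untrusted
                accepted.getOutputStream().write(1);
                return true;
            } catch (IOException rejected) {
                return false;
            } finally {
                peer.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore serverId = selfSignedIdentity("constructed-server");
        KeyStore clientId = selfSignedIdentity("constructed-client");
        SSLContext server = context(serverId, trusting(clientId.getCertificate("constructed-client")));
        KeyStore trustServer = trusting(serverId.getCertificate("constructed-server"));
        SSLContext anonymous = context(null, trustServer);      // trusts the server, has no identity
        SSLContext authorized = context(clientId, trustServer); // presents the certificate the server trusts

        System.out.println("server-auth only, no client cert: " + serverAccepts(server, anonymous, false));
        System.out.println("mutual auth, no client cert:      " + serverAccepts(server, anonymous, true));
        System.out.println("mutual auth, trusted client cert: " + serverAccepts(server, authorized, true));
    }
}
```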


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15924477#comment-15924477
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
@StephanEwen The shared secret can be considered as an additional 
security extension on top of TLS integration, thus it designates only an 
authorized identity to execute actions on a running cluster.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15924235#comment-15924235
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/2425
  
Sorry for chiming in a bit late here with this more fundamental question.

I would like to understand from a security architecture, what additional 
security this shared secret gives us:
  - If there is no encryption, then this shared secret is not very secure, 
as it can be sniffed from the network
  - When there is encryption, isn't the current assumption that all parties 
have access to the server-side certificate? Would that already be a form of 
shared secret, meaning that certificate-based authentication as part of the SSL 
handshake already covers the mechanism of a shared secret?





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2017-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15906765#comment-15906765
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user Rucongzhang commented on the issue:

https://github.com/apache/flink/pull/2425
  
@vijikarthi, when will you push this issue to the master? I can help you, 
if you need any help. Thanks!





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-17 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15675235#comment-15675235
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r88576086
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
+
+- Akka Endpoints
+
+- Flink Web Module
+
+- Blob Service
+
+- Task Manager/Netty data transfer communication 
+
+## Security Configurations
+
+Secure cookie configuration can be supplied by adding below configuration 
elements to Flink configuration file:
+
+- `security.enabled`: A boolean value (true|false) indicating security is 
enabled or not.
+
+- `security.cookie` : Secure cookie value to be used for authorization
+
+Once a cluster is configured to run with secure cookie option, any request 
to the cluster will be validated for the existence of secure cookie.
+
+## Standalone Mode:
+
+In standalone mode of deployment, if security is enabled then it is 
mandatory to provide the secure cookie configuration in the Flink configuration 
file. A missing cookie configuration will flag an error.
+
+## Yarn Mode:
+
+In Yarn mode of deployment, secure cookie can be provided in multiple ways.
+
+- Flink configuration
+
+- As command line argument (-k or --cookie) to Yarn session CLI 
+
+- Auto generated if not supplied through Flink configuration or Yarn 
session CLI argument
+
+The secure cookie will be made available as container environment variable 
for the application containers (JM/TM) to make use of it.
+
+On the client machine from where the Yarn session CLI is used to create 
the Flink application, the application specific secure cookie will be persisted 
in an INI file format in the user home directory. Any subsequent access to the 
Flink cluster using Yarn Session CLI (by passing the application ID) will 
automatically include appropriate secure cookie associated with the application 
ID to communicate with the cluster.
+
+Since the secure cookie is persisted in the user home directory, it is 
safe enough to consider that it can be accessed only by the user who created 
the cluster.
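Review bot: The closing paragraph of the Yarn section treats the home directory as the access control for the persisted cookie, but who can read the INI file is decided by the file's mode, not by its location. State the mode the CLI creates the file with (owner-only, 0600) and say so in this paragraph instead of "safe enough". The same section hands the cookie to the JM/TM containers as an environment variable, so it should also say who can read container environments on the cluster nodes, and the `security.cookie` entry in the Flink configuration file deserves the same file-permission remark.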
--- End diff --

standard linux file permission - 664





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-09 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15652272#comment-15652272
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
@StephanEwen @mxm - Could you please review the proposed change and let me 
know if you are okay with it.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15642713#comment-15642713
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
> The cookie is added to every single message/buffer that is transferred. 
> That is too much - securing the integrity of the stream is the responsibility of 
> the encryption layer. The cookie should be added to request messages that 
> establish connections only.

I will change the code to address cookie handling right after the SSL 
handshake using a new handler and drop the cookie passing for every message. 
The handler will be added to the pipeline of both `NettyClient` and 
`NettyServer`. Client will send the cookie when the channel becomes active and 
the server will validate and keep track of the clients that are authorized. 

Here is the pseudo-code for Client and Server handlers. Please take a look 
and let me know if you are okay with this approach and I will modify the code.

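```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.MessageToMessageDecoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

// Enclosing class added so that the two nested handlers compile; its name is illustrative.
public class CookieHandlers {

    private static final Logger LOG = LoggerFactory.getLogger(CookieHandlers.class);

    private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8;

    /** Client side: sends the length-prefixed cookie once, when the channel becomes active. */
    public static class ClientCookieHandler extends ChannelInboundHandlerAdapter {

        // Encoded once in the constructor instead of on every use.
        private final byte[] cookieBytes;

        public ClientCookieHandler(String secureCookie) {
            this.cookieBytes = secureCookie == null
                ? new byte[0] : secureCookie.getBytes(DEFAULT_CHARSET);
        }

        @Override
        public void channelActive(ChannelHandlerContext ctx) throws Exception {
            super.channelActive(ctx);

            if (cookieBytes.length != 0) {
                // Frame layout: cookie length (4 bytes), then the cookie bytes.
                final ByteBuf buffer = Unpooled.buffer(4 + cookieBytes.length);
                buffer.writeInt(cookieBytes.length);
                buffer.writeBytes(cookieBytes);
                ctx.writeAndFlush(buffer);
            }
        }
    }

    /** Server side: validates the cookie on the first message of each channel. */
    public static class ServerCookieDecoder extends MessageToMessageDecoder<ByteBuf> {

        private final byte[] cookieBytes;

        // Channels that have already presented a valid cookie.
        private final List<Channel> channelList = new ArrayList<>();

        public ServerCookieDecoder(String secureCookie) {
            this.cookieBytes = secureCookie == null
                ? new byte[0] : secureCookie.getBytes(DEFAULT_CHARSET);
        }

        @Override
        protected void decode(ChannelHandlerContext ctx, ByteBuf msg, List<Object> out)
                throws Exception {

            // No cookie configured, or channel already authorized: pass the message on.
            // retain() is required because MessageToMessageDecoder releases msg after decode().
            if (cookieBytes.length == 0 || channelList.contains(ctx.channel())) {
                out.add(msg.retain());
                return;
            }

            // read cookie based on the cookie length passed
            // (assumes the whole cookie frame arrives in this one ByteBuf)
            int cookieLength = msg.readInt();
            if (cookieLength != cookieBytes.length) {
                String message = "Cookie length does not match with source cookie. "
                    + "Invalid secure cookie passed.";
                throw new IllegalStateException(message);
            }

            // read only if cookie length is greater than zero
            if (cookieLength > 0) {

                final byte[] buffer = new byte[cookieLength];
                msg.readBytes(buffer, 0, cookieLength);

                // constant-time comparison, so timing does not leak how much of the cookie matched
                if (!MessageDigest.isEqual(cookieBytes, buffer)) {
                    LOG.error("Secure cookie from the client is not matching with the server's identity");
                    throw new IllegalStateException("Invalid secure cookie passed.");
                }

                LOG.info("Secure cookie validation passed");

                channelList.add(ctx.channel());
            }

            // forward any bytes that followed the cookie in the same buffer
            if (msg.isReadable()) {
                out.add(msg.retain());
            }
        }
    }
}
```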
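
The connection-level handshake proposed above, as an added example that is not part of the original comment or of Flink's code: a Netty 4 `ByteToMessageDecoder` that waits for a complete length-prefixed cookie even when it is split across reads, compares it in constant time, and removes itself once the channel is authorized. The class names, the cookie values and the use of `EmbeddedChannel` as a harness are assumptions made for the illustration.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.ByteToMessageDecoder;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

// Added example: class names and cookie values are hypothetical, not Flink code.
public class CookieHandshakeExample {

    /**
     * Server side, placed first after the SSL handler. Expects [int length][cookie bytes]
     * as the first bytes of a connection, then removes itself from the pipeline.
     */
    static final class CookieHandshakeDecoder extends ByteToMessageDecoder {

        private final byte[] expected; // encoded once, always as UTF-8

        CookieHandshakeDecoder(String cookie) {
            this.expected = cookie.getBytes(StandardCharsets.UTF_8);
        }

        @Override
        protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
            if (in.readableBytes() < 4) {
                return; // length prefix still incomplete, wait for more bytes
            }
            // Peek at the length without consuming it. Rejecting a wrong length here
            // means the server never buffers a peer-chosen amount of data.
            int length = in.getInt(in.readerIndex());
            if (length != expected.length) {
                reject(ctx, in);
                return;
            }
            if (in.readableBytes() < 4 + length) {
                return; // cookie split across reads, wait for the rest
            }
            in.skipBytes(4);
            byte[] presented = new byte[length];
            in.readBytes(presented);
            // Constant-time comparison: timing does not reveal how many bytes matched.
            if (!MessageDigest.isEqual(expected, presented)) {
                reject(ctx, in);
                return;
            }
            // Authorized. Once removed, this handler adds no per-message cost;
            // ByteToMessageDecoder hands bytes it already buffered to the next handler.
            ctx.pipeline().remove(this);
        }

        private static void reject(ChannelHandlerContext ctx, ByteBuf in) {
            in.skipBytes(in.readableBytes()); // discard, nothing reaches later handlers
            ctx.close();
        }
    }

    /** Builds [int length][cookie][payload] as a client would send it (constructed sample). */
    static byte[] frame(String cookie, String payload) {
        byte[] c = cookie.getBytes(StandardCharsets.UTF_8);
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(4 + c.length + p.length).putInt(c.length).put(c).put(p).array();
    }

    /** Feeds the frame in two fragments; returns what reached the next handler, or null. */
    static String deliver(String serverCookie, byte[] frame, int splitAt) {
        EmbeddedChannel ch = new EmbeddedChannel(new CookieHandshakeDecoder(serverCookie));
        ch.writeInbound(Unpooled.wrappedBuffer(frame, 0, splitAt));
        if (ch.isOpen()) { // the first fragment may already have caused a rejection
            ch.writeInbound(Unpooled.wrappedBuffer(frame, splitAt, frame.length - splitAt));
        }
        ByteBuf forwarded = (ByteBuf) ch.readInbound();
        if (forwarded == null) {
            return null;
        }
        String text = forwarded.toString(StandardCharsets.UTF_8);
        forwarded.release();
        return text;
    }

    public static void main(String[] args) {
        String cookie = "constructed-cookie-value";
        byte[] good = frame(cookie, "first-data-message");
        byte[] wrongBytes = frame("constructed-cookie-valuX", "first-data-message");
        byte[] wrongLength = frame("short", "first-data-message");

        System.out.println("valid cookie, split mid-cookie -> " + deliver(cookie, good, 6));
        System.out.println("valid cookie, split mid-length -> " + deliver(cookie, good, 2));
        System.out.println("same length, wrong bytes       -> " + deliver(cookie, wrongBytes, 6));
        System.out.println("wrong length                   -> " + deliver(cookie, wrongLength, 6));
    }
}
```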



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636639#comment-15636639
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/2425
  
The Netty logic needs some improvements:

  - The cookie is added to every single message/buffer that is transferred. 
That is too much - securing the integrity of the stream is the responsibility of 
the encryption layer. The cookie should be added to request messages that 
establish connections only.

  - Charset lookups and cookie to bytes encoding happen for every buffer, 
rather than once in an initialization step.

  - The String to byte conversion is not consistent. Sometimes it uses the 
default platform encoding, sometimes "UTF-8". 




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636613#comment-15636613
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86564819
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
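Review bot: the inline comment on the new `HEADER_LENGTH` labels the extra four bytes `Cookie (4)`, but a four-byte field can only hold the cookie's length, so the comment should read `cookie length (4)`. If the cookie bytes themselves follow that field, the header is no longer fixed-size and `HEADER_LENGTH` under-counts it by the cookie length; please either document where the variable part is accounted for or keep the cookie out of the per-frame header.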
--- End diff --

Looks like this is the cookie length




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636444#comment-15636444
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86548851
  
--- Diff: docs/setup/yarn_setup.md ---
@@ -134,6 +140,14 @@ Flink on YARN will only start all requested containers 
if enough resources are a
 some account also for the number of vcores. By default, the number of 
vcores is equal to the processing slots (`-s`) argument. The 
`yarn.containers.vcores` allows overwriting the
 number of vcores with a custom value.
 
+### Service Authorization using Secure Cookie
+
+If service authorization for the cluster components (Akka, Blob Service, 
Web UI) is enabled, you could pass the secure cookie value as command line 
argument (-k or --cookie) instead of hardcoding the value in Flink 
configuration file.
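Review bot: the added paragraph recommends `-k` / `--cookie` as the alternative to putting the value in the configuration file, but a secret passed as a command line argument is visible to other local users in the process list and is kept in shell history. Please say so in this section, and consider documenting a way to supply the cookie that does not put it on the command line.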
--- End diff --

I would link to the main security docs from here.

A crucial thing to point out here is that when users use this with YARN 
sessions, all jobs running in that session will use the same cookie. The cookie 
is a "per-cluster" or "per-processes" parameter.

Please add that for proper security between jobs, jobs should be submitted 
individually, not via a Flink Yarn Session.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636447#comment-15636447
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86544195
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
+
+- Akka Endpoints
+
+- Flink Web Module
+
+- Blob Service
+
+- Task Manager/Netty data transfer communication 
+
+## Security Configurations
+
+Secure cookie configuration can be supplied by adding below configuration 
elements to Flink configuration file:
+
+- `security.enabled`: A boolean value (true|false) indicating security is 
enabled or not.
+
+- `security.cookie` : Secure cookie value to be used for authorization
+
+Once a cluster is configured to run with secure cookie option, any request 
to the cluster will be validated for the existence of secure cookie.
+
+## Standalone Mode:
+
+In standalone mode of deployment, if security is enabled then it is 
mandatory to provide the secure cookie configuration in the Flink configuration 
file. A missing cookie configuration will flag an error.
+
+## Yarn Mode:
+
+In Yarn mode of deployment, secure cookie can be provided in multiple ways.
+
+- Flink configuration
+
+- As command line argument (-k or --cookie) to Yarn session CLI 
+
+- Auto generated if not supplied through Flink configuration or Yarn 
session CLI argument
+
+The secure cookie will be made available as container environment variable 
for the application containers (JM/TM) to make use of it.
+
+On the client machine from where the Yarn session CLI is used to create 
the Flink application, the application specific secure cookie will be persisted 
in an INI file format in the user home directory. Any subsequent access to the 
Flink cluster using Yarn Session CLI (by passing the application ID) will 
automatically include appropriate secure cookie associated with the application 
ID to communicate with the cluster.
+
+Since the secure cookie is persisted in the user home directory, it is 
safe enough to consider that it can be accessed only by the user who created 
the cluster.
+
+### Akka endpoints
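Review bot: the sentence "Since the secure cookie is persisted in the user home directory, it is safe enough to consider that it can be accessed only by the user who created the cluster" holds only if the file is created with owner-only permissions; home directories are often readable by other accounts. Please state the file mode the client sets on the INI file, and have the code enforce it at creation, rather than relying on the directory's location.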
--- End diff --

Can we mark the sections following from here as "Notes on the 
Implementation"? Users should not get confused about that they need to do 
anything there.

We may even want to factor them out into a separate document later



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636443#comment-15636443
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86540326
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
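Review bot: in the second added paragraph, "validate all the incoming/outgoing request" should be "requests", and the paragraph does not say whether the shared secret itself is sent to the peer or only something derived from it. Please state that here, because it decides whether the mechanism is safe to use on a connection that is not encrypted.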
--- End diff --

This section first talks about a shared secret then about a cookie. It 
would be good to say somewhere that the cookie is the shared secret.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636442#comment-15636442
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86546406
  
--- Diff: docs/setup/config.md ---
@@ -125,6 +125,28 @@ Kerberos ticket renewal is abstracted and 
automatically handled by the Hadoop/Ka
 
 For Kafka and ZK, process-wide JAAS config will be created using the 
provided security credentials and the Kerberos authentication will be handled 
by Kafka/ZK login handlers.
 
+### Secure Cookie Authentication
+
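Review bot: the new heading "Secure Cookie Authentication" uses "authentication" for a feature that the rest of this pull request documents as service authorization. Please pick one term and use it in every heading, so readers do not take this for a second mechanism next to the Kerberos authentication described just above.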
--- End diff --

How about keeping this brief and instead linking to the proper docs?

```
Flink supports configuring a *secure cookie* (a shared secret) to secure 
Flink processes.
The secure cookie is used to authorize all access to and between Flink 
Processes.
For more details, see [link to docs]
```




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636439#comment-15636439
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86550433
  
--- Diff: 
flink-core/src/main/java/org/apache/flink/configuration/GlobalConfiguration.java
 ---
@@ -144,8 +144,15 @@ private static Configuration loadYAMLResource(File 
file) {
continue;
}
 
-   LOG.debug("Loading configuration 
property: {}, {}", key, value);
config.setString(key, value);
+
+   //to prevent logging the secure cookie
+   
if(key.equals(ConfigConstants.SECURITY_COOKIE) && value != null) {
+   value = "**";
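Review bot: the masking in the added block overwrites `value` with `"**"` after `config.setString(key, value)` has run, so correctness depends on statement order; if the two are ever swapped, the configuration stores the mask instead of the cookie. Please leave `value` untouched and put the masked text in a separate local that is used only for logging; writing the check as `ConfigConstants.SECURITY_COOKIE.equals(key)` would also stop it depending on `key` being non-null.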
--- End diff --

Can all suppressed keys have a common prefix?

This should also be guarded by a test ;-)




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636448#comment-15636448
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86542654
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
+
+- Akka Endpoints
+
+- Flink Web Module
+
+- Blob Service
+
+- Task Manager/Netty data transfer communication 
+
+## Security Configurations
+
+Secure cookie configuration can be supplied by adding below configuration 
elements to Flink configuration file:
+
+- `security.enabled`: A boolean value (true|false) indicating security is 
enabled or not.
+
+- `security.cookie` : Secure cookie value to be used for authorization
+
+Once a cluster is configured to run with secure cookie option, any request 
to the cluster will be validated for the existence of secure cookie.
+
+## Standalone Mode:
+
+In standalone mode of deployment, if security is enabled then it is 
mandatory to provide the secure cookie configuration in the Flink configuration 
file. A missing cookie configuration will flag an error.
+
+## Yarn Mode:
+
+In Yarn mode of deployment, secure cookie can be provided in multiple ways.
+
+- Flink configuration
+
+- As command line argument (-k or --cookie) to Yarn session CLI 
+
+- Auto generated if not supplied through Flink configuration or Yarn 
session CLI argument
+
+The secure cookie will be made available as container environment variable 
for the application containers (JM/TM) to make use of it.
+
+On the client machine from where the Yarn session CLI is used to create 
the Flink application, the application specific secure cookie will be persisted 
in an INI file format in the user home directory. Any subsequent access to the 
Flink cluster using Yarn Session CLI (by passing the application ID) will 
automatically include appropriate secure cookie associated with the application 
ID to communicate with the cluster.
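Review bot: the paragraph on the client-side INI file says the cookie is persisted per application ID but not when an entry is removed. Please document, and implement, cleanup once the application has finished; otherwise the cookies of terminated clusters accumulate in the user's home directory indefinitely.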
--- End diff --

Will this only happen if the cookie is auto generated?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636438#comment-15636438
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86543115
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
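Review bot: `# Authorization Support` is added as a level-one heading directly after the level-two `## Token Renewal` section. If level one is reserved for the page title in this document, this should be `##` so that the new section sits at the same depth as the neighbouring sections.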
--- End diff --

How about elaborating a bit on the interplay between the Authorization and 
Encryption support? For example, it is important to know that secrets go plain 
text over every wire unless encryption is enabled.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636440#comment-15636440
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86550641
  
--- Diff: flink-dist/src/main/resources/flink-conf.yaml ---
@@ -173,3 +174,13 @@ jobmanager.web.port: 8081
 # Override below configuration to provide custom ZK service name if 
configured
 #
 # zookeeper.sasl.service-name: zookeeper
+

+#==
+# Service Authorization Configuration (optional configuration)
--- End diff --

Can we group all security related parts together?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636441#comment-15636441
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86543731
  
--- Diff: docs/internals/flink_security.md ---
@@ -28,14 +28,16 @@ This document briefly describes how Flink security 
works in the context of vario
 and the connectors that participates in Flink Job execution stage. This 
documentation can be helpful for both administrators and developers 
--- End diff --

This document should probably start with an introduction to the different 
aspects of security:

  - Authentication (Flink authenticates at other services)
  - Authorization (No one unauthorized accesses the Flink cluster)
  - Encryption (no sniffing off data and credentials)

Authorization alone is probably only meaningful to prevent "accidental 
mixups", all meaningfully secure setups would need Authorization and Encryption.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636445#comment-15636445
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86544336
  
--- Diff: docs/setup/cli.md ---
@@ -217,6 +217,8 @@ Action "run" compiles and runs a program.
 
java.net.URLClassLoader}.
  -d,--detached  If present, runs the 
job in
 detached mode
+ -k,--cookie  Secure cookie to
+authenticate
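
Review bot: The help text for the new `-k,--cookie` option does not say that the shared secret is being passed as a command-line argument. Arguments are visible to other local users in the process list and are kept in shell history, so the description should say so and point to the `security.cookie` entry in the Flink configuration file, which this pull request documents in docs/internals/flink_security.md, as the alternative.
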
--- End diff --

Agree




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636437#comment-15636437
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86540839
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
+
+- Akka Endpoints
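
Review bot: The paragraph ending "validate all the incoming/outgoing request" never says how the shared secret is presented on a connection or whether it is protected in transit. Please state whether the cookie travels in the clear, and if it does, say in this section that SSL has to be enabled for the cookie to stay secret on the network. "request" should also be "requests".
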
--- End diff --

How about describing these parts by their role? I do not expect users to 
generally know that Flink uses Akka for distributed coordination. How about

  - Coordination / RPC communication between JobManager, ResourceManager, 
and TaskManager *(via Akka)*
  - Flink Web Module
  - File distribution, like JAR files, etc *(BLOB Service)*
  - Data exchange between TaskManagers *(via Netty)*




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636450#comment-15636450
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86540198
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
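
Review bot: The re-added Token Renewal sentence still reads "implementations takes care"; since the line is rewritten anyway to add the trailing newline, change it to "implementations take care" in the same edit.
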
--- End diff --

What is `UGI`? Can we spell this out?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636446#comment-15636446
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86549853
  
--- Diff: 
flink-core/src/main/java/org/apache/flink/configuration/ConfigConstants.java ---
@@ -715,6 +715,15 @@
/** Flag to enable/disable hostname verification for the ssl 
connections */
public static final String SECURITY_SSL_VERIFY_HOSTNAME = 
"security.ssl.verify-hostname";
 
+   //  Secure Cookie Authentication 
---
+
+   /** Flag that specify whether service authentication is enabled or not 
**/
+   public static final String SECURITY_ENABLED = "security.enabled";
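
Review bot: The key `security.enabled` behind `SECURITY_ENABLED` is broader than what its own Javadoc describes, which is service authentication only. It sits directly below `security.ssl.verify-hostname`, so someone reading a configuration file could take `security.enabled: true` to cover SSL as well. A key scoped to the cookie or authentication feature would avoid that reading. The Javadoc also closes with `**/` where the neighbouring comment uses `*/`.
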
--- End diff --

Can we add these options directly via `ConfigOptions` similar to that: 
https://github.com/apache/flink/blob/master/flink-core/src/main/java/org/apache/flink/configuration/HighAvailabilityOptions.java

Maybe start a new class, `SecurityOptions`.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636436#comment-15636436
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86542840
  
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on https://github.com/apache/
 
 ## Token Renewal
 
-UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing 
the tickets upon reaching expiry and no further action is needed on the part of 
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to 
ensure clients (or servers) connecting to the Flink cluster are authorized to 
do so. The purpose is to prevent a cluster from being used by an unauthorized 
user, whether to execute jobs, disrupt cluster functionality, or gain access to 
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a 
shared secret mechanism to control the authorization. When security is enabled, 
the configured shared secret will be used as the basis to validate all the 
incoming/outgoing request.
+
+- Akka Endpoints
+
+- Flink Web Module
+
+- Blob Service
+
+- Task Manager/Netty data transfer communication 
+
+## Security Configurations
+
+Secure cookie configuration can be supplied by adding below configuration 
elements to Flink configuration file:
+
+- `security.enabled`: A boolean value (true|false) indicating security is 
enabled or not.
+
+- `security.cookie` : Secure cookie value to be used for authorization
+
+Once a cluster is configured to run with secure cookie option, any request 
to the cluster will be validated for the existence of secure cookie.
+
+## Standalone Mode:
+
+In standalone mode of deployment, if security is enabled then it is 
mandatory to provide the secure cookie configuration in the Flink configuration 
file. A missing cookie configuration will flag an error.
+
+## Yarn Mode:
+
+In Yarn mode of deployment, secure cookie can be provided in multiple ways.
+
+- Flink configuration
+
+- As command line argument (-k or --cookie) to Yarn session CLI 
+
+- Auto generated if not supplied through Flink configuration or Yarn 
session CLI argument
+
+The secure cookie will be made available as container environment variable 
for the application containers (JM/TM) to make use of it.
+
+On the client machine from where the Yarn session CLI is used to create 
the Flink application, the application specific secure cookie will be persisted 
in an INI file format in the user home directory. Any subsequent access to the 
Flink cluster using Yarn Session CLI (by passing the application ID) will 
automatically include appropriate secure cookie associated with the application 
ID to communicate with the cluster.
+
+Since the secure cookie is persisted in the user home directory, it is 
safe enough to consider that it can be accessed only by the user who created 
the cluster.
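
Review bot: The Yarn Mode list item "Auto generated if not supplied through Flink configuration or Yarn session CLI argument" gives no detail on how the cookie is generated. Since this value is the only credential for the cluster, the section should name the random source and the length of the generated cookie. The following paragraph, "made available as container environment variable", deserves a sentence as well: an environment variable can be read by anything that can inspect the container process or its launch context, which is a wider audience than the home-directory file discussed at the end of the hunk.
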
--- End diff --

I think this should be a bigger warning, as it shows a fundamental 
assumption that users should be aware of.
With what access permission settings is the ini file persisted?
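
The file-mode question above, shown as an added Java example that is not code from the pull request or from Flink: the state file is created owner-only in a single call and is refused on read if group or others have any access. The file name, section name and key name are hypothetical, the content is a constructed sample, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CookieStateFile {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");

    /** Creates the state file as 0600, or tightens the mode of an existing one. */
    static Path createOwnerOnly(Path file) throws IOException {
        requirePosix(file);
        try {
            // The mode is part of the create call, so the file never exists
            // with the broader permissions the process umask would allow.
            Files.createFile(file, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        } catch (FileAlreadyExistsException e) {
            Files.setPosixFilePermissions(file, OWNER_ONLY);
        }
        return file;
    }

    /** Reads the file only if group and others have no access; fails closed otherwise. */
    static List<String> readIfPrivate(Path file) throws IOException {
        requirePosix(file);
        Set<PosixFilePermission> extra = new HashSet<>(Files.getPosixFilePermissions(file));
        extra.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        if (!extra.isEmpty()) {
            throw new SecurityException(file + " is accessible beyond its owner: " + extra);
        }
        return Files.readAllLines(file, StandardCharsets.UTF_8);
    }

    private static void requirePosix(Path file) {
        if (!file.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            throw new UnsupportedOperationException(
                    "No POSIX permissions on this file system; an ACL-based check is needed");
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("cookie-demo");            // stands in for user.home
        Path ini = createOwnerOnly(dir.resolve("yarn-app-state.ini"));  // hypothetical file name

        // Constructed sample content; section and key names are illustrative.
        Files.write(ini, Arrays.asList("[application_0000000000000_0001]",
                "secureCookie = PLACEHOLDER-NOT-A-REAL-SECRET"), StandardCharsets.UTF_8);
        System.out.println("mode after create: "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(ini)));
        System.out.println("lines read: " + readIfPrivate(ini).size());

        // Simulate a file that was created under a permissive umask.
        Files.setPosixFilePermissions(ini, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            readIfPrivate(ini);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```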






[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15636449#comment-15636449
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user StephanEwen commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86546515
  
--- Diff: docs/setup/yarn_setup.md ---
@@ -101,13 +101,19 @@ Usage:
Optional
  -D Dynamic properties
  -d,--detached   Start detached
+ -id,--applicationIdAttach to running YARN session
+ -j,--jar   Path to Flink jar file
  -jm,--jobManagerMemory Memory for JobManager Container [in 
MB]
- -nm,--name  Set a custom name for the application 
on YARN
+ -k,--cookieSecure cookie to authenticate
--- End diff --

Why not? Is it not possible to manually specify a cookie in YARN?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-04 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15635973#comment-15635973
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2425
  
Thank you for the changes. I wonder, could we remove the cookie header 
completely for Netty or the BlobServer in case the authorization is turned off? 
The Netty protocol has a `MAGIC_NUMBER` which is checked when decoding the 
message. We could use a different "magic number" to check whether we use the 
normal or the cookie-based Netty protocol. This would eliminate all the 
overhead of the cookie transmission. Furthermore, we should strip the cookie 
from the message once we have verified it is correct.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
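
The two-magic-number idea from the comment above, as an added Java sketch that is not code from the pull request or from Flink: the plain frame carries no cookie bytes, the secured frame carries a length-prefixed cookie, and the decoder strips the cookie after a constant-time comparison. `0xBADC0FFE` is the `MAGIC_NUMBER` shown in the NettyMessage diff; the second magic number, the cookie bound, the class name and the frame layout (a length field that counts the whole frame) are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CookieFrameCodec {

    static final int MAGIC_PLAIN = 0xBADC0FFE;   // MAGIC_NUMBER as shown in the NettyMessage diff
    static final int MAGIC_COOKIE = 0xBADC0FFF;  // hypothetical second magic number
    static final int MAX_COOKIE_BYTES = 1024;    // hypothetical upper bound

    private final byte[] cookie;                 // empty array: authorization is off

    private CookieFrameCodec(byte[] cookie) { this.cookie = cookie; }

    static CookieFrameCodec plain() { return new CookieFrameCodec(new byte[0]); }

    static CookieFrameCodec secured(String cookie) {
        // Fail at construction instead of mapping null to "no cookie".
        if (cookie == null || cookie.isEmpty()) {
            throw new IllegalArgumentException("Authorization is on but no cookie is configured");
        }
        byte[] bytes = cookie.getBytes(StandardCharsets.UTF_8);
        if (bytes.length > MAX_COOKIE_BYTES) {
            throw new IllegalArgumentException("Cookie exceeds " + MAX_COOKIE_BYTES + " bytes");
        }
        return new CookieFrameCodec(bytes);
    }

    private boolean isSecured() { return cookie.length > 0; }

    /** frame length (4), magic (4), [cookie length (4), cookie], msg ID (1), body. */
    ByteBuffer encode(byte msgId, byte[] body) {
        int cookiePart = isSecured() ? 4 + cookie.length : 0;
        int frameLength = 4 + 4 + cookiePart + 1 + body.length;
        ByteBuffer buf = ByteBuffer.allocate(frameLength);
        buf.putInt(frameLength);
        buf.putInt(isSecured() ? MAGIC_COOKIE : MAGIC_PLAIN);
        if (isSecured()) {
            buf.putInt(cookie.length);
            buf.put(cookie);
        }
        buf.put(msgId).put(body);
        buf.flip();
        return buf;
    }

    /** Returns msg ID + body with the cookie stripped, or throws if the frame is not acceptable. */
    ByteBuffer decode(ByteBuffer frame) {
        if (frame.remaining() < 9) {
            throw new IllegalStateException("Frame shorter than the minimal header");
        }
        ByteBuffer in = frame.duplicate();
        if (in.getInt() != frame.remaining()) {
            throw new IllegalStateException("Frame length field does not match the frame");
        }
        int magic = in.getInt();
        if (isSecured()) {
            // A secured endpoint must not fall back to the plain protocol,
            // otherwise the magic number itself would switch authorization off.
            if (magic != MAGIC_COOKIE) {
                throw new SecurityException("Frame does not use the cookie protocol");
            }
            int len = in.getInt();
            if (len < 0 || len > MAX_COOKIE_BYTES || len > in.remaining() - 1) {
                throw new SecurityException("Invalid cookie length");
            }
            byte[] presented = new byte[len];
            in.get(presented);
            if (!MessageDigest.isEqual(presented, cookie)) {   // constant-time comparison
                throw new SecurityException("Cookie mismatch");
            }
        } else if (magic != MAGIC_PLAIN) {
            throw new IllegalStateException("Unexpected magic number");
        }
        return in.slice();   // the cookie is no longer part of what is handed on
    }

    public static void main(String[] args) {
        byte[] body = "payload".getBytes(StandardCharsets.UTF_8);
        CookieFrameCodec server = CookieFrameCodec.secured("constructed-sample-cookie");

        ByteBuffer ok = CookieFrameCodec.secured("constructed-sample-cookie").encode((byte) 1, body);
        System.out.println("accepted, payload bytes: " + server.decode(ok).remaining());

        ByteBuffer[] rejected = {
            CookieFrameCodec.secured("some-other-cookie").encode((byte) 1, body),
            CookieFrameCodec.plain().encode((byte) 1, body)   // plain frame sent to a secured endpoint
        };
        for (ByteBuffer frame : rejected) {
            try {
                server.decode(frame);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println("plain frame header bytes: "
                + (CookieFrameCodec.plain().encode((byte) 1, body).remaining() - body.length));
    }
}
```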


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15634525#comment-15634525
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
@mxm - Sorry that I missed addressing some of your comments. Attached is a 
patch that includes the Netty code null precondition validation and fixes the 
Blob service cookie length issue. Please take a look and see if they are okay. 
Thanks for your patience.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632707#comment-15632707
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86340045
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -788,75 +719,125 @@ private void logAndSysout(String message) {
}
}
 
-   public static File getYarnPropertiesLocation(Configuration conf) {
-   String defaultPropertiesFileLocation = 
System.getProperty("java.io.tmpdir");
-   String currentUser = System.getProperty("user.name");
-   String propertiesFileLocation =
-   
conf.getString(ConfigConstants.YARN_PROPERTIES_FILE_LOCATION, 
defaultPropertiesFileLocation);
-
-   return new File(propertiesFileLocation, YARN_PROPERTIES_FILE + 
currentUser);
+   public static File getYarnPropertiesLocation() {
+   String path = System.getProperty("user.home") + File.separator 
+ YARN_APP_INI;
+   File stateFile;
+   try {
+   stateFile = new File(path);
+   if(!stateFile.exists()) {
+   stateFile.createNewFile();
+   }
+   } catch(IOException e) {
+   throw new RuntimeException(e);
+   }
+   return stateFile;
}
 
-   public static void persistAppState(String appId, String cookie) {
-   if(appId == null || cookie == null) {
-   return;
+   public static void persistAppState(YarnAppState appState) {
+
+   final String appId = appState.getApplicationId();
+   final String parallelism = appState.getParallelism();
+   final String dynaProps = appState.getDynamicProperties();
+   final String cookie = appState.getCookie();
+
+   if(appId == null) {
+   throw new RuntimeException("Missing application ID from 
Yarn application state");
}
-   String path = System.getProperty("user.home") + File.separator 
+ fileName;
-   LOG.debug("Going to persist cookie for the appID: {} in {} ", 
appId, path);
+
+   String path = getYarnPropertiesLocation().getAbsolutePath();
+
+   LOG.debug("Going to persist Yarn application state: {} in {}", 
appState,path);
+
try {
-   File f = new File(path);
-   if(!f.exists()) {
-   f.createNewFile();
-   }
HierarchicalINIConfiguration config = new 
HierarchicalINIConfiguration(path);
+
SubnodeConfiguration subNode = config.getSection(appId);
-   if (subNode.containsKey(cookieKey)) {
-   String errorMessage = "Secure Cookie is already 
found in "+ path + " for the appID: "+ appId;
-   LOG.error(errorMessage);
-   throw new RuntimeException(errorMessage);
+   if(!subNode.isEmpty()) {
+   throw new RuntimeException("Application with ID 
" + appId + "already exists");
}
-   subNode.addProperty(cookieKey, cookie);
+
+   subNode.addProperty(YARN_PROPERTIES_PARALLELISM, 
parallelism);
+   
subNode.addProperty(YARN_PROPERTIES_DYNAMIC_PROPERTIES_STRING, dynaProps);
+   subNode.addProperty(YARN_PROPERTIES_SECURE_COOKIE, 
cookie);
+
+   //update latest entry section with the most recent APP 
Id
+   config.clearTree(YARN_LATEST_ENTRY_SECTION_NAME);
+   SubnodeConfiguration activeAppSection = 
config.getSection(YARN_LATEST_ENTRY_SECTION_NAME);
+   activeAppSection.addProperty(YARN_APPLICATION_ID_KEY, 
appId);
+
config.save();
-   LOG.debug("Persisted cookie for the appID: {}", appId);
+   LOG.debug("Persisted Yarn App state: {}", appState);
} catch(Exception e) {
-   LOG.error("Exception occurred while persisting app 
state for app id: {}", appId, e);
throw new RuntimeException(e);
}
}
 
-   public static String getAppSecureCookie(String appId) {
+   public static YarnAppState retrieveMostRecentYarnApp() {
+   String path = getYarnPropertiesLocation().getAbsolutePath();
+   LOG.debug("Going to fetch app state from {}", path);
+
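
Review bot: `getYarnPropertiesLocation()` creates the state file with `stateFile.createNewFile()` and sets no permissions, so the file that `persistAppState` later fills with `YARN_PROPERTIES_SECURE_COOKIE` gets whatever mode the process umask allows. Create it owner-only in the same call, for example with `Files.createFile` and a `rw-------` attribute. Two smaller things in `persistAppState`: both `LOG.debug` calls log `appState`, which carries the cookie, so its `toString()` should leave the cookie out; and the message `"Application with ID " + appId + "already exists"` is missing a space before `already`.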

[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632481#comment-15632481
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86324769
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -54,24 +58,36 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final String NO_SECURE_COOKIE = "";
+
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id) {
-   return allocateBuffer(allocator, id, 0);
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
+   return allocateBuffer(allocator, id, 0, secureCookie);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length, String secureCookie) {
+   final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+   secureCookie = secureCookie == null ? "": secureCookie;
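
Review bot: The comment on `HEADER_LENGTH` now reads `Cookie (4)`, but `secureCookie` is a `String` of arbitrary length, so four bytes can only be a length prefix. Rename the entry to "cookie length (4)" and make sure the size handed to the allocator adds the encoded cookie bytes on top of `HEADER_LENGTH`; with UTF-8 that is the byte count of the encoded cookie, not `String.length()`.
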
--- End diff --

Should be removed in favor of never passing a null value here.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632475#comment-15632475
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86323404
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobServerConnection.java
 ---
@@ -101,6 +102,14 @@ public void run() {
final byte[] buffer = new byte[BUFFER_SIZE];
 
while (true) {
+
+   int keyLength = inputStream.read();
--- End diff --

Here the cookie length is limited to one byte.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632474#comment-15632474
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86321320
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -64,26 +64,25 @@
 
static final String NO_SECURE_COOKIE = "";
 
-   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
-
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
-   return allocateBuffer(allocator, id, secureCookie, 0);
+   return allocateBuffer(allocator, id, 0, secureCookie);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length, String secureCookie) {
+   final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
secureCookie = secureCookie == null ? "": secureCookie;
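
Review bot: Moving `DEFAULT_CHARSET` from a static field into `allocateBuffer` means `Charset.forName("utf-8")` is looked up on every buffer allocation, and the constant is no longer available to whatever decodes the cookie on the other side. `StandardCharsets.UTF_8` gives the same charset without the lookup and can be referenced from both places. A local variable in upper case also reads as a class constant when it is not one.
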
--- End diff --

Still think we should never pass a null cookie. Then the check wouldn't be 
necessary.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632476#comment-15632476
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86322286
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -120,6 +136,15 @@ static LengthFieldBasedFrameDecoder 
createFrameLengthDecoder() {
@ChannelHandler.Sharable
static class NettyMessageDecoder extends 
MessageToMessageDecoder {
 
+   private static final Logger LOG = 
LoggerFactory.getLogger(NettyMessageDecoder.class);
+
+   final byte[] secureCookie;
+
+   public NettyMessageDecoder(String secureCookie) {
+   secureCookie = secureCookie == null ? "": secureCookie;
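Review bot: in the `NettyMessageDecoder` constructor, `secureCookie = secureCookie == null ? "": secureCookie;` assigns to the `String` parameter, which shadows the `final byte[] secureCookie` field declared just above. The field has to be set through `this.secureCookie`, with the bytes taken in an explicit charset; renaming the parameter would remove the shadowing, and the field deserves a one-line comment saying what an empty cookie means to the decoder.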
--- End diff --

Should be removed.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-11-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15632473#comment-15632473
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r86321008
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -64,26 +64,25 @@
 
static final String NO_SECURE_COOKIE = "";
 
-   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
-
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
-   return allocateBuffer(allocator, id, secureCookie, 0);
+   return allocateBuffer(allocator, id, 0, secureCookie);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length, String secureCookie) {
+   final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
secureCookie = secureCookie == null ? "": secureCookie;
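Review bot: in `allocateBuffer`, `secureCookie = secureCookie == null ? "": secureCookie;` writes a missing cookie exactly as `NO_SECURE_COOKIE`, so a caller that lost its cookie is indistinguishable on the wire from one that never had one. Reject null at this boundary and let callers pass `NO_SECURE_COOKIE` explicitly; the reordered `(length, secureCookie)` overload should also get a short Javadoc stating what `length` covers.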
--- End diff --

Simpler:
```java
if (secureCookie == null) {
    secureCookie = NO_SECURE_COOKIE;
}
```



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15620793#comment-15620793
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
Addressed multiple application support/Yarn configuration file changes as 
part of FLINK-4950 patch.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15611368#comment-15611368
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2425
  
CC @uce to check out the network layer changes. This is a very sensitive 
and performance critical part of Flink. We should be very sure nothing breaks 
it with the changes.

@vijikarthi Please have a look at the null checks in the network code. I 
would replace them with `checkNotNull` and never pass any null values in there. 
It would be desirable that turned off security doesn't have any overhead with 
the security support built in.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15609088#comment-15609088
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r85175840
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -108,6 +111,11 @@
 
private final Options ALL_OPTIONS;
 
+   private static final String fileName = "yarn-app.ini";
+   private static final String cookieKey = "secureCookie";
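Review bot: `fileName` and `cookieKey` are `private static final` constants but are named in camelCase directly below `ALL_OPTIONS`; rename them to upper-case constants, with `fileName` given a more specific name such as `APP_STATE_FILE_NAME`. A comment saying which directory `yarn-app.ini` is resolved against would help the next reader.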
--- End diff --

I think the ini file format is actually fine. Could also be JSON but I 
don't mind. To not break backwards-compatibility, I think we have to keep the 
behavior to use the last-used application id in case none is supplied. We could 
have an extra config entry for that.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15608966#comment-15608966
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r85167083
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -108,6 +111,11 @@
 
private final Options ALL_OPTIONS;
 
+   private static final String fileName = "yarn-app.ini";
+   private static final String cookieKey = "secureCookie";
--- End diff --

Yes, I will make the change. 
- Do you object to retaining the ini file format and porting the current 
properties file implementation to INI format (to persist multiple application 
states)?

- Per current implementation (retrieveCluster), the CLI code fetches the 
application ID from properties file if not supplied through CLI argument. When 
we support multiple application state, then we expect application ID to be 
supplied always since there could be more than one application ID and the 
default functionality will go away. Do you concur? 

>
If we really need to provide backward compatibility support, then we could 
return the application ID from the INI file should there be just one instance 
persisted? If more than one application ID exists, then we throw an error 
indicating "Application ID" needs to be supplied as CLI argument.

Please let me know how you want me to approach and I will make the changes 
accordingly.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15607973#comment-15607973
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2425
  
@vijikarthi I haven't forgotten about your PR. Thanks for the feedback. 
I'll get back to you today.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-24 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15603349#comment-15603349
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
@mxm - Please take a look when you get a chance?



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15590228#comment-15590228
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on the issue:

https://github.com/apache/flink/pull/2425
  
Thanks @mxm for the review. I will incorporate your feedback and attach the 
patch.

> When security is enabled, encryption should also be turned on by default. 
> Otherwise we will transmit plain-text passwords over the wire.

Yes it makes sense. I will make a conditional check and throw an error if 
encryption is not enabled when security is enabled?

> Should there be two modes for network transmission, 1) with cookie, one 
> without? Do we need 32 bits for the cookie length? We should be precise about 
> the maximum length. I saw it is set to 1024 in other places.

Yes, max cookie length validation is 1024. I will change the code where the 
buffer length was allocated to a high value, instead it will use the byte array 
length read from the message. 

> Should we really always send the cookie for every message? The security 
> document mentions in T2-3 that we only want to authorize upon the first 
> connection.

Yes, we took the approach to pass secure cookie for every message to keep 
minimal changes to the current design.

> Why do we transmit the cookie to the client? This seems like a major 
> security concern. The client should always provide the cookie.
> edit: I see this has been specified in the document in T2-4. Still, I 
> wonder if it would make sense to simply add this now because the workaround to 
> fetch the cookie from the JobManager doesn't look appealing.

Good catch. I forgot to revert the code after the merge and it is not 
required. Will fix it. 

> You added a Yarn specific cookie option which should be part of the general 
> options instead.

It is added since secure cookie can be supplied when using both Yarn 
session CLI as well as Flink CLI. I have provided detailed explanation in one 
of the comments.

> You've introduced a new config file to persist the app state. We already 
> have the Yarn properties file for that.

I have provided explanation on why we need new config file in one of the 
comments. Please take a look.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
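
The cookie-length points in the reply above (a 1024-byte maximum, and sizing the read from the length carried in the message), as an added Java example that is not code from the pull request or from Flink. The class name `CookieFrame`, the placement of the cookie bytes directly after their length field and the sample cookie are assumptions; `MAGIC_NUMBER` and the 1024 limit are the values quoted in the thread.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added illustration; CookieFrame and its layout are assumptions, not Flink's NettyMessage. */
public final class CookieFrame {
    static final int MAGIC_NUMBER = 0xBADC0FFE;   // value shown in the quoted diff
    static final int MAX_COOKIE_BYTES = 1024;     // limit mentioned in the thread
    // frame length (4) + magic number (4) + cookie length (4) + msg ID (1)
    static final int FIXED_HEADER = 4 + 4 + 4 + 1;

    /** Assumed layout: FRAME LENGTH | MAGIC | COOKIE LENGTH | COOKIE BYTES | ID | PAYLOAD. */
    static ByteBuffer encode(byte id, String cookie, byte[] payload) {
        // Encode once; the same array sizes the buffer and fills the length field.
        byte[] cookieBytes = cookie.getBytes(StandardCharsets.UTF_8);
        if (cookieBytes.length > MAX_COOKIE_BYTES) {
            throw new IllegalArgumentException("cookie exceeds " + MAX_COOKIE_BYTES + " bytes");
        }
        int frameLength = FIXED_HEADER + cookieBytes.length + payload.length;
        ByteBuffer buf = ByteBuffer.allocate(frameLength);
        buf.putInt(frameLength);
        buf.putInt(MAGIC_NUMBER);
        buf.putInt(cookieBytes.length); // byte count, not String.length()
        buf.put(cookieBytes);
        buf.put(id);
        buf.put(payload);
        buf.flip();
        return buf;
    }

    /** Returns the payload, or throws if the frame is malformed or the cookie differs. */
    static byte[] decode(ByteBuffer frame, byte[] expectedCookie) {
        if (frame.remaining() < FIXED_HEADER) {
            throw new IllegalArgumentException("truncated header");
        }
        int frameLength = frame.getInt();
        if (frameLength != frame.remaining() + 4) {
            throw new IllegalArgumentException("frame length mismatch");
        }
        if (frame.getInt() != MAGIC_NUMBER) {
            throw new IllegalArgumentException("bad magic number");
        }
        int cookieLength = frame.getInt();
        // Bound the sender-controlled length before allocating or reading anything.
        if (cookieLength < 0 || cookieLength > MAX_COOKIE_BYTES
                || cookieLength > frame.remaining() - 1) {
            throw new IllegalArgumentException("invalid cookie length " + cookieLength);
        }
        byte[] cookie = new byte[cookieLength];
        frame.get(cookie);
        // MessageDigest.isEqual compares without returning early on the first differing byte.
        if (!MessageDigest.isEqual(cookie, expectedCookie)) {
            throw new SecurityException("cookie mismatch");
        }
        frame.get(); // message ID, not needed in this demonstration
        byte[] payload = new byte[frame.remaining()];
        frame.get(payload);
        return payload;
    }

    public static void main(String[] args) {
        String cookie = "s\u00e9cret-\u00fc"; // constructed sample, non-ASCII on purpose
        byte[] expected = cookie.getBytes(StandardCharsets.UTF_8);
        System.out.println("chars=" + cookie.length() + " utf8Bytes=" + expected.length);

        ByteBuffer good = encode((byte) 1, cookie, new byte[] {42});
        System.out.println("accepted payload bytes: " + decode(good, expected).length);

        try {
            decode(encode((byte) 1, "wrong", new byte[] {42}), expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        ByteBuffer forged = encode((byte) 1, cookie, new byte[] {42});
        forged.putInt(8, Integer.MAX_VALUE); // overwrite the cookie-length field
        try {
            decode(forged, expected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```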


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15589986#comment-15589986
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84175964
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -442,8 +453,10 @@ public static void runInteractiveCli(YarnClusterClient 
yarnCluster, boolean read
case "quit":
case "stop":

yarnCluster.shutdownCluster();
+   if 
(yarnCluster.hasBeenShutdown()) {
+   
removeAppState(applicationId);
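Review bot: `removeAppState(applicationId)` is reached only from the interactive `quit`/`stop` case and only when `hasBeenShutdown()` returns true, so every other exit path leaves the persisted application state behind. Move the cleanup to code that all shutdown paths go through, and log the case where `hasBeenShutdown()` is false so a stale entry does not go unnoticed.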
--- End diff --

Will move the logic to shutdown handler code



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15589968#comment-15589968
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84174244
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -108,6 +111,11 @@
 
private final Options ALL_OPTIONS;
 
+   private static final String fileName = "yarn-app.ini";
+   private static final String cookieKey = "secureCookie";
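Review bot: `fileName = "yarn-app.ini"` names a file that will hold a value under `secureCookie`, yet nothing at the declaration says where it is created or with which permissions. Document both next to the constants, and have the writing code create the file owner-readable only before the cookie is written into it.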
--- End diff --

I agree it is not manageable to have multiple files but there are two main 
reasons for introducing this new file.
- Yarn properties file is stored in /tmp location which is accessible to 
all the users. We want to store the secure cookie in user home location to 
prevent cookie leak
- Current implementation of Yarn properties file does not take multiple 
applications (Yarn application ID) into account which is resolved using the 
ini file implementation.


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
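
The two reasons given above for a separate `yarn-app.ini` (a per-user location instead of `/tmp`, and one entry per Yarn application ID), together with the fallback discussed in the 2016-10-26 reply (use the persisted ID only when exactly one exists), as an added Java example that is not the pull request's implementation. `AppStateStore`, the section-per-application layout and the sample IDs are assumptions, and the code assumes a POSIX file system.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added illustration; AppStateStore and the file layout are assumptions, not Flink code. */
public final class AppStateStore {
    private static final String COOKIE_KEY = "secureCookie"; // key name from the quoted diff
    private static final String OWNER_ONLY = "rw-------";
    private final Path file;

    AppStateStore(Path file) {
        this.file = file;
    }

    /** Reads "[applicationId]" sections, each holding one "secureCookie=<value>" line. */
    Map<String, String> load() throws IOException {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (!Files.exists(file)) {
            return cookies;
        }
        // Refuse a file that group or others can access: the cookie may already have leaked.
        String perms = PosixFilePermissions.toString(Files.getPosixFilePermissions(file));
        if (!perms.endsWith("------")) {
            throw new IOException(file + " has permissions " + perms + ", expected " + OWNER_ONLY);
        }
        String section = null;
        for (String raw : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String line = raw.trim();
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1);
            } else if (section != null && line.startsWith(COOKIE_KEY + "=")) {
                cookies.put(section, line.substring(COOKIE_KEY.length() + 1));
            }
        }
        return cookies;
    }

    void save(Map<String, String> cookies) throws IOException {
        try {
            // Create the file owner-only before any secret is written into it.
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString(OWNER_ONLY)));
        } catch (FileAlreadyExistsException e) {
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString(OWNER_ONLY));
        }
        List<String> lines = new ArrayList<>();
        for (Map.Entry<String, String> entry : cookies.entrySet()) {
            lines.add("[" + entry.getKey() + "]");
            lines.add(COOKIE_KEY + "=" + entry.getValue());
        }
        Files.write(file, lines, StandardCharsets.UTF_8);
    }

    /** Uses the CLI argument when given; falls back to the persisted ID only if it is unique. */
    String resolveApplicationId(String cliApplicationId) throws IOException {
        Map<String, String> cookies = load();
        if (cliApplicationId != null) {
            if (!cookies.containsKey(cliApplicationId)) {
                throw new IllegalArgumentException("no state for " + cliApplicationId);
            }
            return cliApplicationId;
        }
        if (cookies.size() == 1) {
            return cookies.keySet().iterator().next();
        }
        throw new IllegalArgumentException(cookies.isEmpty()
                ? "no application state persisted"
                : "several applications persisted; supply the application ID as a CLI argument");
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("appstate-demo"); // stands in for the user's home
        AppStateStore store = new AppStateStore(dir.resolve("yarn-app.ini"));

        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("application_0001", "constructed-cookie-a"); // constructed sample values
        store.save(cookies);
        System.out.println("default id: " + store.resolveApplicationId(null));

        cookies.put("application_0002", "constructed-cookie-b");
        store.save(cookies);
        try {
            store.resolveApplicationId(null);
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println("explicit id: " + store.resolveApplicationId("application_0002"));
    }
}
```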


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15589905#comment-15589905
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84170399
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -112,9 +129,9 @@ public void write(ChannelHandlerContext ctx, Object 
msg, ChannelPromise promise)
 
// Create the frame length decoder here as it depends on the 
encoder
//
-   // 
+--+--++++
-   // | FRAME LENGTH (4) | MAGIC NUMBER (4) | ID (1) || CUSTOM 
MESSAGE |
-   // 
+--+--++++
+   // 
+--+--+++++
+   // | FRAME LENGTH (4) | MAGIC NUMBER (4) | COOKIE (4) | ID (1) 
|| CUSTOM MESSAGE |
+   // 
+--+--+++++
static LengthFieldBasedFrameDecoder createFrameLengthDecoder() {
return new 
LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, -4, 4);
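Review bot: the updated layout comment labels the new field `COOKIE (4)`, which reads as a four-byte cookie; if those four bytes are a length prefix, the diagram should show the length field and the variable-length cookie bytes as separate columns. With `Integer.MAX_VALUE` still the maximum frame length in `createFrameLengthDecoder()`, the cookie length also needs its own upper-bound check at the point where it is read.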
--- End diff --

We don't strip the cookie and hence there is no change to adjust the decoder



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15589888#comment-15589888
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user vijikarthi commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84169656
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final int BUFFER_SIZE = 65536;
+
+   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id) {
-   return allocateBuffer(allocator, id, 0);
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
+   return allocateBuffer(allocator, id, secureCookie, 0);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   secureCookie = (secureCookie == null || secureCookie.length() 
== 0) ? "": secureCookie;
+   length+=secureCookie.getBytes().length;
final ByteBuf buffer = length != 0 ? 
allocator.directBuffer(HEADER_LENGTH + length) : allocator.directBuffer();
buffer.writeInt(HEADER_LENGTH + length);
buffer.writeInt(MAGIC_NUMBER);
+
+   buffer.writeInt(secureCookie.length());
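Review bot: in `allocateBuffer`, the size added to `length` is `secureCookie.getBytes().length` (bytes in the platform default charset) while the value written to the frame is `secureCookie.length()` (UTF-16 code units), and neither uses the `DEFAULT_CHARSET` constant added above. Encode once with `secureCookie.getBytes(DEFAULT_CHARSET)` and use that array's length for both the allocation and the `writeInt`, otherwise a non-ASCII cookie yields a length field that disagrees with the bytes on the wire. `BUFFER_SIZE = 65536` also needs a comment saying what it bounds.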
--- End diff --

Good catch. Will change it.



[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588388#comment-15588388
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84029858
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/execution/librarycache/BlobLibraryCacheManager.java
 ---
@@ -199,6 +199,11 @@ public int getBlobServerPort() {
return blobService.getPort();
}
 
+   public String getSecureCookie() {
+   return blobService.getSecureCookie() == null
+   ? "": blobService.getSecureCookie();
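Review bot: `getSecureCookie()` is added as a `public` accessor for the shared secret and has no Javadoc; narrow its visibility as far as the callers allow and document who is expected to call it. That Javadoc should also state that `""` is returned when the service has no cookie, since callers cannot otherwise tell an unconfigured cookie from an empty one.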
--- End diff --

I feel like this logic should be delegated to the blobService. Also, this 
might be clearer:
```java
String secureCookie = blobService.getSecureCookie();
return secureCookie != null ? secureCookie : "";
```




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588405#comment-15588405
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84039872
  
--- Diff: 
flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobServerDeleteTest.java
 ---
@@ -18,6 +18,7 @@
 
 package org.apache.flink.runtime.blob;
 
+import org.apache.flink.configuration.ConfigConstants;
--- End diff --

Unused import




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588394#comment-15588394
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84033606
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final int BUFFER_SIZE = 65536;
+
+   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id) {
-   return allocateBuffer(allocator, id, 0);
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
+   return allocateBuffer(allocator, id, secureCookie, 0);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   secureCookie = (secureCookie == null || secureCookie.length() 
== 0) ? "": secureCookie;
+   length+=secureCookie.getBytes().length;
final ByteBuf buffer = length != 0 ? 
allocator.directBuffer(HEADER_LENGTH + length) : allocator.directBuffer();
buffer.writeInt(HEADER_LENGTH + length);
buffer.writeInt(MAGIC_NUMBER);
+
+   buffer.writeInt(secureCookie.length());
--- End diff --
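
Review bot: `secureCookie.getBytes()` in `allocateBuffer` encodes with the platform default charset even though `DEFAULT_CHARSET` is declared a few lines above in the same hunk, so two nodes with different default encodings can produce different bytes for the same cookie. Encode once with `secureCookie.getBytes(DEFAULT_CHARSET)`, keep the resulting array, and use its `length` both for the frame length and for the `writeInt` length field. The `HEADER_LENGTH` comment should also call the new 4-byte field the cookie length.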

Here you're writing `cookie.length()` but earlier you calculate with 
`secureCookie.getBytes().length`. I think this causes issues with non-ASCII 
chars.
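
The char-count versus byte-count mismatch raised in this comment, as an added example that is not code from the pull request or from Flink. The class `CookieFrameDemo`, its simplified layout (the cookie is the only payload and follows the message ID) and `MAX_COOKIE_BYTES` are assumptions; the magic number is the one shown in the diff.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added illustration with a simplified frame layout; not Flink's NettyMessage. */
public class CookieFrameDemo {

    static final int MAGIC_NUMBER = 0xBADC0FFE;     // value shown in the diff
    static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length, magic, cookie length, msg ID
    static final int MAX_COOKIE_BYTES = 1024;       // assumed limit, counted in encoded bytes

    /** Reproduces the mismatch: space is reserved in bytes, the length field holds chars. */
    static ByteBuffer encodeMismatched(String cookie, byte msgId) {
        byte[] cookieBytes = cookie.getBytes(StandardCharsets.UTF_8);
        return frame(cookieBytes, cookie.length(), msgId);
    }

    /** Encodes the cookie once and uses the byte count for every length. */
    static ByteBuffer encode(String cookie, byte msgId) {
        byte[] cookieBytes = cookie.getBytes(StandardCharsets.UTF_8);
        if (cookieBytes.length > MAX_COOKIE_BYTES) {
            throw new IllegalArgumentException("cookie exceeds " + MAX_COOKIE_BYTES + " bytes");
        }
        return frame(cookieBytes, cookieBytes.length, msgId);
    }

    private static ByteBuffer frame(byte[] cookieBytes, int declaredLength, byte msgId) {
        ByteBuffer buf = ByteBuffer.allocate(HEADER_LENGTH + cookieBytes.length);
        buf.putInt(HEADER_LENGTH + cookieBytes.length);
        buf.putInt(MAGIC_NUMBER);
        buf.putInt(declaredLength);
        buf.put(msgId);
        buf.put(cookieBytes);
        buf.flip();
        return buf;
    }

    /** Returns the message ID when the frame is well formed and carries the expected cookie. */
    static byte decode(ByteBuffer frame, byte[] expectedCookie) {
        ByteBuffer buf = frame.duplicate();
        int available = buf.remaining();
        if (available < HEADER_LENGTH) {
            throw new IllegalStateException("truncated frame");
        }
        if (buf.getInt() != available) {
            throw new IllegalStateException("frame length mismatch");
        }
        if (buf.getInt() != MAGIC_NUMBER) {
            throw new IllegalStateException("incorrect magic number");
        }
        int cookieLength = buf.getInt();
        byte msgId = buf.get();
        // The length field comes from the peer: bound it before allocating or reading.
        if (cookieLength < 0 || cookieLength > MAX_COOKIE_BYTES || cookieLength != buf.remaining()) {
            throw new IllegalStateException("malformed cookie length field");
        }
        byte[] received = new byte[cookieLength];
        buf.get(received);
        // Constant-time comparison; one generic message whatever part of the cookie differs.
        if (!MessageDigest.isEqual(received, expectedCookie)) {
            throw new IllegalStateException("authentication failed");
        }
        return msgId;
    }

    public static void main(String[] args) {
        String cookie = "s\u00e9cret-\u00fc"; // constructed sample with two non-ASCII characters
        byte[] expected = cookie.getBytes(StandardCharsets.UTF_8);
        System.out.println("chars=" + cookie.length() + " bytes=" + expected.length);

        System.out.println("consistent frame -> msg ID " + decode(encode(cookie, (byte) 7), expected));
        try {
            decode(encodeMismatched(cookie, (byte) 7), expected);
        } catch (IllegalStateException e) {
            System.out.println("mismatched frame -> " + e.getMessage());
        }
        try {
            decode(encode("wrong-cookie", (byte) 7), expected);
        } catch (IllegalStateException e) {
            System.out.println("wrong cookie -> " + e.getMessage());
        }
    }
}
```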




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588380#comment-15588380
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84028789
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobServerProtocol.java
 ---
@@ -53,6 +53,9 @@
/** Internal code to identify a reference via jobId as the key */
static final byte JOB_ID_SCOPE = 2;
 
+   /** The maximum length of secure cookie. */
+   static final int MAX_LENGTH_SECURE_COOKIE = 1024;
--- End diff --
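
Review bot: the Javadoc for `MAX_LENGTH_SECURE_COOKIE` does not say whether 1024 counts characters or encoded bytes. State the unit and enforce the limit on the encoded form, since the two differ for non-ASCII cookies.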

Shouldn't this be tied to the buffer size which limits the cookie length?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588386#comment-15588386
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84029066
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobUtils.java ---
@@ -393,6 +399,24 @@ static void copyFromRecoveryPath(String recoveryPath, 
File localBlobFile) throws
}
 
/**
+* Utility method to validate secure cookie from Flink configuration 
instance
+* @throws
--- End diff --

Throw description is missing.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588403#comment-15588403
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84034258
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -131,6 +157,31 @@ protected void decode(ChannelHandlerContext ctx, 
ByteBuf msg, List out)
throw new IllegalStateException("Network stream 
corrupted: received incorrect magic number.");
}
 
+   //read cookie based on the cookie length passed
+   int cookieLength = msg.readInt();
+
+   LOG.debug("Cookie Length Read: {}, Source Cookie 
Length: {}", cookieLength, secureCookie.length);
+
+   if(cookieLength != secureCookie.length) {
+   String message = "Cookie length does not match 
with source cookie. Invalid secure cookie passed.";
+   LOG.error(message);
+   throw new IllegalStateException(message);
--- End diff --
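
Review bot: the `LOG.debug` call in `decode` writes the configured cookie's length (`secureCookie.length`) to the log, and the length check fails with its own message ("Cookie length does not match with source cookie"), so both disclose the size of the secret. Drop the expected length from the log line, use one generic authentication-failure message, and compare the received bytes with a constant-time method such as `MessageDigest.isEqual` (the byte comparison itself is not visible in this hunk).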

Exceptions are always logged. No need to do the logging here.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588418#comment-15588418
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84039893
  
--- Diff: 
flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobServerPutTest.java
 ---
@@ -18,6 +18,7 @@
 
 package org.apache.flink.runtime.blob;
 
+import org.apache.flink.configuration.ConfigConstants;
--- End diff --

Unused import




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588370#comment-15588370
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84020950
  
--- Diff: docs/setup/cli.md ---
@@ -239,6 +241,7 @@ Action "run" compiles and runs a program.
 Zookeeper sub-paths 
for high
 availability mode
   Options for yarn-cluster mode:
+ -k,--cookie Secure cookie to authenticate
--- End diff --
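
Review bot: the added `-k,--cookie` line documents passing the shared secret as a command-line argument, where it is visible in process listings and tends to end up in shell history. If the option stays, the text should point users to the configuration file as the preferred way to supply the cookie.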

Should be removed.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588387#comment-15588387
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84030215
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyConfig.java
 ---
@@ -91,6 +94,14 @@ public NettyConfig(
 
this.config = checkNotNull(config);
 
+   boolean security = 
config.getBoolean(ConfigConstants.SECURITY_ENABLED, false);
+   this.secureCookie = 
config.getString(ConfigConstants.SECURITY_COOKIE, "");
+
+   if(security && this.secureCookie == "") {
--- End diff --
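
Review bot: `this.secureCookie == ""` compares references, so an empty cookie that arrives as a different `String` object is not caught and the `security && ...` check passes with no secret set. Use `this.secureCookie.isEmpty()` so that enabling security without a cookie always fails here.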

Strings have to be compared with the `equals(String other)` method.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588374#comment-15588374
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84024718
  
--- Diff: flink-dist/src/main/resources/flink-conf.yaml ---
@@ -172,4 +173,14 @@ jobmanager.web.port: 8081
 
 # Override below configuration to provide custom ZK service name if 
configured
 #
-# zookeeper.sasl.service-name: zookeeper
\ No newline at end of file
+# zookeeper.sasl.service-name: zookeeper
+

+#==
+# Service Authorization Configuration (optional configuration)

+#==
+
+# Flag to enable/disable service level authorization (disabled by default)
+#security.enabled: false
+
+#secure random cookie to be used (auto-generated or static if value 
supplied)
+#security.cookie: foo
--- End diff --
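
Review bot: the sample line `#security.cookie: foo` is a usable value, so uncommenting it unchanged gives a cluster guarded by a guessable secret. Leave the value empty or use a placeholder that the cookie validation rejects, and have the comment above it say when the cookie is auto-generated and when the supplied value is used, which "auto-generated or static if value supplied" leaves unclear.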

Could we change `foo` to something like `notsecure` or `changeme`?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588402#comment-15588402
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84034051
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -123,6 +140,15 @@ static LengthFieldBasedFrameDecoder 
createFrameLengthDecoder() {
@ChannelHandler.Sharable
static class NettyMessageDecoder extends 
MessageToMessageDecoder {
 
+   private static final Logger LOG = 
LoggerFactory.getLogger(NettyMessageDecoder.class);
+
+   final byte[] secureCookie;
+
+   public NettyMessageDecoder(String secureCookie) {
+   secureCookie = (secureCookie == null || 
secureCookie.length() == 0) ? "": secureCookie;
--- End diff --
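
Review bot: in the `NettyMessageDecoder` constructor the parameter `secureCookie` (a `String`) shadows the field `final byte[] secureCookie`, and the visible assignment normalises the parameter, not the field. Rename the parameter, or assign through `this.secureCookie` with an explicit charset, so it is obvious which of the two is being set.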

String should be checked for non null.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588415#comment-15588415
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84041338
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -108,6 +111,11 @@
 
private final Options ALL_OPTIONS;
 
+   private static final String fileName = "yarn-app.ini";
+   private static final String cookieKey = "secureCookie";
+
+   private final Option SECURE_COOKIE_OPTION;
--- End diff --
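
Review bot: `fileName` and `cookieKey` are `private static final` constants but use lowerCamelCase, while the neighbouring `ALL_OPTIONS` and `SECURE_COOKIE_OPTION` use upper case; give them upper-case names. A comment on `"yarn-app.ini"` should also say where the file lives and what it stores, since a key named `secureCookie` implies it holds the secret.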

This option can be retrieved from the main options. No need for yarn 
specific option. Please remove.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588411#comment-15588411
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84036664
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/PartitionRequestProtocol.java
 ---
@@ -30,16 +30,29 @@
 
private final NettyMessageEncoder messageEncoder = new 
NettyMessageEncoder();
 
-   private final NettyMessage.NettyMessageDecoder messageDecoder = new 
NettyMessage.NettyMessageDecoder();
+   private final NettyMessage.NettyMessageDecoder serverMessageDecoder;
+
+   private final NettyMessage.NettyMessageDecoder clientMessageDecoder;
 
private final ResultPartitionProvider partitionProvider;
private final TaskEventDispatcher taskEventDispatcher;
private final NetworkBufferPool networkbufferPool;
+   private final String secureCookie;
 
-   PartitionRequestProtocol(ResultPartitionProvider partitionProvider, 
TaskEventDispatcher taskEventDispatcher, NetworkBufferPool networkbufferPool) {
+   PartitionRequestProtocol(ResultPartitionProvider partitionProvider, 
TaskEventDispatcher taskEventDispatcher,
+   NetworkBufferPool 
networkbufferPool, String secureCookie) {
this.partitionProvider = partitionProvider;
this.taskEventDispatcher = taskEventDispatcher;
this.networkbufferPool = networkbufferPool;
+   this.secureCookie = (secureCookie == null || 
secureCookie.length() == 0) ? "": secureCookie;
+
+   serverMessageDecoder = new 
NettyMessage.NettyMessageDecoder(secureCookie);
+
+   /*
+* Client decoder does not validate the secure cookie from 
server since
+* the server protocol does not transmit the secure cookie on 
the wire
+*/
+   clientMessageDecoder = new 
NettyMessage.NettyMessageDecoder(null);
--- End diff --
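
Review bot: `clientMessageDecoder` is created with a `null` cookie, so authentication is one-way: the server checks the client, but the client accepts frames from any peer. The comment should say what the client relies on to identify the server (for example TLS). Also, `serverMessageDecoder` receives the raw `secureCookie` parameter while the normalised value is stored in `this.secureCookie`; pass the field so both see the same value.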

But it still sends an empty cookie?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588366#comment-15588366
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84024166
  
--- Diff: 
flink-core/src/main/java/org/apache/flink/configuration/ConfigConstants.java ---
@@ -871,6 +871,19 @@
@Deprecated
public static final String ZOOKEEPER_MAX_RETRY_ATTEMPTS = 
"recovery.zookeeper.client.max-retry-attempts";
 
+   //  Secure Cookie Authentication 
---
+
+   /** Flag that specify whether service authentication is enabled or not 
**/
+   public static final String SECURITY_ENABLED = "security.enabled";
--- End diff --

When security is enabled, encryption should also be turned on. It probably 
makes sense to disable encryption for debugging purposes but please make sure 
it is enabled by default. Please see `SECURITY_SSL_ENABLED`.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588406#comment-15588406
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84042013
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -703,6 +796,93 @@ public static File 
getYarnPropertiesLocation(Configuration conf) {
return new File(propertiesFileLocation, YARN_PROPERTIES_FILE + 
currentUser);
}
 
+   public static void persistAppState(String appId, String cookie) {
--- End diff --
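
Review bot: `persistAppState(String appId, String cookie)` is a new `public static` method with no Javadoc, and its name and parameters indicate that the cookie is written to disk. Document where the state is stored, and create the file with owner-only permissions so other local users cannot read the secret.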

Please use the Yarn properties file for that.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588385#comment-15588385
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84032194
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
--- End diff --
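
Review bot: The comment on the new `HEADER_LENGTH` labels the added four bytes `Cookie (4)`, which reads as a four-byte cookie. If the field is a length prefix, name it `cookie length (4)` and state that the cookie bytes themselves are not counted in the constant, so that frame-size calculations using `HEADER_LENGTH` add the variable part explicitly and the decoder bounds the length before reading.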

4 bytes for the cookie or cookie **length**? How is this in line with the 
size restrictions assumed in other places? 




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588400#comment-15588400
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84035347
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -424,13 +481,17 @@ public String toString() {
 
ResultPartitionID partitionId;
 
+   String secureCookie = "";
+
public TaskEventRequest() {
}
 
-   TaskEventRequest(TaskEvent event, ResultPartitionID 
partitionId, InputChannelID receiverId) {
+   TaskEventRequest(TaskEvent event, ResultPartitionID 
partitionId, InputChannelID receiverId,
+   String secureCookie) {
this.event = event;
this.receiverId = receiverId;
this.partitionId = partitionId;
+   this.secureCookie = (secureCookie == null || 
secureCookie.length() == 0) ? "": secureCookie;
--- End diff --
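
Review bot: In the `TaskEventRequest` constructor, `(secureCookie == null || secureCookie.length() == 0) ? "": secureCookie` turns a missing cookie into an empty one, so a caller that failed to load the secret sends an empty credential without any error. The `length() == 0` arm is also a no-op, since it maps an empty string to an empty string. Reject null at construction and decide the empty case once, where the configuration is read.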

Please pass a proper non-null secureCookie instead.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588371#comment-15588371
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84024238
  
--- Diff: 
flink-core/src/main/java/org/apache/flink/configuration/ConfigConstants.java ---
@@ -871,6 +871,19 @@
@Deprecated
public static final String ZOOKEEPER_MAX_RETRY_ATTEMPTS = 
"recovery.zookeeper.client.max-retry-attempts";
 
+   //  Secure Cookie Authentication 
---
--- End diff --
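
Review bot: The new `Secure Cookie Authentication` section header is inserted directly after the `@Deprecated` constant `ZOOKEEPER_MAX_RETRY_ATTEMPTS`, which places the new keys inside a run of deprecated settings where they are easy to misread as deprecated. Put the section next to the other current security keys, and give each constant under it a Javadoc line with its default.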

Could we move all secure related settings to the same section in 
ConfigConstants?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588381#comment-15588381
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84029158
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobUtils.java ---
@@ -393,6 +399,24 @@ static void copyFromRecoveryPath(String recoveryPath, 
File localBlobFile) throws
}
 
/**
+* Utility method to validate secure cookie from Flink configuration 
instance
+* @throws
+*/
+   public static String validateAndGetSecureCookie(Configuration 
configuration) {
+   String secureCookie = null;
+   if(configuration.getBoolean(ConfigConstants.SECURITY_ENABLED, 
DEFAULT_SECURITY_ENABLED) == true) {
+   secureCookie = 
configuration.getString(ConfigConstants.SECURITY_COOKIE, null);
+   if(secureCookie == null) {
+   String message = "Missing " + 
ConfigConstants.SECURITY_COOKIE +
+   " configuration in Flink 
configuration file";
+   LOG.error(message);
+   throw new RuntimeException(message);
--- End diff --
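
Review bot: `validateAndGetSecureCookie` rejects only `secureCookie == null`, so an empty or whitespace-only value passes validation while `SECURITY_ENABLED` is true. Check for a blank value as well. The Javadoc also has an empty `@throws` tag and no `@param` or `@return`, and `== true` on the `getBoolean` result is redundant.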

- Exceptions are logged anyways.
- This should be `IllegalConfigurationException`




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588422#comment-15588422
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84035560
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -527,13 +591,17 @@ void readFrom(ByteBuf buffer) throws Exception {
static class CloseRequest extends NettyMessage {
 
private static final byte ID = 5;
+   String secureCookie = "";
+
+   public CloseRequest() {}
 
-   public CloseRequest() {
+   public CloseRequest(String secureCookie) {
+   this.secureCookie = (secureCookie == null) ? "": 
secureCookie;
--- End diff --
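
Review bot: `CloseRequest` keeps a public no-argument constructor next to the new `CloseRequest(String secureCookie)`, which leaves `secureCookie` at `""` for any caller that picks the wrong one. If the no-argument form exists only for deserialization, say so in a comment and narrow its visibility, so that outgoing requests can only be built with a cookie.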

Please no checks like this. You can use 
`Preconditions.checkNotNull(secureCookie)`.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588384#comment-15588384
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84030447
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobClient.java ---
@@ -88,6 +93,19 @@
 */
public BlobClient(InetSocketAddress serverAddress, Configuration 
clientConfig) throws IOException {
 
+   this.socket = new Socket();
+
+   if(clientConfig != null) {
+   boolean securityEnabled = 
clientConfig.getBoolean(ConfigConstants.SECURITY_ENABLED,
+   
ConfigConstants.DEFAULT_SECURITY_ENABLED);
+
+   this.secureCookie = 
clientConfig.getString(ConfigConstants.SECURITY_COOKIE, "");
+
+   if (securityEnabled && this.secureCookie == "") {
--- End diff --
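
Review bot: The whole security check sits inside `if(clientConfig != null)`, so a `BlobClient` constructed with a null configuration skips it and never assigns `this.secureCookie` in the lines shown. Decide explicitly what a null `clientConfig` means, either by rejecting it or by treating it as security disabled in one documented place. Note also that `this.secureCookie == ""` compares references: it holds for the default literal returned when the key is absent, but not necessarily for an empty value read from a file.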

Strings have to be compared with the `equals(String other)` method.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588373#comment-15588373
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84025149
  
--- Diff: 
flink-runtime-web/src/main/java/org/apache/flink/runtime/webmonitor/HttpRequestHandler.java
 ---
@@ -99,7 +110,43 @@ public void channelRead0(ChannelHandlerContext ctx, 
HttpObject msg) {
currentDecoder.destroy();
currentDecoder = null;
}
-   
+
+   if(secureCookie != null) {
--- End diff --
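
Review bot: `if(secureCookie != null)` uses the nullness of the cookie as the on/off switch for the check in `channelRead0`, so a cookie that failed to load disables the check for the web handler without any signal. Pass an explicit enabled flag and treat "enabled but no cookie" as an error at start-up.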

I agree with Robert, we need to check the config whether security is 
enabled. This requires passing the config here.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588378#comment-15588378
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84027778
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobClient.java ---
@@ -725,7 +755,21 @@ else if (response != RETURN_OKAY) {
Object msg = 
JobManagerMessages.getRequestBlobManagerPort();
Future futureBlobPort = jobManager.ask(msg, 
askTimeout);
 
+   Object secureCookieMsg = 
JobManagerMessages.getRequestBlobManagerSecureCookie();
+   Future futureSecureCookie = 
jobManager.ask(secureCookieMsg, askTimeout);
+
try {
+   String secureCookie = null;
+
+   Object cookie = 
Await.result(futureSecureCookie, askTimeout);
+   if(cookie instanceof String) {
+   secureCookie = (String) cookie;
+   }
--- End diff --
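
Review bot: When the reply to `getRequestBlobManagerSecureCookie()` is not a `String`, the `instanceof` branch is skipped and `secureCookie` stays null with no error or log line, so a failure reply is indistinguishable from security being off. Handle the non-String case explicitly and fail the request. The second `jobManager.ask` also puts the secret itself into an actor message; reading it from the client's own configuration avoids sending it at all.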

We are transferring the cookie here from the JobManager? That should never 
be the case. The client has to provide the cookie, otherwise a client must not 
be able to communicate with the JobManager.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
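
The rule in the comment above, that the client presents a cookie from its own configuration and the server only verifies it, as an added Java example that is not code from the pull request. The class and method names, the 1024-byte limit and the wire layout (4-byte length, then UTF-8 bytes) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added illustration. Names, size limit and wire layout are hypothetical, not Flink's. */
public final class CookieHandshakeExample {

    /** Assumed upper bound on the cookie size, enforced on both sides. */
    static final int MAX_COOKIE_BYTES = 1024;

    /** Client: the cookie comes from the client's own configuration, never from the server. */
    static byte[] clientFrame(String configuredCookie) throws IOException {
        if (configuredCookie == null || configuredCookie.trim().isEmpty()) {
            throw new IllegalStateException("security enabled but no cookie configured");
        }
        byte[] cookie = configuredCookie.getBytes(StandardCharsets.UTF_8);
        if (cookie.length > MAX_COOKIE_BYTES) {
            throw new IllegalStateException("cookie longer than " + MAX_COOKIE_BYTES + " bytes");
        }
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeInt(cookie.length);   // 4-byte length prefix
        out.write(cookie);             // cookie bytes
        out.flush();
        return bytes.toByteArray();
    }

    /** Server: bound the length before allocating, then compare without an early exit. */
    static void verify(DataInputStream in, byte[] expected) throws IOException {
        int length = in.readInt();
        if (length <= 0 || length > MAX_COOKIE_BYTES) {
            throw new IOException("Unexpected secure cookie length " + length);
        }
        byte[] presented = new byte[length];
        in.readFully(presented);       // EOFException if the peer sent fewer bytes
        if (!MessageDigest.isEqual(presented, expected)) {
            throw new IOException("Missing valid secure cookie");
        }
    }

    /** Runs the server check on one frame and reports whether the connection is accepted. */
    static boolean accepted(byte[] frame, byte[] expected) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame))) {
            verify(in, expected);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample secret; a real one comes from each side's configuration.
        byte[] serverSecret = "constructed-sample-cookie".getBytes(StandardCharsets.UTF_8);

        // Constructed frame whose length prefix claims an oversized cookie;
        // the server rejects it before allocating a buffer.
        ByteArrayOutputStream oversized = new ByteArrayOutputStream();
        new DataOutputStream(oversized).writeInt(Integer.MAX_VALUE);

        System.out.println("matching cookie accepted: "
                + accepted(clientFrame("constructed-sample-cookie"), serverSecret));
        System.out.println("wrong cookie accepted:    "
                + accepted(clientFrame("some-other-cookie"), serverSecret));
        System.out.println("oversized length accepted: "
                + accepted(oversized.toByteArray(), serverSecret));
    }
}
```

The server never sends the secret in either direction; a client that lacks it simply fails the check.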


[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588420#comment-15588420
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84039884
  
--- Diff: 
flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobServerGetTest.java
 ---
@@ -18,6 +18,7 @@
 
 package org.apache.flink.runtime.blob;
 
+import org.apache.flink.configuration.ConfigConstants;
--- End diff --
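
Review bot: The `ConfigConstants` import is the only line this hunk adds to `BlobServerGetTest`, and no use of it is visible here. If cookie handling is meant to be tested in this class, add cases for a GET with a wrong cookie and with none; otherwise drop the import.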

Unused import




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588419#comment-15588419
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84036090
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/PartitionRequestProtocol.java
 ---
@@ -30,16 +30,29 @@
 
private final NettyMessageEncoder messageEncoder = new 
NettyMessageEncoder();
 
-   private final NettyMessage.NettyMessageDecoder messageDecoder = new 
NettyMessage.NettyMessageDecoder();
+   private final NettyMessage.NettyMessageDecoder serverMessageDecoder;
+
+   private final NettyMessage.NettyMessageDecoder clientMessageDecoder;
 
private final ResultPartitionProvider partitionProvider;
private final TaskEventDispatcher taskEventDispatcher;
private final NetworkBufferPool networkbufferPool;
+   private final String secureCookie;
 
-   PartitionRequestProtocol(ResultPartitionProvider partitionProvider, 
TaskEventDispatcher taskEventDispatcher, NetworkBufferPool networkbufferPool) {
+   PartitionRequestProtocol(ResultPartitionProvider partitionProvider, 
TaskEventDispatcher taskEventDispatcher,
+   NetworkBufferPool 
networkbufferPool, String secureCookie) {
this.partitionProvider = partitionProvider;
this.taskEventDispatcher = taskEventDispatcher;
this.networkbufferPool = networkbufferPool;
+   this.secureCookie = (secureCookie == null || 
secureCookie.length() == 0) ? "": secureCookie;
--- End diff --
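
Review bot: The single `messageDecoder` is replaced by `serverMessageDecoder` and `clientMessageDecoder` with no comment on how the two differ, and both are `final` without an initializer, so their construction (not visible in this excerpt) has to happen in the constructor. Document which side validates the cookie. The `secureCookie == null || secureCookie.length() == 0` coercion to `""` at the end of the constructor also hides a missing secret from whatever is built from it; fail on null instead.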

See above comments about this.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588376#comment-15588376
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84028705
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobServerConnection.java
 ---
@@ -463,6 +482,39 @@ private static String readKey(byte[] buf, InputStream 
inputStream) throws IOExce
return new String(buf, 0, keyLength, BlobUtils.DEFAULT_CHARSET);
}
 
+
+   /**
+* Reads secure cookie from the given input stream.
+*
+* @param inputStream
+*the input stream to read the secure cookie from
+* @param keyLength
+*buffer length to read
+* @return
+* @throws IOException
+* thrown if an I/O error occurs while reading the secure 
cookie data from the input stream
+*/
+
+   private void validateSecureCookie(InputStream inputStream, int 
keyLength) throws IOException {
+
+   if (keyLength > MAX_LENGTH_SECURE_COOKIE) {
+   throw new IOException("Unexpected secure cookie length 
" + keyLength);
+   }
+
+   final byte[] buffer = new byte[BUFFER_SIZE];
+
+   readFully(inputStream, buffer, 0, keyLength, "SecureCookie");
+
+   final String cookie = new String(buffer, 0, keyLength, 
BlobUtils.DEFAULT_CHARSET);
+
+   if(blobServer.isSecurityEnabled()) {
+   if(StringUtils.isBlank(cookie) || 
!cookie.equals(blobServer.getSecureCookie())) {
+   LOG.error("Missing valid secure cookie");
+   throw new IOException("Missing valid secure 
cookie");
--- End diff --
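
Review bot: `!cookie.equals(blobServer.getSecureCookie())` is a short-circuiting comparison of a secret, so its running time depends on how many leading characters match. Compare the raw bytes with `MessageDigest.isEqual` instead of decoding to a `String` first. The Javadoc also says the method reads the cookie and carries an empty `@return` tag, while the method is `void` and validates.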

Exceptions will be logged anyways, you can remove the logging.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588416#comment-15588416
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84039201
  
--- Diff: 
flink-runtime/src/main/scala/org/apache/flink/runtime/akka/AkkaUtils.scala ---
@@ -389,7 +396,22 @@ object AkkaUtils {
   ""
 }
 
-ConfigFactory.parseString(configString + hostnameConfigString + 
sslConfigString).resolve()
+val cookieConfigString = if(securityEnabled){
+  s"""
+ |akka {
+ |  remote {
+ |require-cookie = $requireCookie
+ |secure-cookie = "$secureCookie"
+ |  }
+ |}
+ """.stripMargin
+}else{
--- End diff --
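
Review bot: `secure-cookie = "$secureCookie"` interpolates the secret into HOCON text, so a cookie containing a double quote or a backslash produces a parse error or a value different from the configured one. Build this part of the configuration from values rather than text, for example with `ConfigFactory.parseMap`, or restrict the cookie's character set where it is read and document the restriction.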

No need for the else block. We set `require-cookie` to `off` in case it 
shouldn't be used.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588379#comment-15588379
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84028453
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobServerConnection.java
 ---
@@ -463,6 +482,39 @@ private static String readKey(byte[] buf, InputStream 
inputStream) throws IOExce
return new String(buf, 0, keyLength, BlobUtils.DEFAULT_CHARSET);
}
 
+
+   /**
+* Reads secure cookie from the given input stream.
+*
+* @param inputStream
+*the input stream to read the secure cookie from
+* @param keyLength
+*buffer length to read
+* @return
+* @throws IOException
+* thrown if an I/O error occurs while reading the secure 
cookie data from the input stream
+*/
+
+   private void validateSecureCookie(InputStream inputStream, int 
keyLength) throws IOException {
+
+   if (keyLength > MAX_LENGTH_SECURE_COOKIE) {
+   throw new IOException("Unexpected secure cookie length 
" + keyLength);
+   }
+
+   final byte[] buffer = new byte[BUFFER_SIZE];
--- End diff --
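
Review bot: The length check rejects only `keyLength > MAX_LENGTH_SECURE_COOKIE`; a negative `keyLength` passes it and reaches the code that uses the buffer. Reject `keyLength < 0` in the same condition. The buffer is sized by `BUFFER_SIZE` while the check uses `MAX_LENGTH_SECURE_COOKIE`, so either allocate `new byte[keyLength]` after the check or state and enforce that the limit never exceeds `BUFFER_SIZE`.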

Does this impose an upper limit on the cookie size?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588408#comment-15588408
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84035615
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -527,13 +591,17 @@ void readFrom(ByteBuf buffer) throws Exception {
static class CloseRequest extends NettyMessage {
 
private static final byte ID = 5;
+   String secureCookie = "";
--- End diff --
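
Review bot: The new `secureCookie` field in `CloseRequest` has package visibility and is not `final`, so any class in the same package can read or replace the secret on a message instance. Make it `private` and expose it only where the encoder needs it.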

Initialization can never be used.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588397#comment-15588397
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84035178
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -369,21 +423,24 @@ void readFrom(ByteBuf buffer) throws Exception {
 
InputChannelID receiverId;
 
+   String secureCookie = "";
--- End diff --

The `""` initialization is always overridden, please remove.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588421#comment-15588421
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84039769
  
--- Diff: 
flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobClientTest.java 
---
@@ -48,19 +49,18 @@
private static final int TEST_BUFFER_SIZE = 17 * 1000;
 
/** The instance of the BLOB server used during the tests. */
-   private static BlobServer BLOB_SERVER;
+   protected static BlobServer BLOB_SERVER;
 
-   /** The blob service client and server configuration */
-   private static Configuration blobServiceConfig;
--- End diff --
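
Review bot: `BLOB_SERVER` is widened from `private static` to `protected static` and stays non-final, so every subclass of `BlobClientTest` can reassign the shared server instance. If a subclass only needs to read it, keep the field private and add a `protected static` accessor instead.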

These renamings are not necessary. Please revert.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588368#comment-15588368
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84021839
  
--- Diff: 
flink-clients/src/main/java/org/apache/flink/client/cli/CliFrontendParser.java 
---
@@ -90,6 +90,9 @@
"directory is optional. If no directory is specified, 
the configured default " +
"directory (" + ConfigConstants.SAVEPOINT_DIRECTORY_KEY 
+ ") is used.");
 
+   static final Option SECURE_COOKIE_OPTION = new Option("k", "cookie", 
true,
+   "Secure cookie to authenticate");
--- End diff --
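
Review bot: `SECURE_COOKIE_OPTION` is built with `hasArg` set to `true`, so the shared secret is passed as a command-line value and becomes visible in the process argument list and in shell history on the client host. The help text `"Secure cookie to authenticate"` should say so and point to the configuration file as the preferred source; reading the value from a file or a prompt would avoid the exposure.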

Description string should be updated (see above).




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588392#comment-15588392
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84034738
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -292,9 +344,10 @@ ByteBuf write(ByteBufAllocator allocator) throws 
IOException {
ByteBuf result = null;
 
ObjectOutputStream oos = null;
+   final String NO_SECURE_COOKIE= "";
--- End diff --
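
Review bot: `NO_SECURE_COOKIE` is declared as a local inside `write()` but named like a class constant, and is missing the space before `=`. Declare it once as a `static final` field on `NettyMessage`, and since the name implies this message is written with an empty cookie, add a comment saying why this message type carries none.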

Please consolidate the variable with the same definition above.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588367#comment-15588367
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84020927
  
--- Diff: docs/setup/cli.md ---
@@ -239,6 +241,7 @@ Action "run" compiles and runs a program.
 Zookeeper sub-paths 
for high
 availability mode
   Options for yarn-cluster mode:
+ -k,--cookie Secure cookie to authenticate
--- End diff --

Why is this added here again? This option is already present in the general 
options.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588393#comment-15588393
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84033402
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final int BUFFER_SIZE = 65536;
+
+   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id) {
-   return allocateBuffer(allocator, id, 0);
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
+   return allocateBuffer(allocator, id, secureCookie, 0);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   secureCookie = (secureCookie == null || secureCookie.length() 
== 0) ? "": secureCookie;
+   length+=secureCookie.getBytes().length;
--- End diff --
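
Review bot: `length+=secureCookie.getBytes().length` in `allocateBuffer` encodes the cookie with the platform default charset even though this hunk adds `DEFAULT_CHARSET`, so two JVMs with different default encodings would produce different bytes and lengths for a non-ASCII cookie and a cookie check on the receiving side could fail. Call `secureCookie.getBytes(DEFAULT_CHARSET)` once and reuse the array for both the length and the write. The `HEADER_LENGTH` comment also lists `Cookie (4)` while the cookie bytes are added to `length` separately, so the 4 should be described as the cookie length field if that is what it is.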

This seems inefficient, always getting the byte array. The length should be 
supplied and just be calculated once.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588417#comment-15588417
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84041744
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -442,8 +453,10 @@ public static void runInteractiveCli(YarnClusterClient 
yarnCluster, boolean read
case "quit":
case "stop":

yarnCluster.shutdownCluster();
+   if 
(yarnCluster.hasBeenShutdown()) {
+   
removeAppState(applicationId);
--- End diff --

Cleanup is handled in the shutdown method. Please remove this. The cluster 
client is always in state running if the user calls stop.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588414#comment-15588414
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84037462
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/PartitionRequestQueue.java
 ---
@@ -215,7 +222,8 @@ private void handleException(Channel channel, Throwable 
cause) throws IOExceptio
releaseAllResources();
 
if (channel.isActive()) {
-   channel.writeAndFlush(new 
NettyMessage.ErrorResponse(cause)).addListener(ChannelFutureListener.CLOSE);
+   channel.writeAndFlush(new 
NettyMessage.ErrorResponse(cause))
+   
.addListener(ChannelFutureListener.CLOSE);
--- End diff --

Just reformatting, no code changes (but I still have to check).




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588369#comment-15588369
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84020724
  
--- Diff: docs/setup/cli.md ---
@@ -217,6 +217,8 @@ Action "run" compiles and runs a program.
 
java.net.URLClassLoader}.
  -d,--detached  If present, runs the 
job in
 detached mode
+ -k,--cookie  Secure cookie to
+authenticate
--- End diff --

The description could be a bit more elaborate. For example,

> String to authorize Akka-based RPC communication





[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588398#comment-15588398
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84034660
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -226,8 +277,9 @@ ByteBuf write(ByteBufAllocator allocator) throws 
IOException {
int length = 16 + 4 + 1 + 4 + buffer.getSize();
 
ByteBuf result = null;
+   final String NO_SECURE_COOKIE= "";
--- End diff --

space after variable name




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588395#comment-15588395
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84033982
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -112,9 +129,9 @@ public void write(ChannelHandlerContext ctx, Object 
msg, ChannelPromise promise)
 
// Create the frame length decoder here as it depends on the 
encoder
//
-   // 
+--+--++++
-   // | FRAME LENGTH (4) | MAGIC NUMBER (4) | ID (1) || CUSTOM 
MESSAGE |
-   // 
+--+--++++
+   // 
+--+--+++++
+   // | FRAME LENGTH (4) | MAGIC NUMBER (4) | COOKIE (4) | ID (1) 
|| CUSTOM MESSAGE |
+   // 
+--+--+++++
static LengthFieldBasedFrameDecoder createFrameLengthDecoder() {
return new 
LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, -4, 4);
--- End diff --
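
Review bot: `createFrameLengthDecoder()` still passes `Integer.MAX_VALUE` as the maximum frame length, and per the layout comment the cookie now sits inside the frame, so the decoder buffers a frame of whatever length the peer announces before the cookie can be read. With authorization added, cap `maxFrameLength` at a bound the protocol actually needs, so the amount buffered on behalf of a peer that has not yet presented a valid cookie is limited. The layout comment should also state whether `COOKIE (4)` is the cookie itself or its length prefix.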

You didn't adjust the frame decoder. How is this supposed to work?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588375#comment-15588375
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84025817
  
--- Diff: 
flink-runtime-web/src/main/java/org/apache/flink/runtime/webmonitor/WebRuntimeMonitor.java
 ---
@@ -148,7 +148,7 @@
private MetricFetcher metricFetcher;
 
public WebRuntimeMonitor(
-   Configuration config,
+   final Configuration config,
--- End diff --

`final` modifier seems redundant here.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588407#comment-15588407
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84041916
  
--- Diff: 
flink-yarn/src/main/java/org/apache/flink/yarn/cli/FlinkYarnSessionCli.java ---
@@ -607,6 +680,18 @@ public int run(String[] args) {
return 1;
}
 
+   boolean securityEnabled = 
yarnDescriptor.getFlinkConfiguration()
+   
.getBoolean(ConfigConstants.SECURITY_ENABLED,
+   
DEFAULT_SECURITY_ENABLED);
+   LOG.debug("Security Enabled ? {}", securityEnabled);
+
+   //override cookie configuration if supplied through CLI
+   if(securityEnabled && secureCookieArg != null) {
+   LOG.debug("Secure cookie is provided as CLI 
argument and will be used");
+   
yarnDescriptor.getFlinkConfiguration().setBoolean(ConfigConstants.SECURITY_ENABLED,
 true);
+   
yarnDescriptor.getFlinkConfiguration().setString(ConfigConstants.SECURITY_COOKIE,
 secureCookieArg);
+   }
--- End diff --
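
Review bot: the override block runs only under `if(securityEnabled && secureCookieArg != null)`, so a cookie supplied on the CLI while `ConfigConstants.SECURITY_ENABLED` is false is dropped without any message and the session starts with security disabled. Log a warning or fail in that case. Inside the block, `setBoolean(ConfigConstants.SECURITY_ENABLED, true)` is a no-op because `securityEnabled` was just read as true from the same configuration.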

So much duplicate code here. Could be extracted to a method to avoid that.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588401#comment-15588401
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84034881
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -369,21 +423,24 @@ void readFrom(ByteBuf buffer) throws Exception {
 
InputChannelID receiverId;
 
+   String secureCookie = "";
+
public PartitionRequest() {
}
 
-   PartitionRequest(ResultPartitionID partitionId, int queueIndex, 
InputChannelID receiverId) {
+   PartitionRequest(ResultPartitionID partitionId, int queueIndex, 
InputChannelID receiverId, String secureCookie) {
this.partitionId = partitionId;
this.queueIndex = queueIndex;
this.receiverId = receiverId;
+   this.secureCookie = (secureCookie == null || 
secureCookie.length() == 0) ? "": secureCookie;
--- End diff --
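
Review bot: the constructor's `(secureCookie == null || secureCookie.length() == 0) ? "": secureCookie` turns a missing cookie into the same empty string as the field default, so a caller that forgot to pass the cookie is indistinguishable from one running with security off. Reject `null` at construction (for example with `Objects.requireNonNull`) and have callers pass `""` explicitly when no cookie is configured.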

These checks should not be necessary. Please remove.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588377#comment-15588377
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84026759
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/blob/BlobCache.java ---
@@ -272,4 +284,8 @@ private void closeSilently(Closeable closeable) {
}
}
}
+
+   /* Secure cookie to authenticate */
--- End diff --

> authorize




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588413#comment-15588413
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84037454
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/PartitionRequestQueue.java
 ---
@@ -170,7 +176,8 @@ else if (currentPartitionQueue.isReleased()) {
}
}
else {
-   BufferResponse resp = new 
BufferResponse(buffer, currentPartitionQueue.getSequenceNumber(), 
currentPartitionQueue.getReceiverId());
+   BufferResponse resp = new 
BufferResponse(buffer, currentPartitionQueue.getSequenceNumber(),
+   
currentPartitionQueue.getReceiverId());
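
Review bot: the removed and added `new BufferResponse(...)` calls pass the same three arguments in the same order, so as far as the visible lines show this hunk only rewraps one statement. Formatting-only changes in a file touched by a security patch make the real changes harder to audit; drop the rewrap here or move it to a separate commit.
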
--- End diff --

Just reformatting, no code changes (but I still have to check).




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588382#comment-15588382
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84031908
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final int BUFFER_SIZE = 65536;
+
+   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
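
Review bot: `Charset.forName("utf-8")` on the last added line can be `StandardCharsets.UTF_8`, which needs no lookup by name. Two more points on the constants: the `HEADER_LENGTH` comment says "Cookie (4)" without saying whether those 4 bytes are the cookie or a length prefix for it, which anyone parsing the frame needs to know, and `BUFFER_SIZE = 65536` is added with no comment on what it bounds.
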
--- End diff --

This should be read from somewhere else. If this is fixed anyways, then 
please just use this in the allocateBuffer method.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588365#comment-15588365
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84021449
  
--- Diff: docs/setup/yarn_setup.md ---
@@ -101,13 +101,19 @@ Usage:
Optional
  -D Dynamic properties
  -d,--detached   Start detached
+ -id,--applicationIdAttach to running YARN session
+ -j,--jar   Path to Flink jar file
  -jm,--jobManagerMemory Memory for JobManager Container [in 
MB]
- -nm,--name  Set a custom name for the application 
on YARN
+ -k,--cookieSecure cookie to authenticate
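
Review bot: the added `-k,--cookie` line documents the shared secret as a command-line option, and a secret given on the command line can end up in shell history and the process list. If the option stays, the help text should point to a configuration-file setting as the preferred way to supply the cookie. The hunk also removes the `-nm,--name` line, which has nothing to do with the cookie and looks like an accidental deletion.
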
--- End diff --

Should not be present in the Yarn options.




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588390#comment-15588390
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84032768
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -57,24 +61,37 @@
// constructor in order to work with the generic deserializer.
// 

 
-   static final int HEADER_LENGTH = 4 + 4 + 1; // frame length (4), magic 
number (4), msg ID (1)
+   static final int HEADER_LENGTH = 4 + 4 + 4 + 1; // frame length (4), 
magic number (4), Cookie (4), msg ID (1)
 
static final int MAGIC_NUMBER = 0xBADC0FFE;
 
+   static final int BUFFER_SIZE = 65536;
+
+   static final Charset DEFAULT_CHARSET = Charset.forName("utf-8");
+
abstract ByteBuf write(ByteBufAllocator allocator) throws Exception;
 
abstract void readFrom(ByteBuf buffer) throws Exception;
 
// 

 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id) {
-   return allocateBuffer(allocator, id, 0);
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie) {
+   return allocateBuffer(allocator, id, secureCookie, 0);
}
 
-   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, int length) {
+   private static ByteBuf allocateBuffer(ByteBufAllocator allocator, byte 
id, String secureCookie, int length) {
+   secureCookie = (secureCookie == null || secureCookie.length() 
== 0) ? "": secureCookie;
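
Review bot: the normalisation on the last added line turns a `null` cookie into `""`, so a caller that never received a cookie writes an empty one into the frame instead of failing. For an authentication value, reject `null` at this point (or validate once where the cookie is read from configuration) rather than defaulting it. The `secureCookie.length() == 0` branch replaces an empty string with an empty string and can go, and reassigning the parameter hides what the caller passed.
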
--- End diff --

This check seems unnecessary. The cookie should always be a valid String 
when it is passed. Also, what is the purpose of assigning `""` when 
`secureCookie.length() == 0`?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588372#comment-15588372
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84024531
  
--- Diff: 
flink-core/src/main/java/org/apache/flink/configuration/GlobalConfiguration.java
 ---
@@ -144,8 +144,15 @@ private static Configuration loadYAMLResource(File 
file) {
continue;
}
 
-   LOG.debug("Loading configuration 
property: {}, {}", key, value);
config.setString(key, value);
+
+   //to prevent logging the secure cookie
+   
if(key.equals(ConfigConstants.SECURITY_COOKIE) && value != null) {
+   value = "**";
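
Review bot: the masking assigns `"**"` to `value` itself, which is only safe because `config.setString(key, value)` was moved above it; any later reordering would store the mask as the cookie. Use a separate local for the text that gets logged and leave `value` untouched. The test `key.equals(ConfigConstants.SECURITY_COOKIE)` also matches exactly one key, so any other secret loaded through this method is not masked by it.
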
--- End diff --

Could you also do that for the other security-related passwords?




[jira] [Commented] (FLINK-3930) Implement Service-Level Authorization

2016-10-19 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FLINK-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15588396#comment-15588396
 ] 

ASF GitHub Bot commented on FLINK-3930:
---

Github user mxm commented on a diff in the pull request:

https://github.com/apache/flink/pull/2425#discussion_r84035425
  
--- Diff: 
flink-runtime/src/main/java/org/apache/flink/runtime/io/network/netty/NettyMessage.java
 ---
@@ -492,19 +553,22 @@ public void readFrom(ByteBuf buffer) {
 
InputChannelID receiverId;
 
+   String secureCookie = "";
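
Review bot: the new `secureCookie` member starts as `""`, which makes "no cookie was read" indistinguishable from "an empty cookie was sent". Leave it unassigned so a message whose `readFrom` did not populate it cannot pass as carrying an empty cookie. It is also declared without an access modifier, like `receiverId` above it; check that package-private access is intended for a credential.
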
--- End diff --

The `""` initialization is always overridden, please remove.



