Re: [DISCUSS] Service Authorization (redux)

2018-05-11 Thread Stephan Ewen
Hi! Reviving this thread, thank you, Eron, for starting this and for the preparation of the FLIP. I am sharing some thoughts below, and some input based on what has changed with FLIP-6 and the evolution of queryable state. Best, Stephan --- *Internal vs. External

Re: [DISCUSS] Service Authorization (redux)

2017-09-26 Thread Eron Wright
Hi folks, I'm happy to share with you a draft of a FLIP for service authorization. As I mentioned at the top of this thread, the goal is to protect a deployed Flink cluster/session from unauthorized use. In the doc, I propose the use of SSL client authentication for internal communication,

Re: [DISCUSS] Service Authorization (redux)

2017-08-03 Thread Eron Wright
Till, with (c) are you suggesting that we'd use Akka 2.3 for Scala 2.10 and Akka 2.4+ for Scala 2.11+? Sounds reasonable but I don't know how feasible it is. I will say I'm optimistic because a) Akka 2.4 is said to be binary compatible, and b) the Flakka fork appears to be subsumed by 2.4.

Re: [DISCUSS] Service Authorization (redux)

2017-08-03 Thread Ufuk Celebi
I haven't followed this discussion in detail nor am I familiar with the service authorization topic or Flakka, but a) sounds like a lot of maintenance work to me. If possible I would go with c) and maybe start a discussion about dropping Scala 2.10 support to check whether that is a viable option

Re: [DISCUSS] Service Authorization (redux)

2017-08-03 Thread Till Rohrmann
Alternatively there would also be an option c) only support mutual auth for Akka 2.4+ if the backport is unrealistic to do But this of course would break security for Scala 2.10. On the other hand people are already using Flink without this feature. Cheers, Till On Wed, Aug 2, 2017 at 7:21 PM,

Re: [DISCUSS] Service Authorization (redux)

2017-08-02 Thread Eron Wright
Thanks Till and Aljoscha for the feedback. Seems there are two ways to proceed here, if we accept mutual SSL as the basis. a) Backport mutual-auth support from Akka 2.4 to Flakka. b) Drop support for Scala 2.10 (FLINK-?), move to Akka 2.4 (FLINK-3662). Let's assume (a) for now. On Tue, Aug

Re: [DISCUSS] Service Authorization (redux)

2017-08-01 Thread Till Rohrmann
Dropping Java 7 alone is not enough to move to Akka 2.4+. For that we need at least Scala 2.11. Cheers, Till On Tue, Aug 1, 2017 at 4:22 PM, Aljoscha Krettek wrote: > Hi Eron, > > I think after Dropping support for Java 7 we will move to Akka 2.4+, so we > should be good

Re: [DISCUSS] Service Authorization (redux)

2017-08-01 Thread Aljoscha Krettek
Hi Eron, I think after Dropping support for Java 7 we will move to Akka 2.4+, so we should be good there. I think quite some users should find a (more) secure Flink interesting. Best, Aljoscha > On 24. Jul 2017, at 03:11, Eron Wright wrote: > > Hello, now might be a

[DISCUSS] Service Authorization (redux)

2017-07-23 Thread Eron Wright
Hello, now might be a good time to revisit an important enhancement to Flink security, so-called service authorization. This means the hardening of a Flink cluster against unauthorized use with some sort of authentication and authorization scheme. Today, Flink relies entirely on network