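You can have the web UI listen on an internal address and then deploy a "side car proxy" that exposes it externally, with authentication done on that proxy. This is also the approach the official documentation recommends: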
“Simple mutual authentication may be enabled by configuration if authentication of connections to the REST endpoint is required, but we recommend to deploy a “side car proxy”: Bind the REST endpoint to the loopback interface (or the pod-local interface in Kubernetes) and start a REST proxy that authenticates and forwards the requests to Flink. Examples for proxies that Flink users have deployed are Envoy Proxy or NGINX with MOD_AUTH. The rationale behind delegating authentication to a proxy is that such proxies offer a wide variety of authentication options and thus better integration into existing infrastructures.”
https://ci.apache.org/projects/flink/flink-docs-release-1.13/docs/deployment/security/security-ssl/#external--rest-connectivity

If your JM is statically deployed, you can configure: https://ci.apache.org/projects/flink/flink-docs-release-1.13/docs/deployment/config/#rest-bind-address

If it is dynamically scheduled, it depends on the orchestration engine; with K8s, for example, this is easy to do.

On 2021-08-24 21:42:46, "yidan zhao" <hinobl...@gmail.com> wrote:
>That is one approach, but can't the original address still be accessed directly? In that case it would essentially still be flagged by a scan. We have a dedicated department that scans the intranet, and anything it finds has to be fixed.
>
>东东 <dongdongking...@163.com> wrote on Tue, Aug 24, 2021 at 6:01 PM:
>
>> Put a reverse proxy in front and configure simple authentication on the proxy?
>>
>>
>> On 2021-08-24 17:25:49, "yidan zhao" <hinobl...@gmail.com> wrote:
>> >As the subject says: is there currently any simple authentication scheme for the Flink web UI? At the moment this part is a security risk if it is not authenticated.
>>
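
The setup recommended in the reply above, sketched as an added example that is not part of the thread or of the Flink documentation: the REST endpoint is bound to loopback so the original address is no longer reachable from the network, and NGINX is the only listener a scan can see. The external port, hostname, certificate paths, htpasswd path and upload size are placeholders or assumptions.

```nginx
# flink-conf.yaml on the JobManager host (shown as comments; rest.bind-address is the
# option linked above, 8081 is Flink's default rest.port):
#
#   rest.bind-address: 127.0.0.1
#   rest.port: 8081
#
# With this binding the REST endpoint and web UI accept connections only from the
# host itself, so the unauthenticated port is not exposed to the intranet.

server {
    listen 8443 ssl;                       # assumed external port
    server_name flink.example.internal;    # placeholder hostname

    ssl_certificate     /etc/nginx/tls/flink.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/flink.key;

    # HTTP basic auth (ngx_http_auth_basic_module); the user file is created
    # with htpasswd and its path here is a placeholder.
    auth_basic           "Flink Web UI";
    auth_basic_user_file /etc/nginx/flink.htpasswd;

    # JAR uploads through the UI exceed NGINX's 1m default body size;
    # the limit chosen here is an assumption.
    client_max_body_size 200m;

    location / {
        # Forward authenticated requests to the loopback-bound REST endpoint.
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Do not pass the proxy's basic-auth credentials on to Flink.
        proxy_set_header Authorization "";
    }
}
```

After both services are restarted, a connection to port 8081 from another host should be refused, while the proxy port answers 401 until valid credentials are supplied.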