I just re-read that paragraph in the Flink docs carefully, and it seems I misunderstood it earlier? Although Flink recommends putting a proxy in front for authentication, judging from the English text, Flink does seem to support enabling mutual authentication. As follows:

Simple mutual authentication may be enabled by configuration if authentication of connections to the REST endpoint is required, but...

Also, the Flink configuration docs list the following parameter. I plan to run an experiment; from the parameter description, it does support enabling mutual authentication.

security.ssl.rest.authentication-enabled
<https://ci.apache.org/projects/flink/flink-docs-release-1.13/docs/deployment/config/#security-ssl-rest-authentication-enabled>
false  Boolean  Turns on mutual SSL authentication for external communication via the REST endpoints.

On Wed, Aug 25, 2021 at 11:08 AM, 东东 <dongdongking...@163.com> wrote:

> You can have the web UI listen on an internal address, then deploy a "side car proxy" to expose it externally and do the authentication on that proxy. This is also the officially recommended approach:
>
> "Simple mutual authentication may be enabled by configuration if
> authentication of connections to the REST endpoint is required, but we
> recommend to deploy a "side car proxy": Bind the REST endpoint to the
> loopback interface (or the pod-local interface in Kubernetes) and start a
> REST proxy that authenticates and forwards the requests to Flink. Examples
> for proxies that Flink users have deployed are Envoy Proxy or NGINX with
> MOD_AUTH.
>
> The rationale behind delegating authentication to a proxy is that such
> proxies offer a wide variety of authentication options and thus better
> integration into existing infrastructures."
>
> https://ci.apache.org/projects/flink/flink-docs-release-1.13/docs/deployment/security/security-ssl/#external--rest-connectivity
>
> If your JM is deployed statically, you can configure:
> https://ci.apache.org/projects/flink/flink-docs-release-1.13/docs/deployment/config/#rest-bind-address
>
> If it is scheduled dynamically, then it depends on the orchestration engine; with K8s, for example, this is easy to do.
>
> On 2021-08-24 21:42:46, "yidan zhao" <hinobl...@gmail.com> wrote:
> >The above is one approach, but the original address can still be accessed directly, can't it? Then the scan would still flag it in the end. We have a dedicated department that scans the intranet, and when they find it they require it to be fixed.
> >
> >On Tue, Aug 24, 2021 at 6:01 PM, 东东 <dongdongking...@163.com> wrote:
> >
> >> Put a reverse proxy in front and configure simple authentication on the proxy?
> >>
> >>
> >> On 2021-08-24 17:25:49, "yidan zhao" <hinobl...@gmail.com> wrote:
> >> >As in the subject: is there currently any simple authentication solution for the Flink web UI? Without authentication, this part is a security risk.
> >> >
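As an added illustration (not part of this thread or of the Flink docs), the two options discussed above written out as flink-conf.yaml fragments; the keystore/truststore paths and passwords are placeholders.

```yaml
# Added example, not from the thread: flink-conf.yaml fragments for the two
# options discussed above. Paths and passwords are placeholders.

# Option A: sidecar proxy. Bind the REST endpoint to loopback so that only a
# co-located proxy (NGINX with basic auth, Envoy, ...) can reach it; the proxy
# listens on the external interface, authenticates, and forwards to
# 127.0.0.1:8081. The raw port is then no longer reachable from the network,
# which is what an intranet scanner would otherwise flag.
rest.bind-address: 127.0.0.1
rest.port: 8081

# Option B: mutual TLS on the REST endpoint itself. A client must present a
# certificate that chains to a CA in the truststore; anything else is rejected
# during the TLS handshake, so an unauthenticated scanner gets no HTTP response.
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /path/to/rest.keystore            # placeholder
security.ssl.rest.keystore-password: changeit-keystore        # placeholder
security.ssl.rest.key-password: changeit-key                  # placeholder
security.ssl.rest.truststore: /path/to/rest.truststore        # placeholder
security.ssl.rest.truststore-password: changeit-truststore    # placeholder
security.ssl.rest.authentication-enabled: true
```

With option B, the Flink CLI and any other REST client must also present a certificate, so give them the same keystore/truststore settings or they will be rejected along with everyone else.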