You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/20 16:25:00 UTC

[jira] [Commented] (FLINK-10371) Allow to enable SSL mutual authentication on REST endpoints by configuration

    [ https://issues.apache.org/jira/browse/FLINK-10371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622292#comment-16622292 ] 

ASF GitHub Bot commented on FLINK-10371:
----------------------------------------

kleingeist opened a new pull request #6727: [FLINK-10371] Allow to enable SSL mutual authentication on REST endpoints by configuration
URL: https://github.com/apache/flink/pull/6727
 
 
   # [[FLINK-10371]: Allow to enable SSL mutual authentication on REST endpoints by configuration](https://issues.apache.org/jira/browse/FLINK-10371)
   
   ## What is the purpose of the change
   
   This PR adds a config option to enable SSL mutual authentication on the REST endpoints and clients. 
   By default mutual authentication is disabled, so the default behaviour does not changes. 
   If `security.ssl.rest.authentication-enabled` is set to `true`, mutual authentication will be enabled and both the `rest.trustore` as well as the `rest.keystore` will be used for the REST endpoint and clients. This is equivalent to the mutual authentication on the internal communication.
   
   ## Brief change log
   - *Introduce `security.ssl.rest.authentication-enabled` to enable mutual authentication for REST*
   
   ## Verifying this change
   This change added tests and can be verified as follows:
   - *Extended SSLUtil tests to ensure the config option is interpreted correctly*
   - *Extended the REST endpoint integration tests to run with mutual auth enabled*
   - *Added an integration test to validate the connection denied if the client uses an untrusted certificate*
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): no
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
     - The serializers: no
     - The runtime per-record code paths (performance sensitive): don't know
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: yes
     - The S3 file system connector: no
   
   ## Documentation
   
     - Does this pull request introduce a new feature? yes
     - If yes, how is the feature documented? docs

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Allow to enable SSL mutual authentication on REST endpoints by configuration
> ----------------------------------------------------------------------------
>
>                 Key: FLINK-10371
>                 URL: https://issues.apache.org/jira/browse/FLINK-10371
>             Project: Flink
>          Issue Type: Improvement
>          Components: Client, REST, Security
>    Affects Versions: 1.6.0, 1.7.0
>            Reporter: Johannes Dillmann
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.7.0, 1.6.2
>
>
> With Flink 1.6 SSL mutual authentication was introduced for internal connectivity in FLINK-9312. 
>  SSL support for external connectivity was also introduced in regard to encryption of the connection and verification of the Flink REST endpoint from the client side.
> But _mutual authentication between the REST endpoint and clients is not supported yet_.
>  The [documentation suggests |https://ci.apache.org/projects/flink/flink-docs-release-1.6/ops/security-ssl.html] using a side car proxy to enable SSL mutual auth on the REST endpoint and points out the advantages of using a feature rich proxy.
> While this is a good rationale, there are still important use cases for support of  simple mutual authentication directly in Flink: Mainly support for using standard images in a containerized environment.
> There are tools used to setup Flink Jobs (for example on Kubernetes clusters) and act as gateways to the Flink REST endpoint and the Flink web interface. To prevent unauthorised access to Flink the connectivity has to be secured. As the tools acts as gateway it is easy to create and pass a shared keystore  and truststore used for mutual authentication to the Flink instances configurations.
> To enable for SSL mutual authentication on REST endpoints, I am suggesting to add a the configuration parameter `security.ssl.rest.authentication-enabled` which defaults to `false`.
>  If it is set to `true` the `SSLUtils` factories for creating the REST server endpoint and the REST clients should set authentication to required and share `security.ssl.rest.keystore` and `security.ssl.rest.truststore` to setup SSL mutual authenticated connections.
>  
> I have a working prototype which I would gladly submit as a PR to get further feedback. The changes to Flink are minimal and the default behaviour won't change.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)