You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@flink.apache.org by avivros <av...@iqpiot.com> on 2017/09/04 11:00:52 UTC
Securing Flink Monitoring REST API
What is the best way to secure the Monitoring REST API?
I am using the monitoring rest API in a production environment (
starting/stopping jobs, etc...). I should only allow authenticated calls to
be executed ( called from a Java sever process ).
What's the best way to go about this ( Kerberos? SSL Client Authentication?
Other?).
--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/
Re: Securing Flink Monitoring REST API
Posted by Fabian Hueske <fh...@gmail.com>.
Thanks for the correction and the pointers Eron!
Cheers, Fabian
2017-09-18 18:34 GMT+02:00 Eron Wright <er...@gmail.com>:
> Unfortunately Flink does not yet support SSL mutual authentication nor any
> form of client authentication. There is an ongoing discussion about it:
> http://apache-flink-mailing-list-archive.1008284.n3.
> nabble.com/DISCUSS-Service-Authorization-redux-td18890.html
>
> A workaround that I've seen is to use nginx as a frontend proxy. Be sure
> to lock down the underlying endpoints somehow. If you choose to go this
> route, Patrick Lucas gave a related talk recently (Flink in Containerland):
> https://youtu.be/w721NI-mtAA
>
> -Eron
>
>
> On Mon, Sep 18, 2017 at 1:30 AM, Fabian Hueske <fh...@gmail.com> wrote:
>
>> Hi,
>>
>> sorry for the late response.
>> Flink uses Netty for network communication which supports SSL client
>> authentication.
>> I haven't tried it myself, but would think that this should work in Flink
>> as well if you configure the certificates correctly.
>>
>> We should update the docs to cover this aspect.
>> Feedback on this would be very welcome
>>
>> Thanks, Fabian
>>
>> 2017-09-06 14:23 GMT+02:00 avivros <av...@iqpiot.com>:
>>
>>> Does jobmanager.web.ssl.enabled supports Client SSL Authentication?
>>>
>>>
>>>
>>>
>>> --
>>> Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nab
>>> ble.com/
>>>
>>
>>
>
Re: Securing Flink Monitoring REST API
Posted by Eron Wright <er...@gmail.com>.
Unfortunately Flink does not yet support SSL mutual authentication nor any
form of client authentication. There is an ongoing discussion about it:
http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Service-Authorization-redux-td18890.html
A workaround that I've seen is to use nginx as a frontend proxy. Be sure
to lock down the underlying endpoints somehow. If you choose to go this
route, Patrick Lucas gave a related talk recently (Flink in Containerland):
https://youtu.be/w721NI-mtAA
-Eron
On Mon, Sep 18, 2017 at 1:30 AM, Fabian Hueske <fh...@gmail.com> wrote:
> Hi,
>
> sorry for the late response.
> Flink uses Netty for network communication which supports SSL client
> authentication.
> I haven't tried it myself, but would think that this should work in Flink
> as well if you configure the certificates correctly.
>
> We should update the docs to cover this aspect.
> Feedback on this would be very welcome
>
> Thanks, Fabian
>
> 2017-09-06 14:23 GMT+02:00 avivros <av...@iqpiot.com>:
>
>> Does jobmanager.web.ssl.enabled supports Client SSL Authentication?
>>
>>
>>
>>
>> --
>> Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.
>> nabble.com/
>>
>
>
Re: Securing Flink Monitoring REST API
Posted by Fabian Hueske <fh...@gmail.com>.
Hi,
sorry for the late response.
Flink uses Netty for network communication which supports SSL client
authentication.
I haven't tried it myself, but would think that this should work in Flink
as well if you configure the certificates correctly.
We should update the docs to cover this aspect.
Feedback on this would be very welcome
Thanks, Fabian
2017-09-06 14:23 GMT+02:00 avivros <av...@iqpiot.com>:
> Does jobmanager.web.ssl.enabled supports Client SSL Authentication?
>
>
>
>
> --
> Sent from: http://apache-flink-user-mailing-list-archive.2336050.
> n4.nabble.com/
>
Re: Securing Flink Monitoring REST API
Posted by avivros <av...@iqpiot.com>.
Does jobmanager.web.ssl.enabled supports Client SSL Authentication?
--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/
Re: Securing Flink Monitoring REST API
Posted by Fabian Hueske <fh...@gmail.com>.
Hi,
you can configure SSL for Flink's network communication [1] (see
jobmanager.web.ssl.enabled).
However, Flink does not manage different user accounts or allows to grant
permissions yet.
Best, Fabian
[1]
https://ci.apache.org/projects/flink/flink-docs-release-1.3/setup/security-ssl.html
2017-09-04 13:00 GMT+02:00 avivros <av...@iqpiot.com>:
> What is the best way to secure the Monitoring REST API?
> I am using the monitoring rest API in a production environment (
> starting/stopping jobs, etc...). I should only allow authenticated calls to
> be executed ( called from a Java sever process ).
> What's the best way to go about this ( Kerberos? SSL Client Authentication?
> Other?).
>
>
>
> --
> Sent from: http://apache-flink-user-mailing-list-archive.2336050.
> n4.nabble.com/
>