Subject: Re: [DISCUSS] Secure Flink clusters
From: "Wright, Eron"
Date: Wed, 18 May 2016 14:33:18 -0700
To: dev@flink.apache.org

Update, the following issues were filed:
- [FLINK-3929] Support for Kerberos Authentication with Keytab Credential
- [FLINK-3930] Implement Service-Level Authorization
- [FLINK-3931] Implement Transport Encryption (SSL/TLS)
- [FLINK-3932] Implement State Backend Security

> On May 17, 2016, at 11:10 AM, Wright, Eron wrote:
>
> Thanks to all who reviewed the document. It appears we have a good plan and I'm filing JIRA issues accordingly.
>
> Robert, I'm in touch with Max, Stephan, and Stefano. I’ll update the thread when we have a better sense of the timing. The work will clearly span a couple of releases.
>
> Eron
>
>
>> On May 17, 2016, at 8:35 AM, Robert Metzger wrote:
>>
>> Hi Eron,
>>
>> thanks a lot for putting so much effort into the design document. You've
>> probably spent a lot of time to come up with it!
>> I have to admit that I'm not that familiar with the topic, so I probably
>> need to re-read it again to digest it completely.
>>
>> What are your plans for implementing the proposed changes? (time-wise and
>> people-wise?) I'm asking to get an idea of when we can expect the changes
>> in the master, in releases, ...
>>
>> I think Stefano Baghino also had some discussions about improving Flink's
>> security on the mailing list recently. Maybe you guys can sync your efforts
>> and collaborate on this.
>>
>> Regards,
>> Robert
>>
>>
>> On Fri, May 13, 2016 at 12:47 PM, Maximilian Michels wrote:
>>
>>> Hi Eron,
>>>
>>> Thank you for this comprehensive design document. Really great read.
>>> I've left some minor comments.
>>>
>>> +1 for breaking down the tasks into many JIRA issues; we have quite
>>> some ambitious plans now :) It would be great to get some more people
>>> from the community involved as well.
>>>
>>> Best,
>>> Max
>>>
>>> On Wed, May 11, 2016 at 9:09 AM, Wright, Eron wrote:
>>>> Hello!
>>>>
>>>> There’s been a few discussions lately on how to improve the Kerberos
>>>> support in Flink. I’ve drafted a design document that lays out a plan to
>>>> support keytab-based authentication for HDFS, Kafka, and ZooKeeper. In
>>>> addition, the plan contemplates secure, TLS-based communication between
>>>> cluster components.
>>>>
>>>> The main goals are secure data access for Kerberized connectors and
>>>> cluster authentication to prevent unauthorized access to cluster secrets.
>>>>
>>>> Here is the document:
>>>>
>>>> https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing
>>>>
>>>> I anticipate filing a multitude of JIRAs following a design discussion.
>>>> It is a big task and there will be opportunities for others in the
>>>> community to help.
>>>>
>>>> Thanks,
>>>> Eron Wright
>>>> EMC
>>>
>