From: "Wright, Eron"
To: dev@flink.apache.org
Subject: Re: [DISCUSS] Secure Flink clusters
Date: Tue, 17 May 2016 11:10:52 -0700

Thanks to all who reviewed the document. It appears we have a good plan and I'm filing JIRA issues accordingly.

Robert, I'm in touch with Max, Stephan, and Stefano. I’ll update the thread when we have a better sense of the timing. The work will clearly span a couple of releases.

Eron

> On May 17, 2016, at 8:35 AM, Robert Metzger wrote:
>
> Hi Eron,
>
> thanks a lot for putting so much effort into the design document. You've
> probably spent a lot of time to come up with it!
> I have to admit that I'm not that familiar with the topic, so I probably
> need to re-read it again to digest it completely.
>
> What are your plans for implementing the proposed changes? (time-wise and
> people-wise?) I'm asking to get an idea of when we can expect the changes
> in the master, in releases, ...
>
> I think Stefano Baghino also had some discussions about improving Flink's
> security on the mailing list recently. Maybe you guys can sync your efforts
> and collaborate on this.
>
> Regards,
> Robert
>
>
> On Fri, May 13, 2016 at 12:47 PM, Maximilian Michels wrote:
>
>> Hi Eron,
>>
>> Thank you for this comprehensive design document. Really great read.
>> I've left some minor comments.
>>
>> +1 for breaking down the tasks into many JIRA issues; we have quite
>> some ambitious plans now :) It would be great to get some more people
>> from the community involved as well.
>>
>> Best,
>> Max
>>
>> On Wed, May 11, 2016 at 9:09 AM, Wright, Eron wrote:
>>> Hello!
>>>
>>> There’s been a few discussions lately on how to improve the Kerberos
>>> support in Flink. I’ve drafted a design document that lays out a plan to
>>> support keytab-based authentication for HDFS, Kafka, and ZooKeeper. In
>>> addition, the plan contemplates secure, TLS-based communication between
>>> cluster components.
>>>
>>> The main goals are secure data access for Kerberized connectors and
>>> cluster authentication to prevent unauthorized access to cluster secrets.
>>>
>>> Here is the document:
>>>
>>> https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing
>>>
>>> I anticipate filing a multitude of JIRAs following a design discussion.
>>> It is a big task and there will be opportunities for others in the
>>> community to help.
>>>
>>> Thanks,
>>> Eron Wright
>>> EMC