Return-Path: <dev-return-19380-archive-asf-public=cust-asf.ponee.io@flink.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 6944D200CD9
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu,  3 Aug 2017 20:12:12 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 67B9216BDD9; Thu,  3 Aug 2017 18:12:12 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 8761516BD4D
	for <archive-asf-public@cust-asf.ponee.io>; Thu,  3 Aug 2017 20:12:11 +0200 (CEST)
Received: (qmail 50301 invoked by uid 500); 3 Aug 2017 18:12:05 -0000
Mailing-List: contact dev-help@flink.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@flink.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@flink.apache.org>
List-Post: <mailto:dev@flink.apache.org>
List-Id: <dev.flink.apache.org>
Reply-To: dev@flink.apache.org
Delivered-To: mailing list dev@flink.apache.org
Received: (qmail 50282 invoked by uid 99); 3 Aug 2017 18:12:05 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Aug 2017 18:12:05 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id D05A3180415
	for <dev@flink.apache.org>; Thu,  3 Aug 2017 18:12:04 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level: 
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8,
	SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
	with ESMTP id N8iCC_VE4f-B for <dev@flink.apache.org>;
	Thu,  3 Aug 2017 18:12:02 +0000 (UTC)
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com [209.85.218.48])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 613395F56A
	for <dev@flink.apache.org>; Thu,  3 Aug 2017 18:12:02 +0000 (UTC)
Received: by mail-oi0-f48.google.com with SMTP id x3so20215323oia.1
        for <dev@flink.apache.org>; Thu, 03 Aug 2017 11:12:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=tmm8RCUAqv5pKEYnGawISEMsgh7c6jpavNgBg5t3fkA=;
        b=PqvwjlY8VBlKp1aOMYcBYHZeBoEvlWKMp9mt5N8HPp6JqbrKFf8t70mO26b2NN2sQ/
         I/TxikuN3ZWdIlwxPILL5TRA1W78ngXQi4cGlk7tY6eBjUNDOxtSLeRqSdKOdnKcigA5
         qhJjF2x24YbFho0xL73L8uKfzZ6CoyvuJQZmNLB3NgowewAllgvke67cGEKRAhi7h+Qq
         DDdTfV1h+kqNfpfP5MLGh5n5kXGdfeiWaAH4/t6AjA+ohfjeA+txgWkMf/6ERGzzhcDu
         /df1WpoRtCVcirPdvvR9Se112B8loQNVw/CB6G7v8JOYrlg35MZUhcKp0Csnc9MZ88bS
         T3ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=tmm8RCUAqv5pKEYnGawISEMsgh7c6jpavNgBg5t3fkA=;
        b=rOg68wVAkRtaUX9mj+S4iDo0til855SddP+XRLPJ7Q2BLt90kWUgSGoWY5ffp9qIOR
         dUCJphOkg+nBCAtv8UXFAevmqzJIB6VEmCEcPaKswMNDsimWvl+PAJCjpUg7i4NRQxsQ
         fL/80COFby0O9iZPyMom3Ehf5v83oxRqFp+DwtaIy5V6vQWb6fULMksNMmjP4g9cm4hF
         Ho/4IYWfD4DinsrOfMZVVJum1BD0XyyZItWDOxxX7u0NxyAwqYcvntOSUVA/fEskVb8T
         KtNL0/3MFPaC9bEl7DVfpENIbs7dmkDG7y+tyiCwGqDEcTVwIpeQQQksa2dcKkltmnAJ
         xHDw==
X-Gm-Message-State: AHYfb5g5EU0QjrrTmnuPZjiaASYF+1b5anhigRPlRvz5rlGgZJER3HLd
	Oml1R+gp/AC7ctVb7PpSo7Vfde1bdw==
X-Received: by 10.202.96.138 with SMTP id u132mr2544403oib.265.1501783916236;
 Thu, 03 Aug 2017 11:11:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.137.214 with HTTP; Thu, 3 Aug 2017 11:11:55 -0700 (PDT)
In-Reply-To: <CAKiyyaGRwvXEy6wS7hpqD0S-dw+c+EjA_T7Kn0pEFi7VgfXG5g@mail.gmail.com>
References: <CAGKOEz25smFBoWhvZ-YtNjRcZXmfD4Yv15-wtFJcJA9wUW97yg@mail.gmail.com>
 <B7DB26F7-6A6B-440B-9C82-D70A0AE6FF11@apache.org> <CAC27z=O1=kD+9bo8==Rn7Qya1jg-ueEtkWv7LU8dP+G-6O9kpw@mail.gmail.com>
 <CAGKOEz00R_Zq46br-D=CPPby2zoFk6icEUJe1g3iNuOuxuSAFA@mail.gmail.com>
 <CAC27z=MEUvVxOmS1f+gY_c57Bg3vdig_-GnuZeVSo3bDB-raTQ@mail.gmail.com> <CAKiyyaGRwvXEy6wS7hpqD0S-dw+c+EjA_T7Kn0pEFi7VgfXG5g@mail.gmail.com>
From: Eron Wright <eronwright@gmail.com>
Date: Thu, 3 Aug 2017 11:11:55 -0700
Message-ID: <CAGKOEz38BK7ZSKxPNFyisSEBJyh=V4ecLnpk_C0PnyvQpMP2aQ@mail.gmail.com>
Subject: Re: [DISCUSS] Service Authorization (redux)
To: dev@flink.apache.org
Content-Type: multipart/alternative; boundary="001a113d5246db53790555dd504d"
archived-at: Thu, 03 Aug 2017 18:12:12 -0000

--001a113d5246db53790555dd504d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Till, with (c) are you suggesting that we'd use Akka 2.3 for Scala 2.10 and
Akka 2.4+ for Scala 2.11+?   Sounds reasonable but I don't know how
feasible it is.   I will say I'm optimistic because a) Akka 2.4 is said to
be binary compatible, and b) the Flakka fork appears to be subsumed by 2.4.

Let us then take (c) as the tentative plan.

I agree the community should discuss dropping Scala 2.10 but I don't want
to drive that conversation.

Thanks


On Thu, Aug 3, 2017 at 6:24 AM, Ufuk Celebi <uce@apache.org> wrote:

> I haven't followed this discussion in detail nor am I familiar with
> the service authorization topic or Flakka, but a) sounds like a lot of
> maintenance work to me.
>
> If possible I would go with c) and maybe start a discussion about
> dropping Scala 2.10 support to check whether that is a viable option
> or not.
>
> =E2=80=93 Ufuk
>
>
> On Thu, Aug 3, 2017 at 1:59 PM, Till Rohrmann <trohrmann@apache.org>
> wrote:
> > Alternatively there would also be an option
> >
> > c) only support mutual auth for Akka 2.4+ if the backport is unrealisti=
c
> to
> > do
> >
> > But this of course would break security for Scala 2.10. On the other ha=
nd
> > people are already using Flink without this feature.
> >
> > Cheers,
> > Till
> >
> > On Wed, Aug 2, 2017 at 7:21 PM, Eron Wright <eronwright@gmail.com>
> wrote:
> >
> >> Thanks Till and Aljoscha for the feedback.
> >>
> >> Seems there are two ways to proceed here, if we accept mutual SSL as t=
he
> >> basis.
> >>
> >> a) Backport mutual-auth support from Akka 2.4 to Flakka.
> >> b) Drop support for Scala 2.10 (FLINK-?), move to Akka 2.4 (FLINK-3662=
).
> >>
> >> Let's assume (a) for now.
> >>
> >>
> >>
> >> On Tue, Aug 1, 2017 at 3:05 PM, Till Rohrmann <trohrmann@apache.org>
> >> wrote:
> >>
> >> > Dropping Java 7 alone is not enough to move to Akka 2.4+. For that w=
e
> >> need
> >> > at least Scala 2.11.
> >> >
> >> > Cheers,
> >> > Till
> >> >
> >> > On Tue, Aug 1, 2017 at 4:22 PM, Aljoscha Krettek <aljoscha@apache.or=
g
> >
> >> > wrote:
> >> >
> >> > > Hi Eron,
> >> > >
> >> > > I think after Dropping support for Java 7 we will move to Akka
> 2.4+, so
> >> > we
> >> > > should be good there. I think quite some users should find a (more=
)
> >> > secure
> >> > > Flink interesting.
> >> > >
> >> > > Best,
> >> > > Aljoscha
> >> > > > On 24. Jul 2017, at 03:11, Eron Wright <eronwright@gmail.com>
> wrote:
> >> > > >
> >> > > > Hello, now might be a good time to revisit an important
> enhancement
> >> to
> >> > > > Flink security, so-called service authorization.   This means th=
e
> >> > > hardening
> >> > > > of a Flink cluster against unauthorized use with some sort of
> >> > > > authentication and authorization scheme.   Today, Flink relies
> >> entirely
> >> > > on
> >> > > > network isolation to protect itself from unauthorized job
> submission
> >> > and
> >> > > > control, and to protect the secrets contained within a Flink
> cluster.
> >> > > > This is a problem in multi-user environments like YARN/Mesos/K8.
> >> > > >
> >> > > > Last fall, an effort was made to implement service authorization
> but
> >> > the
> >> > > PR
> >> > > > was ultimately rejected.   The idea was to add a simple secret
> key to
> >> > all
> >> > > > network communication between the client, JM, and TM.   Akka
> itself
> >> has
> >> > > > such a feature which formed the basis of the solution.  There ar=
e
> >> > > usability
> >> > > > challenges with this solution, including a dependency on SSL.
> >> > > >
> >> > > > Since then, the situation has evolved somewhat, and the use of S=
SL
> >> > mutual
> >> > > > authentication is more viable.   Mutual auth is supported in Akk=
a
> >> > 2.4.12+
> >> > > > (or could be backported to Flakka).  My proposal is:
> >> > > >
> >> > > > 1. Upgrade Akka or backport the functionality to Flakka (see
> commit
> >> > > > 5d03902c5ec3212cd28f26c9b3ef7c3b628b9451).
> >> > > > 2. Implement SSL on any endpoint that doesn't yet support it (e.=
g.
> >> > > > queryable state).
> >> > > > 3. Enable mutual auth in Akka and implement it on non-Akka
> endpoints.
> >> > > > 4. Implement a simple authorization layer that accepts any
> >> > authenticated
> >> > > > connection.
> >> > > > 5. (stretch) generate and store a certificate automatically in
> YARN
> >> > mode.
> >> > > > 6. (stretch) Develop an alternate authentication method for the
> Web
> >> UI.
> >> > > >
> >> > > > Are folks interested in this capability?  Thoughts on the use of
> SSL
> >> > > mutual
> >> > > > auth versus something else?  Thanks!
> >> > > >
> >> > > > -Eron
> >> > >
> >> > >
> >> >
> >>
>

--001a113d5246db53790555dd504d--