flink-issues mailing list archives

From "Eron Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-5850) implement OAuth 2.0 check in Web Backend API
Date Wed, 01 Mar 2017 00:49:45 GMT

    [ https://issues.apache.org/jira/browse/FLINK-5850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15889227#comment-15889227 ]

Eron Wright commented on FLINK-5850:
-------------------------------------

Something to keep in mind is that the web frontend is proxied in the YARN and Mesos deployment
modes.

Here are some Mesos specifics:
The DCOS distribution of Mesos uses OpenID Connect and I think the "admin router" proxy will
pass the token to the webapp.

Here are some YARN specifics:

When you click on the 'tracking URL' for a running YARN application, the browser opens to
the Flink WebUI indirectly via YARN's RM Proxy. The proxy doesn't pass through arbitrary headers
or the `Authorization` header. The webapp (in this case, Flink) should use `org.apache.hadoop.yarn.server.webproxy.amfilter.AmIpFilter`
to delegate authentication to the RM proxy. The filter does make available the username for
app-specific authorization logic.

Some references:
[https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
[https://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/HttpAuthentication.html]
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L71]
[https://github.com/apache/hadoop/tree/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter]

> implement OAuth 2.0 check in Web Backend API
> --------------------------------------------
>
>                 Key: FLINK-5850
>                 URL: https://issues.apache.org/jira/browse/FLINK-5850
>             Project: Flink
>          Issue Type: Improvement
>          Components: Web Client
>    Affects Versions: 1.2.0, 1.1.4
>            Reporter: Fabian Wollert
>
> Currently the web frontend is open to the public. It would be helpful for us to have the
> frontend and the backend secured by OAuth 2.0.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
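
A simplified model of the delegation described in the comment above, added here as an example; it is not part of the original message and is not Hadoop's or Flink's code. It shows the trust boundary that delegating to a proxy implies: a user name is accepted only when the request arrives from the proxy's address, and the `Authorization` header plays no part. The class name, addresses, user names, the ACL and the `proxy-user` cookie name are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Simplified model of a web app that delegates authentication to a trusted proxy. */
public class ProxyDelegatedAuth {
    // Assumption: name of the cookie in which the RM proxy conveys the user.
    static final String PROXY_USER_COOKIE = "proxy-user";

    enum Outcome { REDIRECT_TO_PROXY, ANONYMOUS, ALLOWED, FORBIDDEN }

    private final Set<String> proxyAddresses;  // addresses of the RM proxy host(s)
    private final Set<String> authorizedUsers; // hypothetical app-specific ACL

    ProxyDelegatedAuth(Set<String> proxyAddresses, Set<String> authorizedUsers) {
        this.proxyAddresses = proxyAddresses;
        this.authorizedUsers = authorizedUsers;
    }

    /** Decide how to handle a request from its source address and cookies alone. */
    Outcome decide(String remoteAddr, Map<String, String> cookies) {
        // Trust boundary: a user name is believed only when the proxy sent it.
        // Direct requests are bounced to the proxy, which authenticates them.
        if (!proxyAddresses.contains(remoteAddr)) {
            return Outcome.REDIRECT_TO_PROXY;
        }
        // The Authorization header is never consulted: the proxy does not forward it.
        String user = cookies.get(PROXY_USER_COOKIE);
        if (user == null || user.isEmpty()) {
            return Outcome.ANONYMOUS; // proxied, but no identity was supplied
        }
        // App-specific authorization on the delegated user name.
        return authorizedUsers.contains(user) ? Outcome.ALLOWED : Outcome.FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample data: one proxy address and a one-user ACL.
        ProxyDelegatedAuth auth = new ProxyDelegatedAuth(
                new HashSet<>(Arrays.asList("10.0.0.5")),
                new HashSet<>(Arrays.asList("alice")));
        Map<String, String> alice = Collections.singletonMap(PROXY_USER_COOKIE, "alice");
        Map<String, String> bob = Collections.singletonMap(PROXY_USER_COOKIE, "bob");
        Map<String, String> none = Collections.emptyMap();
        System.out.println(auth.decide("10.0.0.5", alice));     // via proxy, on the ACL
        System.out.println(auth.decide("10.0.0.5", bob));       // via proxy, not on the ACL
        System.out.println(auth.decide("10.0.0.5", none));      // via proxy, no user cookie
        System.out.println(auth.decide("203.0.113.9", alice));  // direct, cookie is ignored
    }
}
```

The model only holds if the web app's port is unreachable except through the proxy, or if every direct request is redirected as shown; otherwise the user cookie is attacker-controlled input.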
