flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eron Wright (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-5850) implement OAuth 2.0 check in Web Backend API
Date Wed, 01 Mar 2017 00:49:45 GMT

    [ https://issues.apache.org/jira/browse/FLINK-5850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15889227#comment-15889227

Eron Wright  commented on FLINK-5850:

Something to keep in mind is that the web frontend is proxied in the YARN and Mesos deployment

Here's some Mesos specifics:
The DCOS distribution of Mesos uses OpenID Connect and I think the "admin router" proxy will
pass the token to the webapp.

Here's some YARN specifics:

When you click on the 'tracking URL' for a running YARN application, the browser opens to
the Flink WebUI indirectly via YARN's RM Proxy.   The proxy doesn't pass thru arbitrary headers
nor the `Authorization` header.  The webapp (in this case, Flink) should use `org.apache.hadoop.yarn.server.webproxy.amfilter.AmIpFilter`
to delegate authentication to the RM proxy.  The filter does make available the username for
app-specific authorization logic.

Some references:

> implement OAuth 2.0 check in Web Backend API
> --------------------------------------------
>                 Key: FLINK-5850
>                 URL: https://issues.apache.org/jira/browse/FLINK-5850
>             Project: Flink
>          Issue Type: Improvement
>          Components: Web Client
>    Affects Versions: 1.2.0, 1.1.4
>            Reporter: Fabian Wollert
> currently the web frontend is open to public. it would be helpful for us to have the
frontend and the backend secured by OAuth 2.0.

This message was sent by Atlassian JIRA

View raw message