flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Till Rohrmann (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (FLINK-10371) Allow to enable SSL mutual authentication on REST endpoints by configuration
Date Mon, 24 Sep 2018 09:29:00 GMT

     [ https://issues.apache.org/jira/browse/FLINK-10371?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Till Rohrmann reassigned FLINK-10371:
-------------------------------------

    Assignee: Johannes Dillmann

> Allow to enable SSL mutual authentication on REST endpoints by configuration
> ----------------------------------------------------------------------------
>
>                 Key: FLINK-10371
>                 URL: https://issues.apache.org/jira/browse/FLINK-10371
>             Project: Flink
>          Issue Type: Improvement
>          Components: Client, REST, Security
>    Affects Versions: 1.6.0, 1.7.0
>            Reporter: Johannes Dillmann
>            Assignee: Johannes Dillmann
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.7.0, 1.6.2
>
>
> With Flink 1.6 SSL mutual authentication was introduced for internal connectivity in FLINK-9312. 
>  SSL support for external connectivity was also introduced in regard to encryption of
the connection and verification of the Flink REST endpoint from the client side.
> But _mutual authentication between the REST endpoint and clients is not supported yet_.
>  The [documentation suggests |https://ci.apache.org/projects/flink/flink-docs-release-1.6/ops/security-ssl.html] using
a side car proxy to enable SSL mutual auth on the REST endpoint and points out the advantages
of using a feature rich proxy.
> While this is a good rationale, there are still important use cases for support of  simple
mutual authentication directly in Flink: Mainly support for using standard images in a containerized
environment.
> There are tools used to setup Flink Jobs (for example on Kubernetes clusters) and act
as gateways to the Flink REST endpoint and the Flink web interface. To prevent unauthorised
access to Flink the connectivity has to be secured. As the tools acts as gateway it is easy
to create and pass a shared keystore  and truststore used for mutual authentication to the
Flink instances configurations.
> To enable for SSL mutual authentication on REST endpoints, I am suggesting to add a the
configuration parameter `security.ssl.rest.authentication-enabled` which defaults to `false`.
>  If it is set to `true` the `SSLUtils` factories for creating the REST server endpoint
and the REST clients should set authentication to required and share `security.ssl.rest.keystore`
and `security.ssl.rest.truststore` to setup SSL mutual authenticated connections.
>  
> I have a working prototype which I would gladly submit as a PR to get further feedback.
The changes to Flink are minimal and the default behaviour won't change.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message