Securing Flink Monitoring REST API

avivros
What is the best way to secure the Monitoring REST API?
I am using the monitoring REST API in a production environment (starting/stopping jobs, etc.). I should only allow authenticated calls to be executed (called from a Java server process).
What's the best way to go about this (Kerberos? SSL Client Authentication? Other?)?



--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/

Re: Securing Flink Monitoring REST API

Fabian Hueske-2
Hi,

you can configure SSL for Flink's network communication [1] (see jobmanager.web.ssl.enabled).
However, Flink does not manage different user accounts or allow granting permissions yet.

Best, Fabian

2017-09-04 13:00 GMT+02:00 avivros <[hidden email]>:
What is the best way to secure the Monitoring REST API?
I am using the monitoring REST API in a production environment (starting/stopping jobs, etc.). I should only allow authenticated calls to be executed (called from a Java server process).
What's the best way to go about this (Kerberos? SSL Client Authentication? Other?)?

Re: Securing Flink Monitoring REST API

avivros
Does jobmanager.web.ssl.enabled support Client SSL Authentication?

Re: Securing Flink Monitoring REST API

Fabian Hueske-2
Hi,

sorry for the late response.
Flink uses Netty for network communication which supports SSL client authentication.
I haven't tried it myself, but would think that this should work in Flink as well if you configure the certificates correctly.

We should update the docs to cover this aspect.
Feedback on this would be very welcome

Thanks, Fabian

2017-09-06 14:23 GMT+02:00 avivros <[hidden email]>:
Does jobmanager.web.ssl.enabled support Client SSL Authentication?

Re: Securing Flink Monitoring REST API

Eron Wright
Unfortunately Flink does not yet support SSL mutual authentication nor any form of client authentication.   There is an ongoing discussion about it:

A workaround that I've seen is to use nginx as a frontend proxy.  Be sure to lock down the underlying endpoints somehow.  If you choose to go this route, Patrick Lucas gave a related talk recently (Flink in Containerland): https://youtu.be/w721NI-mtAA

-Eron


On Mon, Sep 18, 2017 at 1:30 AM, Fabian Hueske <[hidden email]> wrote:
Hi,

sorry for the late response.
Flink uses Netty for network communication which supports SSL client authentication.
I haven't tried it myself, but would think that this should work in Flink as well if you configure the certificates correctly.

We should update the docs to cover this aspect.
Feedback on this would be very welcome

Thanks, Fabian

2017-09-06 14:23 GMT+02:00 avivros <[hidden email]>:
Does jobmanager.web.ssl.enabled support Client SSL Authentication?
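
The nginx front-proxy workaround from Eron Wright's reply, sketched as an added example (not from the thread or the Flink project): nginx terminates TLS, requires a client certificate, and forwards to a JobManager web endpoint that only the proxy can reach. The hostname, file paths, upstream address, listen port 8443 and the client CN `job-controller` are assumptions.

```nginx
# Constructed example: every hostname, path, port and CN below is a placeholder.
events {}

http {
    # Allow-list of client identities, matched on the verified certificate's
    # subject DN. The anchors stop "CN=job-controller-x" from matching.
    map $ssl_client_s_dn $flink_client_allowed {
        default                          0;
        "~(^|,)CN=job-controller(,|$)"   1;
    }

    upstream flink_jobmanager {
        # Assumption: the JobManager web/REST endpoint is reachable only from
        # this host (loopback bind or a firewall rule). Without that, callers
        # can bypass the proxy and reach the unauthenticated endpoint directly.
        server 127.0.0.1:8081;
    }

    server {
        listen 8443 ssl;
        server_name flink.example.internal;

        # Server identity presented to the Java client process.
        ssl_certificate     /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Client certificate authentication: the handshake must present a
        # certificate issued by this CA, otherwise nginx rejects the request.
        ssl_client_certificate /etc/nginx/tls/flink-clients-ca.crt;
        ssl_verify_client      on;
        ssl_verify_depth       1;

        location / {
            # A valid chain is not enough: only allow-listed subjects may
            # start or stop jobs through the monitoring API.
            if ($flink_client_allowed = 0) { return 403; }

            proxy_pass http://flink_jobmanager;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Issuing the client certificates from a CA dedicated to this proxy keeps the trust set small; a shared corporate CA would let any certificate holder pass the chain check and leave the subject allow-list as the only gate.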


Re: Securing Flink Monitoring REST API

Fabian Hueske-2
Thanks for the correction and the pointers Eron!

Cheers, Fabian

2017-09-18 18:34 GMT+02:00 Eron Wright <[hidden email]>:
Unfortunately Flink does not yet support SSL mutual authentication nor any form of client authentication.   There is an ongoing discussion about it:

A workaround that I've seen is to use nginx as a frontend proxy.  Be sure to lock down the underlying endpoints somehow.  If you choose to go this route, Patrick Lucas gave a related talk recently (Flink in Containerland): https://youtu.be/w721NI-mtAA

-Eron


On Mon, Sep 18, 2017 at 1:30 AM, Fabian Hueske <[hidden email]> wrote:
Hi,

sorry for the late response.
Flink uses Netty for network communication which supports SSL client authentication.
I haven't tried it myself, but would think that this should work in Flink as well if you configure the certificates correctly.

We should update the docs to cover this aspect.
Feedback on this would be very welcome

Thanks, Fabian

2017-09-06 14:23 GMT+02:00 avivros <[hidden email]>:
Does jobmanager.web.ssl.enabled support Client SSL Authentication?