[DISCUSS] Service Authorization (SSL client authentication)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[DISCUSS] Service Authorization (SSL client authentication)

Eron Wright-2
I'd like to make some progress on hardening Flink using SSL client
authentication.   Here's the FLIP proposal:
https://docs.google.com/document/d/13IRPb2GdL842rIzMgEn0ibOQHNku6W8aMf1p7gCPJjg/edit?usp=sharing

1. What is the next step to have this FLIP be accepted?
2. Does anyone have any objections to the technical plan?

Thanks!
Eron Wright
Dell EMC
Reply | Threaded
Open this post in threaded view
|

Re: [DISCUSS] Service Authorization (SSL client authentication)

Eron Wright-2
Folks, what is the next step to formally submit a FLIP?    i.e. assign a
number, drive to 'accepted' state?

Given the introduction of new RPC and REST endpoints with FLIP-6, now is a
good time to agree on the approach to securing Flink.

Thanks!
Eron

On Mon, Nov 27, 2017 at 11:52 AM, Eron Wright <[hidden email]> wrote:

> I'd like to make some progress on hardening Flink using SSL client
> authentication.   Here's the FLIP proposal:
> https://docs.google.com/document/d/13IRPb2GdL842rIzMgEn0ibOQHNku6
> W8aMf1p7gCPJjg/edit?usp=sharing
>
> 1. What is the next step to have this FLIP be accepted?
> 2. Does anyone have any objections to the technical plan?
>
> Thanks!
> Eron Wright
> Dell EMC
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: [DISCUSS] Service Authorization (SSL client authentication)

Till Rohrmann
Thanks for drafting the service authorization FLIP Eron. It is a very
important feature which Flink is still lacking and hinders some people to
deploy Flink in their cluster environments.

The overall design looks really good to me. I would suggest to make a FLIP
out of it by adding it to the Flink wiki [1].

The next step would be to refine the implementation plan a little bit. In
general one could split the Flip into external and internal authentication.
The latter is less of a moving target right now, since Flink does not
support communication via the Yarn proxy yet (which is should eventually
do). But I think it would also be ok to say that we first concentrate on
subset of all deployment options (e.g. Kubernetes and Standalone). Once the
implementation plan is a bit clearer, we should create the corresponding
JIRAs and start with the implementation work.

[1]
https://cwiki.apache.org/confluence/display/FLINK/Flink+Improvement+Proposals

Cheers,
Till

On Tue, Dec 19, 2017 at 7:16 PM, Eron Wright <[hidden email]> wrote:

> Folks, what is the next step to formally submit a FLIP?    i.e. assign a
> number, drive to 'accepted' state?
>
> Given the introduction of new RPC and REST endpoints with FLIP-6, now is a
> good time to agree on the approach to securing Flink.
>
> Thanks!
> Eron
>
> On Mon, Nov 27, 2017 at 11:52 AM, Eron Wright <[hidden email]>
> wrote:
>
> > I'd like to make some progress on hardening Flink using SSL client
> > authentication.   Here's the FLIP proposal:
> > https://docs.google.com/document/d/13IRPb2GdL842rIzMgEn0ibOQHNku6
> > W8aMf1p7gCPJjg/edit?usp=sharing
> >
> > 1. What is the next step to have this FLIP be accepted?
> > 2. Does anyone have any objections to the technical plan?
> >
> > Thanks!
> > Eron Wright
> > Dell EMC
> >
> >
> >
>