Dropping Java 7 alone is not enough to move to Akka 2.4+. For that we need at least Scala 2.11.
Cheers, Till On Tue, Aug 1, 2017 at 4:22 PM, Aljoscha Krettek <aljos...@apache.org> wrote: > Hi Eron, > > I think after Dropping support for Java 7 we will move to Akka 2.4+, so we > should be good there. I think quite some users should find a (more) secure > Flink interesting. > > Best, > Aljoscha > > On 24. Jul 2017, at 03:11, Eron Wright <eronwri...@gmail.com> wrote: > > > > Hello, now might be a good time to revisit an important enhancement to > > Flink security, so-called service authorization. This means the > hardening > > of a Flink cluster against unauthorized use with some sort of > > authentication and authorization scheme. Today, Flink relies entirely > on > > network isolation to protect itself from unauthorized job submission and > > control, and to protect the secrets contained within a Flink cluster. > > This is a problem in multi-user environments like YARN/Mesos/K8. > > > > Last fall, an effort was made to implement service authorization but the > PR > > was ultimately rejected. The idea was to add a simple secret key to all > > network communication between the client, JM, and TM. Akka itself has > > such a feature which formed the basis of the solution. There are > usability > > challenges with this solution, including a dependency on SSL. > > > > Since then, the situation has evolved somewhat, and the use of SSL mutual > > authentication is more viable. Mutual auth is supported in Akka 2.4.12+ > > (or could be backported to Flakka). My proposal is: > > > > 1. Upgrade Akka or backport the functionality to Flakka (see commit > > 5d03902c5ec3212cd28f26c9b3ef7c3b628b9451). > > 2. Implement SSL on any endpoint that doesn't yet support it (e.g. > > queryable state). > > 3. Enable mutual auth in Akka and implement it on non-Akka endpoints. > > 4. Implement a simple authorization layer that accepts any authenticated > > connection. > > 5. (stretch) generate and store a certificate automatically in YARN mode. > > 6. (stretch) Develop an alternate authentication method for the Web UI. > > > > Are folks interested in this capability? Thoughts on the use of SSL > mutual > > auth versus something else? Thanks! > > > > -Eron > >
