Thanks, Chesnay - I totally missed that. Answered on the ticket too, let us continue there then.

Till, I agree that we should keep this codepath as slim as possible. It is an important design decision that we aim to keep the list of authentication protocols to a minimum. We believe that this should not be a primary concern of Flink and a trusted proxy service (for example Apache Knox) should be used to enable a multitude of end-user authentication mechanisms. The bare minimum of authentication mechanisms to support consequently consists of a single strong authentication protocol for which Kerberos is the enterprise solution and HTTP Basic primarily for development and light-weight scenarios.

Added the above wording to G's doc.
https://docs.google.com/document/d/1NMPeJ9H0G49TGy3AzTVVJVKmYC0okwOtqLTSPnGqzHw/edit

On Tue, Jun 1, 2021 at 11:47 AM Chesnay Schepler <ches...@apache.org> wrote:

> There's a related effort:
> https://issues.apache.org/jira/browse/FLINK-21108
>
> On 6/1/2021 10:14 AM, Till Rohrmann wrote:
> > Hi Gabor, welcome to the Flink community!
> >
> > Thanks for sharing this proposal with the community Márton. In general, I
> > agree that authentication is missing and that this is required for using
> > Flink within an enterprise. The thing I am wondering is whether this
> > feature strictly needs to be implemented inside of Flink or whether a
> > proxy setup could do the job? Have you considered this option? If yes,
> > then it would be good to list it under the point of rejected alternatives.
> >
> > I do see the benefit of implementing this feature inside of Flink if many
> > users need it. If not, then it might be easier for the project to not
> > increase the surface area since it makes the overall maintenance harder.
> >
> > Cheers,
> > Till
> >
> > On Mon, May 31, 2021 at 4:57 PM Márton Balassi <mbala...@apache.org>
> > wrote:
> >
> >> Hi team,
> >>
> >> Firstly I would like to introduce Gabor or G [1] for short to the
> >> community, he is a Spark committer who has recently transitioned to the
> >> Flink Engineering team at Cloudera and is looking forward to contributing
> >> to Apache Flink. Previously G primarily focused on Spark Streaming and
> >> security.
> >>
> >> Based on requests from our customers G has implemented Kerberos and HTTP
> >> Basic Authentication for the Flink Dashboard and HistoryServer. Previously
> >> lacked an authentication story.
> >>
> >> We are looking to contribute this functionality back to the community, we
> >> believe that given Flink's maturity there should be a common code solution
> >> for this general pattern.
> >>
> >> We are looking forward to your feedback on G's design. [2]
> >>
> >> [1] http://gaborsomogyi.com/
> >> [2]
> >> https://docs.google.com/document/d/1NMPeJ9H0G49TGy3AzTVVJVKmYC0okwOtqLTSPnGqzHw/edit