Ethan Li created FLINK-17641:
--------------------------------
Summary: How to secure flink applications on yarn on multi-tenant
environment
Key: FLINK-17641
URL: https://issues.apache.org/jira/browse/FLINK-17641
Project: Flink
Issue Type: Wish
Reporter: Ethan Li
This is a question I wish to get some insights on.
We are trying to support and secure flink on shared yarn cluster. Besides the
security provided by yarn side (queueACL, kerberos), what I noticed is that
flink CLI can still interact with the flink job as long as it knows the
jobmanager rpc port/hostname and rest.port, which can be obtained easily with
yarn command.
Also on the UI side, on yarn cluster, users can visit flink job UI via yarn
proxy using browser. As long as the user can authenticate and view yarn
resourcemanager webpage, he/she can visit the flink UI without any problem.
This basically means Flink UI is wide-open to corp internal users.
On the internal connection side, I am aware of the support added in 1.10 to
limit the mTLS connection by configuring security.ssl.internal.cert.fingerprint
(https://ci.apache.org/projects/flink/flink-docs-stable/ops/security-ssl.html)
This works but it is not very flexible. Users need to update the config if the
cert changes before they submit a new job.
I asked the similar question on the mailing list before. I am really interested
in how other folks deal with this issue. Thanks.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
