[
https://issues.apache.org/jira/browse/FLINK-27900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yu Wang updated FLINK-27900:
----------------------------
Description:
Currently the Flink Rest api does not have authentication, according to the doc
[https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
# We set up the Flink cluster in k8s
# We set up a nginx sidecar to enable auth for Flink Rest api.
# We set *rest.bind-address* to localhost to hide the original Flink address
and port
# We enabled the ssl for the Flink Rest api
It works fine wen the client tried to call the Flink Rest api with *https*
scheme.
But if the client using *http* scheme, the *RedirectingSslHandler* will try to
redirect the address to the advertised url. According to
{*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as
the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1* and
failed to connect the url.
So we hope the advertisedAddress can be decoupled with rest.bind-addres, to
provide more flexibility to the Flink deployment.
was:
Currently the Flink Rest api does not have authentication, according to the doc
[https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
# We set up the Flink cluster in k8s
# We set up a nginx sidecar to enable auth for Flink Rest api.
# We set *rest.bind-address* to localhost to hide the original Flink address
and port
# We enabled the ssl for the Flink Rest api
It works fine wen the client tried to call the Flink Rest api with *https*
scheme.
But if the client using *http* scheme, the *RedirectingSslHandler* will try to
redirect the address to the advertised url. According to the code of
{*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as
the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1* and
failed to connect the url.
So we hope the advertisedAddress can be decoupled with rest.bind-addres, to
provide more flexibility to the Flink deployment.
> Decouple the advertisedAddress and rest.bind-address
> ----------------------------------------------------
>
> Key: FLINK-27900
> URL: https://issues.apache.org/jira/browse/FLINK-27900
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / REST
> Affects Versions: 1.10.3, 1.12.0, 1.11.6, 1.13.6, 1.14.4
> Environment: Flink 1.13, 1.12, 1.11, 1.10
> Deploy Flink in Kubernetes pod with a nginx sidecar for auth
> Reporter: Yu Wang
> Priority: Minor
>
> Currently the Flink Rest api does not have authentication, according to the
> doc
> [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
> # We set up the Flink cluster in k8s
> # We set up a nginx sidecar to enable auth for Flink Rest api.
> # We set *rest.bind-address* to localhost to hide the original Flink address
> and port
> # We enabled the ssl for the Flink Rest api
> It works fine wen the client tried to call the Flink Rest api with *https*
> scheme.
> But if the client using *http* scheme, the *RedirectingSslHandler* will try
> to redirect the address to the advertised url. According to
> {*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as
> the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1*
> and failed to connect the url.
> So we hope the advertisedAddress can be decoupled with rest.bind-addres, to
> provide more flexibility to the Flink deployment.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
