Github user StephanEwen commented on a diff in the pull request:
https://github.com/apache/flink/pull/2425#discussion_r86540839
--- Diff: docs/internals/flink_security.md ---
@@ -84,4 +86,79 @@ Security implementation details are based on <a
href="https://github.com/apache/
## Token Renewal
-UGI and Kafka/ZK login module implementations takes care of auto-renewing
the tickets upon reaching expiry and no further action is needed on the part of
Flink.
\ No newline at end of file
+UGI and Kafka/ZK login module implementations takes care of auto-renewing
the tickets upon reaching expiry and no further action is needed on the part of
Flink.
+
+# Authorization Support
+
+Service-level authorization is the initial authorization mechanism to
ensure clients (or servers) connecting to the Flink cluster are authorized to
do so. The purpose is to prevent a cluster from being used by an unauthorized
user, whether to execute jobs, disrupt cluster functionality, or gain access to
secrets stored within the cluster.
+
+The primary goal is to secure the following components by introducing a
shared secret mechanism to control the authorization. When security is enabled,
the configured shared secret will be used as the basis to validate all the
incoming/outgoing request.
+
+- Akka Endpoints
--- End diff --
How about describing these parts by their role? I do not expect users to
generally know that Flink uses Akka for distributed coordination. How about
- Coordination / RPC communication between JobManager, ResourceManager,
and TaskManager *(via Akka)*
- Flink Web Module
- File distribution, like JAR files, etc *(BLOB Service)*
- Data exchange between TaskManagers *(via Netty)*
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
