Ethan Li created FLINK-17641:
--------------------------------

             Summary: How to secure flink applications on yarn on multi-tenant environment
                 Key: FLINK-17641
                 URL: https://issues.apache.org/jira/browse/FLINK-17641
             Project: Flink
          Issue Type: Wish
            Reporter: Ethan Li


This is a question I wish to get some insights on.

We are trying to support and secure flink on a shared yarn cluster. Besides the 
security provided on the yarn side (queueACL, kerberos), what I noticed is that 
the flink CLI can still interact with the flink job as long as it knows the 
jobmanager rpc port/hostname and rest.port, which can be obtained easily with 
the yarn command.

Also on the UI side, on a yarn cluster, users can visit the flink job UI via the 
yarn proxy using a browser. As long as the user can authenticate and view the 
yarn resourcemanager webpage, he/she can visit the flink UI without any problem. 
This basically means the Flink UI is wide open to corp internal users.

On the internal connection side, I am aware of the support added in 1.10 to 
limit the mTLS connection by configuring security.ssl.internal.cert.fingerprint 
(https://ci.apache.org/projects/flink/flink-docs-stable/ops/security-ssl.html).

This works but it is not very flexible. Users need to update the config if the 
cert changes before they submit a new job.

I asked a similar question on the mailing list before. I am really interested 
in how other folks deal with this issue. Thanks.
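As an added illustration (not part of the reporter's message or of the Flink project's own documentation), the flink-conf.yaml fragment below combines the internal certificate pin discussed above with mutual TLS on the REST endpoint, which is the surface the CLI and the web UI reach once they know the hostname and rest.port. Keystore paths, passwords and the fingerprint value are placeholders.

```yaml
# flink-conf.yaml fragment (added example; paths, passwords and the
# fingerprint are placeholders to be replaced with the deployment's own)

# --- Internal (RPC / data) mTLS between JobManager and TaskManagers ---
security.ssl.internal.enabled: true
security.ssl.internal.keystore: /path/to/internal.keystore
security.ssl.internal.keystore-password: CHANGE_ME
security.ssl.internal.key-password: CHANGE_ME
security.ssl.internal.truststore: /path/to/internal.truststore
security.ssl.internal.truststore-password: CHANGE_ME
# Pin the exact certificate: the SHA-1 fingerprint as colon-separated hex,
# as printed by `keytool -list -v` or `openssl x509 -noout -fingerprint -sha1`.
# A peer is accepted only if it presents this certificate, even when the
# truststore CA would also vouch for others. As the report notes, rotating
# the certificate means updating this value before the next job submission.
security.ssl.internal.cert.fingerprint: 'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'  # placeholder

# --- REST endpoint (what the flink CLI and the web UI talk to) ---
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /path/to/rest.keystore
security.ssl.rest.keystore-password: CHANGE_ME
security.ssl.rest.key-password: CHANGE_ME
# Require a client certificate on the REST port. A CLI or browser that only
# knows the address from the yarn command, but holds no trusted client
# certificate, is rejected at the TLS handshake.
security.ssl.rest.authentication-enabled: true
security.ssl.rest.truststore: /path/to/rest.truststore
security.ssl.rest.truststore-password: CHANGE_ME
```

On YARN the keystore and truststore files must be shipped with the application so that every container can read them at the configured paths; the YARN web proxy itself holds no client certificate, so with REST client authentication enabled the UI has to be reached with a browser that presents one.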
--
This message was sent by Atlassian Jira
(v8.3.4#803005)