AFAIK, there are no granular permissions like that built into Flink. Limiting access to the REST API seems like a good place to start. The web UI uses the API, but controlling it there means you’re locking down all means of access. The designers of the API were disciplined about what HTTP verbs were used, so allowing all GET requests and denying PUT/POST/DELETE/PATCH would mean read only access, and I think that would be straightforward to implement with an HTTP proxy
From: uday bhaskar [mailto:uday...@gmail.com] Sent: Thursday, April 25, 2019 6:57 AM To: user@flink.apache.org Subject: EXT :read only mode for Flink UI Hi We are looking at running Flink on Kubernetes in Job cluster mode. As part of our plans we do not want to allow modifications to the job cluster once a job is running. For this we are looking at a "read-only" Flink UI, that does not allow users to cancel a job or submit a job. My question is, 1. Is there such an option when we bring up a Flink cluster currently 2. If no, is this something we can contribute? I can imagine another solution where the "cancel" and "submit job" options mutates the job clusters. Wanted to check what are the general guidelines on this. Any pointers would be appreciated Uday ________________________________ Notice: This e-mail is intended solely for use of the individual or entity to which it is addressed and may contain information that is proprietary, privileged and/or exempt from disclosure under applicable law. If the reader is not the intended recipient or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. This communication may also contain data subject to U.S. export laws. If so, data subject to the International Traffic in Arms Regulation cannot be disseminated, distributed, transferred, or copied, whether incorporated or in its original form, to foreign nationals residing in the U.S. or abroad, absent the express prior approval of the U.S. Department of State. Data subject to the Export Administration Act may not be disseminated, distributed, transferred or copied contrary to U. S. Department of Commerce regulations. If you have received this communication in error, please notify the sender by reply e-mail and destroy the e-mail message and any physical copies made of the communication. Thank you. ********************* ------------------------------------------------------------------------------ Notice: This e-mail is intended solely for use of the individual or entity to which it is addressed and may contain information that is proprietary, privileged and/or exempt from disclosure under applicable law. If the reader is not the intended recipient or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. This communication may also contain data subject to U.S. export laws. If so, data subject to the International Traffic in Arms Regulation cannot be disseminated, distributed, transferred, or copied, whether incorporated or in its original form, to foreign nationals residing in the U.S. or abroad, absent the express prior approval of the U.S. Department of State. Data subject to the Export Administration Act may not be disseminated, distributed, transferred or copied contrary to U. S. Department of Commerce regulations. If you have received this communication in error, please notify the sender by reply e-mail and destroy the e-mail message and any physical copies made of the communication. Thank you. *********************
