[GitHub] flink issue #2425: FLINK-3930 Added shared secret based authorization for Fl...

2017-08-07 Thread EronWright
Github user EronWright commented on the issue: https://github.com/apache/flink/pull/2425 Note to future self: to generate a self-signed certificate, use `CertAndKeyGen` and see [OPENDJ-2247](https://bugster.forgerock.org/jira/browse/OPENDJ-2247).

2017-03-16 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @StephanEwen It's absolutely fine with me and I will cancel this PR.

2017-03-15 Thread StephanEwen
Github user StephanEwen commented on the issue: https://github.com/apache/flink/pull/2425 @vijikarthi I hope you are okay with exploring that option - this is not saying that this pull request is not a good solution, but whenever we have to maintain less code it makes things easier.

2017-03-15 Thread StephanEwen
Github user StephanEwen commented on the issue: https://github.com/apache/flink/pull/2425 Thanks Eron, that makes a lot of sense. My first thought would be: Let's add SSL mutual authentication. That seems desirable anyways and we would not need another mechanism (shared

2017-03-14 Thread EronWright
Github user EronWright commented on the issue: https://github.com/apache/flink/pull/2425 @StephanEwen keep in mind that Flink's current SSL support in Flink doesn't achieve _mutual authentication_ - there's no client certificate there. With SSL enabled, an untrusted client can

2017-03-14 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @StephanEwen The shared secret can be considered as an additional security extension on top of TLS integration, thus it designates only an authorized identity to execute actions on a

2017-03-14 Thread StephanEwen
Github user StephanEwen commented on the issue: https://github.com/apache/flink/pull/2425 Sorry for chiming in a bit late here with this more fundamental question. I would like to understand from a security architecture, what additional security this shared secret gives us:

2017-03-12 Thread Rucongzhang
Github user Rucongzhang commented on the issue: https://github.com/apache/flink/pull/2425 @vijikarthi, when will you push this issue to the master? I can help you, if you need any help. Thanks!

2016-11-17 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @StephanEwen, @mxm I have updated the documentation changes as suggested, moved common code from BlobUtils to SecurityContext, added new ConfigOptions class for security configurations lookup.

2016-11-09 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @StephanEwen @mxm - Could you please review the proposed change and let me know if you are okay with it.

2016-11-06 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 > The cookie is added to every single message/buffer that is transferred. That is too much - securing the integrity of the stream is responsibility of the encryption layer. The cookie should

2016-11-04 Thread mxm
Github user mxm commented on the issue: https://github.com/apache/flink/pull/2425 Thank you for the changes. I wonder, could we remove the cookie header completely for Netty or the BlobServer in case the authorization is turned off? The Netty protocol has a `MAGIC_NUMBER` which is

2016-11-03 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @mxm - Sorry that I missed addressing some of your comments. Attached patch that includes Netty code null precondition validation and fixes the Blob service cookie length issue. Please take

2016-10-30 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 Addressed multiple application support/Yarn configuration file changes as part of FLINK-4950 patch.

2016-10-27 Thread mxm
Github user mxm commented on the issue: https://github.com/apache/flink/pull/2425 CC @uce to check out the network layer changes. This is a very sensitive and performance critical part of Flink. We should be very sure nothing breaks it with the changes. @vijikarthi Please

2016-10-26 Thread mxm
Github user mxm commented on the issue: https://github.com/apache/flink/pull/2425 @vijikarthi I haven't forgotten about your PR. Thanks for the feedback. I'll get back to you today.

2016-10-24 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @mxm - Please take a look when you get a chance?

2016-10-19 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 Thanks @mxm for the review. I will incorporate your feedback and attach the patch. > When security is enabled, encryption should also be turned on by default. Otherwise we will

2016-10-19 Thread mxm
Github user mxm commented on the issue: https://github.com/apache/flink/pull/2425 Thank you for your work so far @vijikarthi. I'll take a final look before we merge this.

2016-10-18 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 Resolved merge conflicts and squashed commits to rebase with master

2016-10-11 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 I'll take a look.

2016-10-10 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @rmetzger can you please take a look at the updated patch

2016-10-03 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 Addressed [FLINK-4635] Netty data transfer authentication (missing piece of FLINK-3930)

2016-09-23 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 Thanks @StephanEwen

2016-09-23 Thread StephanEwen
Github user StephanEwen commented on the issue: https://github.com/apache/flink/pull/2425 I think we are waiting for @rmetzger to follow up. He is out of office for a few days...

2016-09-23 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @rmetzger @StephanEwen are you guys waiting for any inputs from my side?

2016-09-20 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @rmetzger I have added internals documentation section and provided details on how secure cookie is implemented. I will address the missing Netty data transfer secure cookie part in FLINK-4635.

2016-09-06 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 > How is the secret transferred to the TaskManagers on YARN? Cookie is transferred to TM container through container environment variable and further gets populated to in-memory Flink

2016-09-06 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 Thank you for addressing my comments. I've looked into the design document [1] again and some details are missing there. In particular it's not clearly specified how and where the shared

2016-09-06 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 > T2-3 is not about the web interface netty, it's about the data transfer netty. In Flink, we are using netty for (at least) three things: - Akka is using Netty. This is addressed in

2016-09-02 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 T2-3 is not about the web interface netty, it's about the data transfer netty. In Flink, we are using netty for (at least) three things: - Akka is using Netty. This is addressed in the pull

2016-09-01 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 > According to the design document, netty authentication is also part of this JIRA. Why was it not addressed? The netty layer is addressed as part of web layer authentication (T2-3 &

2016-09-01 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 According to the design document, netty authentication is also part of this JIRA. Why was it not addressed?

2016-09-01 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 I'm done with my initial review. If you have a minute @mxm, it would be good if you could check the CliFrontend changes, to see if they fit the architecture well.

2016-09-01 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 I manually tested the code. Taskmanagers are properly rejected on mismatching cookies, it works when they match. One thing I found was that the error reporting is not very good:

2016-09-01 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 It seems that some of the YARN tests are failing because the jobmanager / application master is logging: ``` 2016-08-27 08:48:54,858 INFO org.apache.flink.yarn.YarnJobManager

2016-09-01 Thread rmetzger
Github user rmetzger commented on the issue: https://github.com/apache/flink/pull/2425 Thank you for opening a pull request for this. I'll check it out now.

2016-08-28 Thread vijikarthi
Github user vijikarthi commented on the issue: https://github.com/apache/flink/pull/2425 @mxm - The patch is available for your review. Please take a look.