[ https://issues.apache.org/jira/browse/FLINK-10371?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Till Rohrmann reopened FLINK-10371:
-----------------------------------

> Allow to enable SSL mutual authentication on REST endpoints by configuration
> ----------------------------------------------------------------------------
>
>                 Key: FLINK-10371
>                 URL: https://issues.apache.org/jira/browse/FLINK-10371
>             Project: Flink
>          Issue Type: Improvement
>          Components: Client, REST, Security
>   Affects Versions: 1.6.0, 1.7.0
>            Reporter: Johannes Dillmann
>            Assignee: Johannes Dillmann
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.6.2, 1.7.0
>
>
> With Flink 1.6 SSL mutual authentication was introduced for internal
> connectivity in FLINK-9312.
> SSL support for external connectivity was also introduced in regard to
> encryption of the connection and verification of the Flink REST endpoint from
> the client side.
> But _mutual authentication between the REST endpoint and clients is not
> supported yet_.
> The [documentation suggests|https://ci.apache.org/projects/flink/flink-docs-release-1.6/ops/security-ssl.html]
> using a side car proxy to enable SSL mutual auth on the REST endpoint and
> points out the advantages of using a feature rich proxy.
> While this is a good rationale, there are still important use cases for
> support of simple mutual authentication directly in Flink: Mainly support
> for using standard images in a containerized environment.
> There are tools used to set up Flink Jobs (for example on Kubernetes clusters)
> and act as gateways to the Flink REST endpoint and the Flink web interface.
> To prevent unauthorised access to Flink the connectivity has to be secured.
> As the tools act as a gateway it is easy to create and pass a shared keystore
> and truststore used for mutual authentication to the Flink instances
> configurations.
> To enable SSL mutual authentication on REST endpoints, I am suggesting to
> add the configuration parameter `security.ssl.rest.authentication-enabled`
> which defaults to `false`.
> If it is set to `true` the `SSLUtils` factories for creating the REST server
> endpoint and the REST clients should set authentication to required and share
> `security.ssl.rest.keystore` and `security.ssl.rest.truststore` to set up SSL
> mutual authenticated connections.
>
> I have a working prototype which I would gladly submit as a PR to get further
> feedback. The changes to Flink are minimal and the default behaviour won't
> change.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
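
The check below is an added example, not code from the issue or from Flink: it audits Flink configuration text for the proposed `security.ssl.rest.authentication-enabled` switch, which defaults to `false` and therefore leaves REST clients unauthenticated even when REST SSL is on. It assumes Flink's `security.ssl.rest.enabled` option and a fallback from the REST-specific keystore and truststore keys to the generic `security.ssl.*` keys; the parser is simplified and the sample paths are constructed.

```python
# Added example: audit Flink configuration text for REST mutual authentication.
DEFAULTS = {
    "security.ssl.rest.enabled": "false",
    "security.ssl.rest.authentication-enabled": "false",  # default stated in the issue
}

def parse_flink_conf(text):
    """Simplified parser for flat 'key: value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def store_path(conf, kind):
    """REST-specific store, else the generic security.ssl.* one (assumed fallback)."""
    return conf.get(f"security.ssl.rest.{kind}") or conf.get(f"security.ssl.{kind}", "")

def audit_rest_mtls(conf):
    """Return findings; an empty list means REST mutual authentication is configured."""
    def flag(key):
        return conf.get(key, DEFAULTS[key]).lower() == "true"
    if not flag("security.ssl.rest.enabled"):
        return ["REST SSL is disabled, so no client certificate can be required"]
    findings = []
    if not flag("security.ssl.rest.authentication-enabled"):
        findings.append("security.ssl.rest.authentication-enabled is not true: "
                        "the server is verified but clients are not authenticated")
    for kind in ("keystore", "truststore"):
        if not store_path(conf, kind):
            findings.append(f"no {kind} configured for the REST endpoint")
    return findings

# Constructed sample configurations (paths are placeholders).
WEAK = """\
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /etc/flink/rest.keystore
security.ssl.rest.truststore: /etc/flink/rest.truststore
"""
HARDENED = WEAK + "security.ssl.rest.authentication-enabled: true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_rest_mtls(parse_flink_conf(text)) or "OK")
```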