[
https://issues.apache.org/jira/browse/FLINK-21108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17272950#comment-17272950
]
Xiaoguang Sun edited comment on FLINK-21108 at 1/27/21, 3:53 PM:
-----------------------------------------------------------------
At this time, anybody who knows the endpoint of a running Flink cluster can
access it. This makes it easier to compromise when there is a vulnerability,
CVE-2020-17518 for example. In addition, people who have access to the web
console can terminate or even submit new jobs, which essentially makes it
possible to run arbitrary code in a production environment. In addition, people
can introspect the configuration of running jobs, which might contain sensitive
information as well. For these reasons, it is kind of important to restrict the
Flink console to be only available to authenticated users. A reverse proxy is
one way of doing it, but we probably need to figure out a way to completely
hide the real server behind such an authentication proxy so malicious users
can't bypass the proxy and access the Flink console directly. This problem gets
worse when users are running Flink on Kubernetes: the highly dynamic nature of
Kubernetes will make hardening the Flink console a tough job because the
address of the Kubernetes ingress server might change as well. If restricting
access to the Flink console is something we have to do, we will have to deal
with this scenario eventually.
> Flink runtime rest server and history server webmonitor do not require
> authentication.
> --------------------------------------------------------------------------------------
>
> Key: FLINK-21108
> URL: https://issues.apache.org/jira/browse/FLINK-21108
> Project: Flink
> Issue Type: New Feature
> Components: Runtime / REST, Runtime / Web Frontend
> Reporter: Xiaoguang Sun
> Priority: Major
> Labels: pull-request-available
>
> Flink runtime rest server and history server webmonitor do not require
> authentication. In certain scenarios, prohibiting unauthorized access is
> desired. HTTP basic authentication can be used here.
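The issue proposes HTTP basic authentication for the REST server and web monitor. As an added example (not Flink's code and not taken from the linked pull request), this is the `Authorization` header check that a server, or an authenticating proxy in front of it, would run before serving a request. The user name, password, salt and PBKDF2 storage format are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; plaintext passwords are never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample credential store: user -> (salt, PBKDF2-SHA256 hash).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"flink-admin": (_SALT, hash_password("constructed-example-password", _SALT))}


def check_basic_auth(header, users=USERS):
    """Return the authenticated user name, or None (caller answers 401)."""
    if not header:
        return None  # no credentials sent at all
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # wrong scheme (e.g. Bearer) or empty token
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # payload must be "user:password"
    # Unknown users still go through one hash computation, so response
    # time does not reveal which account names exist.
    salt, expected = users.get(user, (_SALT, b"\x00" * 32))
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)  # constant-time compare
    return user if matches and user in users else None
```

Basic credentials are only base64-encoded, so this check is meaningful only over TLS, and only when the backend is not reachable by any path that skips it.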