Github user StephanEwen commented on a diff in the pull request: https://github.com/apache/flink/pull/2425#discussion_r86540326 --- Diff: docs/internals/flink_security.md --- @@ -84,4 +86,79 @@ Security implementation details are based on <a href="https://github.com/apache/ ## Token Renewal -UGI and Kafka/ZK login module implementations takes care of auto-renewing the tickets upon reaching expiry and no further action is needed on the part of Flink. \ No newline at end of file +UGI and Kafka/ZK login module implementations takes care of auto-renewing the tickets upon reaching expiry and no further action is needed on the part of Flink. + +# Authorization Support + +Service-level authorization is the initial authorization mechanism to ensure clients (or servers) connecting to the Flink cluster are authorized to do so. The purpose is to prevent a cluster from being used by an unauthorized user, whether to execute jobs, disrupt cluster functionality, or gain access to secrets stored within the cluster. + +The primary goal is to secure the following components by introducing a shared secret mechanism to control the authorization. When security is enabled, the configured shared secret will be used as the basis to validate all the incoming/outgoing request. --- End diff -- This section first talks about a shared secret then about a cookie. It would be good to say somewhere that the cookie is the shared secret.
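Review bot: The last added paragraph, under "# Authorization Support", says the shared secret is "the basis to validate all the incoming/outgoing request". The lines shown do not say what that validation consists of or what happens to a request that fails it. Suggest one sentence stating that a connection which does not present the configured secret is rejected, and another stating whether every holder of the secret gets the same level of access, since the section is framed as authorization rather than authentication. The same paragraph promises "the following components" with a colon-style lead-in, so the list should follow immediately. Smaller points: "request" should be "requests", the re-added Token Renewal sentence still reads "implementations takes" (should be "take"), and "# Authorization Support" is a level-1 heading directly after the level-2 "## Token Renewal", which is worth checking against the heading levels used in the rest of the file.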