+1 for d) don't print any env vars in the web UI
In the longer term, instead of a flag to hide/show certain variables, I
would be more inclined to move towards role-based access for the Flink
dashboard.
Thanks,
On Wed, Nov 16, 2022 at 10:22 PM Thomas Weise wrote:
> +1 for d) don't print any en
+1 for d) don't print any env vars in the web UI (at least by default)
There could be an option to allow-list printing of env vars but it should
be off by default.
Generally I think that those that should be able to see env vars probably
can get there by other means, like kubectl exec
Thanks,
Th
Hi everyone,
thanks a lot for your feedback so far. Right now, we have pretty much a
consensus to not show environment variables at all in the Web UI going
forward.
I think we can address this in 1.16.1, as I consider this a vulnerability
that should be addressed in a patch release rather than w
I am not opposed to removing this completely based on Chesnay's reasoning.
In general I agree that this feature probably does more harm than good.
Gyula
On Wed, Nov 16, 2022 at 9:13 AM Chesnay Schepler wrote:
> I'm inclined to go with d), removing it entirely.
>
> I must admit that I liked the
I'm inclined to go with d), removing it entirely.
I must admit that I liked the idea behind the change; exposing more
information about what might impact Flink's behavior is a good thing,
although I'm irked that the statement in the FLIP about env variables
already being exposed in the logs ju
Hi everyone,
important correction, this is since 1.16.0, not 1.17+.
Best,
Konstantin
On Tue, Nov 15, 2022 at 14:25, Gyula Fóra wrote:
> Thanks for bringing this important issue to discussion Konstantin!
>
> I am in favor of not showing them by default with an optional configuration
> to
Thanks for bringing this important issue to discussion Konstantin!
I am in favor of not showing them by default with an optional configuration
to enable it.
Otherwise this poses a big security risk of exposing previously hidden
information after upgrade.
Gyula
On Tue, Nov 15, 2022 at 2:15 PM Max
Hey Konstantin,
I'd be in favor of not printing them at all, i.e. option (d). We have the
configuration page which lists the effective config and already removes any
known secrets.
-Max
On Tue, Nov 15, 2022 at 11:26 AM Konstantin Knauf wrote:
> Hi all,
>
> since Flink 1.17 [1] the Flink Web UI
Hi all,
since Flink 1.17 [1] the Flink Web UI prints *all* environment variables of
the Taskmanager or Jobmanagers hosts (Jobmanager -> Configuration ->
Environment). Given that environment variables are often used to store
sensitive information, I think it is wrong and dangerous to print those i