Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flink Security Enhancements

Published byPauline Gardner Modified over 6 years ago

Similar presentations

Presentation on theme: "Flink Security Enhancements"— Presentation transcript:

1 Flink Security Enhancements
Eron Wright – DELL EMC @eronwright

2 New Security Features Kerberos Authentication Support
Service-Level Authorization Transport Security (SSL/TLS)

3 Existing Capability Hadoop Delegation Token (DT) Limitations
CLI uses Kerberos to authenticate to HDFS HDFS provides a DT, which CLI passes to the Flink cluster Cluster is able to access HDFS files on behalf of the user Limitations YARN mode only Not useful to non-Hadoop services, e.g. Kafka. Note: Still supported TM DATA AKKA JM CLI WEB BROWSER KAFKA HDFS ZK HTTP Flink Cluster delegation token

4 Kerberos Authentication Support
“Cluster-Level Kerberos Identity” Keytab-based Shared by all jobs, not job-specific Enables Kerberos authentication Data Sources and Sinks (HDFS, Kafka…) State Backends (ZooKeeper…) Protects state data ACL on znodes, files Supported in standalone and YARN deployment modes TM DATA AKKA JM CLI WEB BROWSER KAFKA HDFS ZK HTTP Flink Cluster keytab

5 Service-Level Authorization
“Restrict access to your Flink cluster” Protects all endpoints: Akka System (control path) Intra-Cluster Data Transfer Web UI Blob Transfer (JARs…) Simple shared secret Configured or generated Stored on client (~/.flink/…) Stored in cluster Supported in standalone and YARN TM DATA AKKA JM CLI WEB BROWSER KAFKA HDFS ZK HTTP Flink Cluster keytab secret

6 Transport-Level Security (SSL/TLS)
“SSL for all connections” May be enabled on a per-endpoint basis WebUI is problematic Supported in standalone and YARN TM DATA AKKA JM CLI WEB BROWSER KAFKA HDFS ZK HTTPS Flink Cluster keytab secret TLS cert(s)

7 Demo

8 Configuration Configure Kerberos Identity:
security.enabled: true security.keytab: /path/to/keytab security.principal: Configure Service-Level Authorization: security.cookie: (secret cookie) Configure Transport-Level Security: security.ssl.enabled: true security.ssl.keystore: /path/to/keystore security.ssl.keystore-password: (password) security.ssl.key-password: (password) security.ssl.truststore: /path/to/truststore security.ssl.truststore-password: (password) TM DATA AKKA JM CLI WEB BROWSER KAFKA HDFS ZK HTTPS Flink Cluster keytab secret TLS cert(s)

9 Summary

10 Project Status Targeted for: Flink 1.2 Contributors:
Vijay Srinivasaraghavan (Dell EMC) Suresh Krishnappa (Dell EMC) Design Doc: Secure Data Access on Google Docs JIRAs: FLINK Support for Kerberos Authentication with Keytab Credential FLINK Implement Service-Level Authorization FLINK Implement Transport Encryption (SSL/TLS) FLINK Implement State Backend Security Code: Github:

11

Download ppt "Flink Security Enhancements"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
5 Copyright © 2006, Oracle. All rights reserved. Securing Grid Control.

5 Copyright © 2006, Oracle. All rights reserved. Securing Grid Control.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.

11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team.

Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Your storage on the ground; Your files in the cloud.

Your storage on the ground; Your files in the cloud.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Similar presentations

Ads by Google