Flink / FLINK-10497

More fine grained control over access to REST endpoints

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.7.0
    • Fix Version/s: None
    • Component/s: Runtime / REST
    • Labels: None

      Description

      At the moment, the REST endpoint can be secured by configuring mutual authentication. This, however, defines the access for all available REST calls (reads as well as writes). In some situations, it is desired that only the write calls are access-restricted whereas the read accesses are permitted (e.g. no job submission but the web UI can display the cluster state).

      A solution could be to specify ACLs for the different REST calls. This would allow disabling state-changing operations like cancelling a job from the web UI, for example. Moreover, it could allow specifying different rights for different users.

      An alternative could be to separate the REST calls relevant for the web UI (read operations) from the cluster state changing REST calls. By allowing different security configurations (e.g. endpoint with read operations is not secured whereas the endpoint with write operations is secured) one could effectively achieve the same.
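The per-call ACL idea from the description, sketched as an added example; it is not part of the issue and not Flink code. The rule format, the principal names and the sample request paths are constructed for illustration, and the principal is assumed to be the subject of a client certificate already verified by mutual TLS (None when no certificate was presented).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Methods treated as read-only; this only holds if no GET handler changes state.
READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
ANYONE = "*"  # marker: rule also applies to unauthenticated callers


@dataclass(frozen=True)
class Rule:
    methods: frozenset      # HTTP methods the rule covers
    path_glob: str          # shell-style pattern matched against the path
    principals: frozenset   # allowed certificate subjects, or {ANYONE}


# Constructed policy: open reads for the web UI, restricted writes.
POLICY = (
    Rule(READ_METHODS, "/*", frozenset({ANYONE})),
    Rule(frozenset({"PATCH"}), "/jobs/*", frozenset({"CN=ops"})),
    Rule(frozenset({"POST"}), "/jars/*", frozenset({"CN=ops", "CN=deployer"})),
)


def is_allowed(method: str, path: str, principal: Optional[str] = None,
               policy=POLICY) -> bool:
    """Return True if the first matching rule admits the caller.

    Requests matching no rule are denied, so a newly added write
    endpoint stays closed until a rule names it explicitly.
    """
    method = method.upper()
    path = path.split("?", 1)[0]  # ignore the query string when matching
    for rule in policy:
        if method in rule.methods and fnmatchcase(path, rule.path_glob):
            if ANYONE in rule.principals:
                return True
            return principal is not None and principal in rule.principals
    return False  # default deny


if __name__ == "__main__":
    # Constructed sample requests: (method, path, certificate subject)
    for req in [("GET", "/jobs/overview", None),
                ("PATCH", "/jobs/abc123", None),
                ("PATCH", "/jobs/abc123", "CN=ops"),
                ("POST", "/jars/upload", "CN=deployer")]:
        print(req, "->", "allow" if is_allowed(*req) else "deny")
```

Classifying by HTTP method is only sound when every read handler is free of side effects; any state-changing call exposed over GET would need its own rule placed before the open read rule.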

              People

              • Assignee: Unassigned
              • Reporter: Till Rohrmann (till.rohrmann)