Enabling security for Apache Flink

Since Flink is essentially just a YARN application, you mainly need to configure service level security settings for the Flink Dashboard and Gateway in Cloudera Manager. You can configure security during the installation or later in the Configuration menu for Flink.

Kerberos

Kerberos authentication can be enabled for Flink by simply checking the corresponding checkbox in the service wizard while adding the service or later in the service configuration page in Cloudera Manager. The service wizard in Cloudera Manager enables the Kerberos service, and no further action is required to be able to use the authentication with Flink.

For more information about enabling Kerberos authentication using the service wizard, see the Cloudera Manager documentation.

TLS encryption

If AutoTLS is enabled on the cluster, the TLS-related configuration fields are auto-populated for the Flink Dashboard and Gateway. You can set {{CM_AUTO_TLS}} as value for the security properties when using AutoTLS in Cloudera Manager. If AutoTLS is not used, the settings have to be configured manually.

Ensure that you have set up TLS for Cloudera Manager:
  • Generate TLS certificates
  • Configure TLS for Admin Console and Agents
  • Enable server certificate verification on Agents
  • Configure agent certificate authentication
  • Configure agent certificate authentication
  1. Click Flink service on your Cluster.
  2. Click the Configuration tab.
  3. Select Category > Security.
    All the security related properties are displayed.
  4. Edit the security properties according to the cluster configuration.
    Security property Description
    Enable TLS/SSL for Flink Dashboard Select the checkbox to enable TLS/SSL for Flink Dashboard to encrypt communication between the clients and Flink Dashboard.
    Flink Dashboard TLS/SSL Server JKS Keystore File Location Path to the keystore file containing the server certificate and private key used for TLS/SSL. The keystore must be in JKS format.
    Flink Dashboard TLS/SSL Server JKS Keystore File Password Password for the Flink Dashboard JKS keystore file.
    Flink Dashboard TLS/SSL Server JKS Keystore Key Password Password that protects the private key contained in the JKS keystore.
    Flink Dashboard TLS/SSL Client Trust Store File Location of the truststore file on disk. The truststore file must be in JKS format. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Flink Dashboard TLS/SSL Client Trust Store Password Password for the Flink Dashboard TLS/SSL Certificate Trust Store File. Provides optional integrity checking of the file. This password is not required to access the trust store, this field can be left blank.
    Gateway TLS/SSL Client Trust Store File Location of the truststore file on disk. The truststore file must be in JKS format. This is used when Gateway is the client in a TLS/SSL connection. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    Gateway TLS/SSL Client Trust Store Password The password for the Gateway TLS/SSL Certificate Trust Store. Provides optional integrity checking of the file. This password is not required to access the trust store, this field can be left blank.
  5. Click Save Changes.