Enabling security for Apache Flink
Since Flink is essentially just a YARN application, you mainly need to configure service-level security settings for the Flink Dashboard and Gateway in Cloudera Manager. You can configure security during the installation or later in the Configuration menu for Flink.
Kerberos
Kerberos authentication can be enabled for Flink by simply checking the corresponding checkbox in the service wizard while adding the service or later in the service configuration page in Cloudera Manager. The service wizard in Cloudera Manager enables the Kerberos service, and no further action is required to be able to use the authentication with Flink.
For more information about enabling Kerberos authentication using the service wizard, see the Cloudera Manager documentation.
TLS encryption
If AutoTLS is enabled on the cluster, the TLS-related configuration fields are auto-populated for the Flink Dashboard and Gateway. You can set {{CM_AUTO_TLS}} as the value for the security properties when using AutoTLS in Cloudera Manager. If AutoTLS is not used, the settings have to be configured manually.
- Generate TLS certificates
- Configure TLS for Admin Console and Agents
- Enable server certificate verification on Agents
- Configure agent certificate authentication