Hi SeungMin,

The FIP looks good to me. The minor question I am curious about is how to use Kerberos authentication in Flink SQL?

Best,
Hongshun

On Fri, Sep 5, 2025 at 7:17 PM SeungMin Lee <[email protected]> wrote:

> Hi Hongshun Wang,
>
> Thanks for the update - no worries about the delay. Whenever you have time, I'd appreciate your comments.
>
> Best regards,
> SeungMin Lee
>
> On Thu, Aug 28, 2025 at 9:12 PM, Hongshun Wang <[email protected]> wrote:
>
>> Hi SeungMin,
>>
>> Thank you for your excellent work on this proposal. The community has a strong demand for this functionality. I sincerely apologize for the delay in reviewing your FIP because I have been busy recently. I will do it next week.
>>
>> Best
>> Hongshun
>>
>> > On Aug 24, 2025, at 15:25, SeungMin Lee <[email protected]> wrote:
>> >
>> > Hi, dev
>> >
>> > I have updated the FIP-7 proposal based on the feedback. The document has been expanded to include:
>> >
>> > 1. A plan for securing both *external (client-to-server)* and *internal (coordinator↔tablet server)* communications with Kerberos.
>> > 2. An enhanced test plan that includes *integration tests using a MiniKDC*, a standard approach also used by projects like Kafka and Pulsar.
>> >
>> > [1]: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=373885589
>> >
>> > Best regards,
>> > SeungMin Lee
>> >
>> > On Tue, Jul 22, 2025 at 2:12 AM, SeungMin Lee <[email protected]> wrote:
>> >
>> >> Hi Wang Chen,
>> >>
>> >> Yes, Kafka and Pulsar both support internal authentication, and we believe Fluss also should support the same. We're starting with client-server Kerberos auth first, and plan to add intra-cluster authentication (e.g., coordinator ↔ tablet) as future work, which will also be added in the proposal FIP-7.
>> >>
>> >> Best regards,
>> >> SeungMin Lee
>> >>
>> >> On 2025/07/21 05:43:28 Wang Cheng wrote:
>> >>> Hi Lee,
>> >>>
>> >>> How about authentication between the coordinator and tablet servers? Do we have an intra-cluster membership encryption/authentication plan?
>> >>>
>> >>> Regards,
>> >>> Cheng
>> >>>
>> >>> ------------------ Original ------------------
>> >>> From: "dev" <[email protected]>;
>> >>> Date: Sun, Jul 20, 2025 03:49 PM
>> >>> To: "dev"<[email protected]>;
>> >>> Subject: [DISCUSS] FIP-7: Support Kerberos Authentication via SASL/GSSAPI
>> >>>
>> >>> Hi all,
>> >>>
>> >>> Currently, Fluss supports SASL/PLAIN authentication and ACL-based authorization, but lacks support for Kerberos-based authentication. This makes it difficult for enterprises with existing Kerberos infrastructure to adopt Fluss securely.
>> >>>
>> >>> This proposal introduces a new SASL mechanism, GSSAPI, to enable Kerberos-based mutual authentication between Fluss clients and servers. The implementation leverages Java's built-in GSSAPI and JAAS APIs to validate Kerberos service tickets, and integrates with Fluss’s pluggable authentication framework and ACL-based authorization layer. Only external client-server communication is affected; internal RPCs (e.g., coordinator <-> tablet server) remain unauthenticated by default.
>> >>>
>> >>> This is my first FIP proposal, so any feedback, suggestions, or comments — big or small — are truly welcome.
>> >>> While I may not know all the answers immediately, I’ll do my best to study, research, and respond thoughtfully.
>> >>>
>> >>> [1]: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=373885589
>> >>>
>> >>> Best regards,
>> >>> SeungMin Lee
