Accessing the Flink Web UI

LakeSail supports authenticated access to the Flink web UI. This allows you to monitor your Flink jobs easily, without the extra efforts to manage network connectivity or enforce access control. At a high level, accessing the web UI involves the following steps.

1. The user makes a request to the API server to generate a pre-signed URL for a Flink application or session. The pre-signed URL is typically valid for a short period of time (e.g. from a few seconds to a few minutes). The URL validity duration is configurable when generating the pre-signed URL.
2. The user either keeps the URL to themselves or shares it with others. Anyone with the pre-signed URL can use it to obtain authentication cookies and store them in the browser. The authentication cookies are typically valid for a longer period of time (e.g. a few hours). The cookie validity duration is configurable when generating the pre-signed URL.
3. When visiting the Flink web UI, the browser sends the authentication cookies along with the request. The Flink web UI address is actually a proxy endpoint in the API server. The API server verifies the cookies and forwards the request to the Flink service running in the Kubernetes cluster.

Creating a Pre-signed URL

• For Flink applications, you can use the CreateFlinkApplicationUrl operation to create a pre-signed URL for accessing the Flink web UI. Here is an example.

  POST /api/flink/v1/workspaces/{{ws}}/applications/{{app}}/urls
  
  {
    "expiresInSeconds": 5,
    "webSessionDurationInSeconds": 600
  }

• For Flink sessions, you can use the CreateFlinkSessionUrl operation to create a pre-signed URL for accessing the Flink web UI. Here is an example.

  POST /api/flink/v1/workspaces/{{ws}}/sessions/{{session}}/urls
  
  {
    "expiresInSeconds": 5,
    "webSessionDurationInSeconds": 600
  }

The expiresInSeconds field specifies the duration that the pre-signed URL is valid. The webSessionDurationInSeconds field specifies the duration of the Flink web UI session represented by authentication cookies.

The response of the Flink URL creation request contains a pre-signed URL that you can use to authenticate to the Flink web UI from your browser.

{
  "url": "/auth/proxy/flink/...?token=..."
}

The URL will expires after the duration specified in the expiresInSeconds field in the URL creation request.

INFO

The pre-signed URL is only valid for a short period of time. You should not store the URL in your application and use it later. Instead, you should create a new URL every time you need to access the Flink web UI.

WARNING

Please make sure to share the pre-signed URL with the intended users only. Anyone with the URL can access the Flink web UI. For extra safety, you can set a small value for the expiresInSeconds field in the URL creation request.

Accessing the Flink Web UI via the API Server Proxy

After generating the pre-signed URL, anyone with the URL can paste it in the browser. If the URL is valid, the response status code will be 302 which will redirect the user to the Flink web UI address. The response will also contain Set-Cookie HTTP headers to instruct the browser to set a few cookies for user authentication. The cookies will expire after the duration specified in the webSessionDurationInSeconds field in the URL creation request.

Access to the Flink web UI is proxyed through the API server. The API server verifies the authentication cookies and forwards the request to the Flink service running in the Kubernetes cluster.

INFO

• For Flink applications, the Flink web UI is available at the following location: /proxy/flink/v1/workspaces/{ws}/applications/{app}
• For Flink sessions, the Flink web UI is available at the following location: /proxy/flink/v1/workspaces/{ws}/sessions/{session}

Note that access to the locations above requires the presence of authentication cookies (generated after visiting a pre-signed URL).