Posted to issues@flink.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/05/07 20:22:00 UTC

[jira] [Commented] (FLINK-9312) Perform mutual authentication during SSL handshakes

    [ https://issues.apache.org/jira/browse/FLINK-9312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466431#comment-16466431 ] 

ASF GitHub Bot commented on FLINK-9312:
---------------------------------------

GitHub user StephanEwen opened a pull request:

    https://github.com/apache/flink/pull/5966

    [FLINK-9312] [security] Add mutual authentication for RPC and data plane

    ## What is the purpose of the change
    
    Currently, the Flink processes use encrypted connections via SSL:
      - Data exchange TM - TM
      - RPC JM - TM
      - Blob Service JM - TM
    
      - (Optionally to ZooKeeper and connectors, this is connector specific and not in scope of this change)
    
    However, the server side always accepts any client to build up the connection, meaning the connections are not strongly authenticated. Activating SSL mutual authentication strengthens this significantly - only processes that have access to the same certificate can connect.
    
    ## Brief change log
    
      - Activate mutual auth in akka (via akka config)
      - Activate mutual auth in Netty for data shuffles via `SSLContext` and `SSLEngine` parameters
    
    ## Verifying this change
    
      - Adds a test to the `NettyClientServerSslTest`
    
    ## Does this pull request potentially affect one of the following parts:
    
      - Dependencies (does it add or upgrade a dependency): (yes / **no**)
      - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
      - The serializers: (yes / **no** / don't know)
      - The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
      - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
      - The S3 file system connector: (yes / **no** / don't know)
    
    ## Documentation
    
      - Does this pull request introduce a new feature? (yes / **no**)
      - If yes, how is the feature documented? (**not applicable** / docs / JavaDocs / not documented)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/StephanEwen/incubator-flink mutual_auth

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5966.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5966
    
----
commit 8bceb03d5653c94247b72d6256f4e9e37b036e35
Author: Stephan Ewen <se...@...>
Date:   2018-05-07T17:44:33Z

    [FLINK-9313] [security] Activate mutual authentication for RPC/akka

commit 59b017580d30904418e0867ac122a8183dc5db70
Author: Stephan Ewen <se...@...>
Date:   2018-05-07T19:28:41Z

    [FLINK-9314] [security] Add mutual authentication for Netty / TaskManager's data plane

----


> Perform mutual authentication during SSL handshakes
> ---------------------------------------------------
>
>                 Key: FLINK-9312
>                 URL: https://issues.apache.org/jira/browse/FLINK-9312
>             Project: Flink
>          Issue Type: New Feature
>          Components: Security
>            Reporter: Stephan Ewen
>            Priority: Major
>             Fix For: 1.6.0
>
>
> Currently, the Flink processes use encrypted connections via SSL:
>   - Data exchange TM - TM
>   - RPC JM - TM
>   - Blob Service JM - TM
> However, the server side always accepts any client to build up the connection, meaning the connections are not strongly authenticated.
> Activating SSL mutual authentication solves that - only processes that have the same certificate can connect.
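The change log above says mutual authentication on the Netty data plane is enabled through `SSLContext` and `SSLEngine` parameters. The following is an added illustration of what that means on the JSSE level; it is not code from the pull request or from Flink. The keystore and truststore paths and the password are placeholders, and the keystore is assumed to hold the process's own key pair while the truststore holds the certificate every peer must present.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

/** Added example (not Flink's code): a server-side SSLEngine that rejects clients without a trusted certificate. */
public final class MutualAuthExample {

    // Placeholders: point these at the deployment's own keystore and truststore.
    static final String KEYSTORE_PATH = "/path/to/keystore.jks";
    static final String TRUSTSTORE_PATH = "/path/to/truststore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext from a keystore (own identity) and a truststore (accepted peers). */
    static SSLContext buildContext(String keystore, String truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystore)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststore)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Server engine. Without setNeedClientAuth(true) the server authenticates itself to the client but
     * accepts any client; with it, the handshake fails unless the client presents a certificate the
     * truststore accepts. setWantClientAuth(true) would only request a certificate, not require it.
     */
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        return engine;
    }

    /** Client engine; the key manager from the same context supplies the client certificate on request. */
    static SSLEngine clientEngine(SSLContext ctx, String peerHost, int peerPort) {
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        return engine;
    }

    /** Configuration check: false means the engine would still accept unauthenticated clients. */
    static boolean requiresClientAuth(SSLEngine engine) {
        return !engine.getUseClientMode() && engine.getNeedClientAuth();
    }

    /** Post-handshake check: true only if the peer actually presented a certificate chain. */
    static boolean peerAuthenticated(SSLEngine engine) {
        try {
            Certificate[] chain = engine.getSession().getPeerCertificates();
            return chain != null && chain.length > 0;
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(KEYSTORE_PATH, TRUSTSTORE_PATH, PASSWORD);
        SSLEngine server = serverEngine(ctx);
        System.out.println("server requires client auth: " + requiresClientAuth(server));
    }
}
```

The useful property to verify in a test like the one the PR adds to `NettyClientServerSslTest` is the negative case: a client whose key manager holds no certificate accepted by the server's truststore must fail the handshake rather than connect, since `setNeedClientAuth(true)` only helps if the truststore is not also permissive.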



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)