You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@flink.apache.org by tr...@apache.org on 2018/08/08 17:01:40 UTC
[flink] branch master updated (32e0d7c -> 53cf8f2)
This is an automated email from the ASF dual-hosted git repository.
trohrmann pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/flink.git.
from 32e0d7c [FLINK-9867] Add release notes file for Flink 1.7
new 31fbcfa [hotfix] [security] Fix error message when RestClientConfiguration cannot be created due to wrong SSL config.
new 53cf8f2 [FLINK-10069] [docs] Update SSL docs to reflect internal vs. external communication
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
docs/fig/ssl_internal_external.svg | 336 +++++++++++++++++++++
docs/ops/security-ssl.md | 274 +++++++++++------
.../runtime/rest/RestClientConfiguration.java | 2 +-
3 files changed, 527 insertions(+), 85 deletions(-)
create mode 100755 docs/fig/ssl_internal_external.svg
[flink] 02/02: [FLINK-10069] [docs] Update SSL docs to reflect
internal vs. external communication
Posted by tr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
trohrmann pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/flink.git
commit 53cf8f20c90cb9bc0b3af93a4755933d599e2aca
Author: Stephan Ewen <se...@apache.org>
AuthorDate: Mon Aug 6 02:10:22 2018 +0200
[FLINK-10069] [docs] Update SSL docs to reflect internal vs. external communication
This closes #6507.
---
docs/fig/ssl_internal_external.svg | 336 +++++++++++++++++++++++++++++++++++++
docs/ops/security-ssl.md | 274 ++++++++++++++++++++----------
2 files changed, 526 insertions(+), 84 deletions(-)
diff --git a/docs/fig/ssl_internal_external.svg b/docs/fig/ssl_internal_external.svg
new file mode 100755
index 0000000..04262d2
--- /dev/null
+++ b/docs/fig/ssl_internal_external.svg
@@ -0,0 +1,336 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ width="831.19"
+ height="364.59875"
+ id="svg2"
+ version="1.1"
+ inkscape:version="0.48.5 r10040">
+ <defs
+ id="defs4" />
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="0.35"
+ inkscape:cx="514.76354"
+ inkscape:cy="76.03094"
+ inkscape:document-units="px"
+ inkscape:current-layer="layer1"
+ showgrid="false"
+ fit-margin-top="0"
+ fit-margin-left="0"
+ fit-margin-right="0"
+ fit-margin-bottom="0"
+ inkscape:window-width="1920"
+ inkscape:window-height="1178"
+ inkscape:window-x="-8"
+ inkscape:window-y="-8"
+ inkscape:window-maximized="1" />
+ <metadata
+ id="metadata7">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1"
+ transform="translate(139.76354,-243.79437)">
+ <g
+ id="g3138"
+ transform="translate(-199.38854,144.82812)">
+ <path
+ id="path3140"
+ d="m 649.32426,123.89336 c 0,-6.97673 5.66391,-12.67815 12.67816,-12.67815 l 148.1244,0 c 7.01425,0 12.67816,5.70142 12.67816,12.67815 l 0,50.75015 c 0,7.01425 -5.66391,12.67816 -12.67816,12.67816 l -148.1244,0 c -7.01425,0 -12.67816,-5.66391 -12.67816,-12.67816 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3142"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="144.70425"
+ x="711.15765"
+ xml:space="preserve">Task </text>
+ <text
+ id="text3144"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="171.71098"
+ x="687.45178"
+ xml:space="preserve">Manager</text>
+ <path
+ id="path3146"
+ d="m 649.32426,256.45139 c 0,-7.01425 5.66391,-12.71567 12.67816,-12.71567 l 148.1244,0 c 7.01425,0 12.67816,5.70142 12.67816,12.71567 l 0,50.71263 c 0,7.01425 -5.66391,12.71567 -12.67816,12.71567 l -148.1244,0 c -7.01425,0 -12.67816,-5.70142 -12.67816,-12.71567 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3148"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="277.28275"
+ x="711.15765"
+ xml:space="preserve">Task </text>
+ <text
+ id="text3150"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="304.28949"
+ x="687.45178"
+ xml:space="preserve">Manager</text>
+ <path
+ id="path3152"
+ d="m 649.32426,389.12194 c 0,-7.01425 5.66391,-12.67816 12.67816,-12.67816 l 148.1244,0 c 7.01425,0 12.67816,5.66391 12.67816,12.67816 l 0,50.75014 c 0,7.01425 -5.66391,12.67816 -12.67816,12.67816 l -148.1244,0 c -7.01425,0 -12.67816,-5.66391 -12.67816,-12.67816 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3154"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="409.86127"
+ x="711.15765"
+ xml:space="preserve">Task </text>
+ <text
+ id="text3156"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="436.86801"
+ x="687.45178"
+ xml:space="preserve">Manager</text>
+ <path
+ id="path3158"
+ d="m 330.47608,331.77015 c 0,-6.15153 4.98874,-11.14027 11.14028,-11.14027 l 126.68781,0 c 6.15153,0 11.12152,4.98874 11.12152,11.14027 l 0,44.48608 c 0,6.13278 -4.96999,11.12153 -11.12152,11.12153 l -126.68781,0 c -6.15154,0 -11.14028,-4.98875 -11.14028,-11.12153 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3160"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="349.87692"
+ x="359.48764"
+ xml:space="preserve">Resource</text>
+ <text
+ id="text3162"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="373.8829"
+ x="361.88824"
+ xml:space="preserve">Manager</text>
+ <path
+ id="path3164"
+ d="m 330.47608,184.84605 c 0,-6.13278 4.98874,-11.12152 11.14028,-11.12152 l 126.68781,0 c 6.15153,0 11.12152,4.98874 11.12152,11.12152 l 0,44.48608 c 0,6.15153 -4.96999,11.12152 -11.12152,11.12152 l -126.68781,0 c -6.15154,0 -11.14028,-4.96999 -11.14028,-11.12152 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3166"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="202.97752"
+ x="388.14163"
+ xml:space="preserve">Job</text>
+ <text
+ id="text3168"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="226.98351"
+ x="361.8851"
+ xml:space="preserve">Manager</text>
+ <path
+ id="path3170"
+ d="m 315.00348,164.49723 173.48071,0 0,230.68247 -173.48071,0 z"
+ style="fill:none;stroke:#000000;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3172"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="418.32153"
+ x="334.40732"
+ xml:space="preserve">Master Process</text>
+ <path
+ id="path3174"
+ d="m 730.41947,194.37342 0,39.87244 -1.87547,0 0,-39.87244 z m 4.27606,32.85819 -5.2138,8.88971 -5.17629,-8.88971 c -0.26256,-0.45011 -0.11253,-1.05026 0.33759,-1.31283 0.45011,-0.26256 1.01275,-0.075 1.27531,0.33759 l 4.3886,7.50187 -1.6129,0 4.38859,-7.50187 c 0.22506,-0.41261 0.8252,-0.60015 1.27532,-0.33759 0.45011,0.26257 0.60015,0.86272 0.33758,1.31283 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3176"
+ d="m 743.54774,196.21138 0,39.90994 -1.87547,0 0,-39.90994 z m -6.11403,7.05176 5.17629,-8.88972 5.2138,8.88972 c 0.26257,0.45011 0.11253,1.01275 -0.33758,1.27532 -0.45011,0.26256 -1.05026,0.11252 -1.27532,-0.33759 l -4.38859,-7.50187 1.6129,0 -4.38859,7.50187 c -0.26257,0.45011 -0.82521,0.60015 -1.27532,0.33759 -0.45011,-0.26257 -0.60015,-0.82521 -0.33759,-1.27532 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3178"
+ d="m 730.41947,326.89394 0,39.87243 -1.87547,0 0,-39.87243 z m 4.27606,32.85818 -5.2138,8.88972 -5.17629,-8.88972 c -0.26256,-0.45011 -0.11253,-1.01275 0.33759,-1.27531 0.45011,-0.26257 1.01275,-0.11253 1.27531,0.33758 l 4.3886,7.50187 -1.6129,0 4.38859,-7.50187 c 0.22506,-0.45011 0.8252,-0.60015 1.27532,-0.33758 0.45011,0.26256 0.60015,0.8252 0.33758,1.27531 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3180"
+ d="m 743.54774,328.7694 0,39.87244 -1.87547,0 0,-39.87244 z m -6.11403,7.01425 5.17629,-8.88971 5.2138,8.88971 c 0.26257,0.45011 0.11253,1.01275 -0.33758,1.27532 -0.45011,0.26257 -1.05026,0.11253 -1.27532,-0.33758 l -4.38859,-7.50187 1.6129,0 -4.38859,7.50187 c -0.26257,0.45011 -0.82521,0.60015 -1.27532,0.33758 -0.45011,-0.26257 -0.60015,-0.82521 -0.33759,-1.27532 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3182"
+ d="m 614.32804,151.98786 -103.30073,62.04046 -0.93773,-1.6129 103.26322,-62.04046 z m -95.08618,62.07797 -10.27756,0.11253 4.95123,-9.03975 c 0.26256,-0.45012 0.8252,-0.60015 1.27532,-0.33759 0.45011,0.22506 0.60015,0.7877 0.37509,1.27532 l 0,0 -4.20105,7.6144 -0.8252,-1.38785 8.70217,-0.11253 c 0.48762,-0.0375 0.93773,0.3751 0.93773,0.90023 0,0.52513 -0.4126,0.93773 -0.93773,0.97524 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3184"
+ d="m 620.74214,166.24141 -103.30073,62.07797 -0.93774,-1.6129 103.26323,-62.04046 z m -9.18979,-1.6129 10.31507,-0.15003 -4.95123,9.03975 c -0.26257,0.45011 -0.82521,0.63766 -1.27532,0.37509 -0.45011,-0.26256 -0.63766,-0.8252 -0.37509,-1.27532 l 4.16354,-7.61439 0.8252,1.38784 -8.66466,0.11253 c -0.52513,0 -0.93773,-0.4126 -0.93773,-0.93773 -0.0375,-0.48762 0.37509,-0.93774 0.90022,-0.93774 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3186"
+ d="m 629.29427,273.29308 -120.48001,0 0,-1.87546 120.48001,0 z m -113.46576,4.23856 -8.88972,-5.17629 8.88972,-5.17629 c 0.45011,-0.26256 1.01275,-0.11253 1.27531,0.33759 0.26257,0.45011 0.11253,1.01275 -0.33758,1.27531 l 0,0 -7.50187,4.3886 0,-1.65042 7.50187,4.3886 c 0.45011,0.26256 0.60015,0.8252 0.33758,1.27532 -0.26256,0.45011 -0.8252,0.60015 -1.27531,0.33758 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3188"
+ d="m 627.41881,288.93448 -120.48002,0 0,-1.87547 120.48002,0 z m -7.01425,-6.15153 8.88971,5.2138 -8.88971,5.17629 c -0.45011,0.26256 -1.01275,0.11252 -1.27532,-0.33759 -0.26256,-0.45011 -0.11253,-1.01275 0.33758,-1.27532 l 7.50187,-4.38859 0,1.6129 -7.50187,-4.35108 c -0.45011,-0.26257 -0.60014,-0.86272 -0.33758,-1.31283 0.26257,-0.45011 0.82521,-0.60015 1.27532,-0.33758 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3190"
+ d="m 620.25452,393.28548 -104.351,-60.24001 0.93774,-1.6129 104.35099,60.24001 z m -100.375,-53.03822 -5.13879,-8.92722 10.31507,-0.075 c 0.52514,0 0.93774,0.4126 0.93774,0.93774 0,0.52513 -0.4126,0.93773 -0.93774,0.93773 l 0,0 -8.66465,0.0375 0.78769,-1.38785 4.31358,7.53938 c 0.26256,0.45011 0.11252,1.01275 -0.33759,1.27532 -0.45011,0.26256 -1.05026,0.11253 -1.27531,-0.33759 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3192"
+ d="m 610.87718,405.8136 -104.35099,-60.24001 0.93773,-1.6129 104.351,60.24001 z m -3.03825,-8.8147 5.10127,8.96474 -10.27756,0.0375 c -0.52513,0 -0.93774,-0.41261 -0.93774,-0.93774 0,-0.52513 0.41261,-0.93773 0.93774,-0.93773 l 8.66466,-0.0375 -0.7877,1.38784 -4.31357,-7.53937 c -0.26257,-0.45012 -0.11253,-1.01276 0.33758,-1.27532 0.45011,-0.26257 1.01275,-0.11253 1.27532,0.33758 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3194"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="254.02786"
+ x="506.90329"
+ xml:space="preserve">RPC / BLOB</text>
+ <text
+ id="text3196"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="222.93466"
+ x="772.27954"
+ xml:space="preserve">Data Plane</text>
+ <text
+ id="text3198"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="355.45471"
+ x="772.27954"
+ xml:space="preserve">Data Plane</text>
+ <path
+ id="path3200"
+ d="m 300.93747,462.86531 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0, [...]
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3202"
+ d="m 293.13553,229.20085 0,101.91289 29.68864,0 0,-101.91289 -29.68864,0 z"
+ style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3204"
+ d="m 293.13553,229.20085 29.68864,0 0,101.91289 -29.68864,0 z"
+ style="fill:none;stroke:#000000;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3206"
+ style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Calibri"
+ y="302.33319"
+ x="315.52737"
+ xml:space="preserve">REST</text>
+ <text
+ id="text3208"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="130.10928"
+ x="316.13495"
+ xml:space="preserve">Internal</text>
+ <text
+ id="text3210"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="130.10928"
+ x="200.44704"
+ xml:space="preserve">External</text>
+ <path
+ id="path3212"
+ d="m 60.258762,197.50545 c 0,-4.50112 3.647784,-8.15828 8.148905,-8.15828 l 119.664183,0 c 4.5105,0 8.15829,3.65716 8.15829,8.15828 l 0,32.61438 c 0,4.50112 -3.64779,8.1489 -8.15829,8.1489 l -119.664183,0 c -4.501121,0 -8.148905,-3.64778 -8.148905,-8.1489 z"
+ style="fill:none;stroke:#7f7f7f;stroke-width:1.24718571px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3214"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="221.69411"
+ x="87.575058"
+ xml:space="preserve">Browser</text>
+ <path
+ id="path3216"
+ d="m 60.258762,260.51178 c 0,-4.5105 3.657161,-8.17704 8.177037,-8.17704 l 119.617301,0 c 4.5105,0 8.17704,3.66654 8.17704,8.17704 l 0,32.71752 c 0,4.51988 -3.66654,8.17704 -8.17704,8.17704 l -119.617301,0 c -4.519876,0 -8.177037,-3.65716 -8.177037,-8.17704 z"
+ style="fill:none;stroke:#7f7f7f;stroke-width:1.24718571px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3218"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="284.72891"
+ x="111.5811"
+ xml:space="preserve">CLI</text>
+ <path
+ id="path3220"
+ d="m 60.258762,323.49934 c 0,-4.51987 3.657161,-8.17704 8.177037,-8.17704 l 119.617301,0 c 4.51987,0 8.17704,3.65717 8.17704,8.17704 l 0,32.7269 c 0,4.51988 -3.65717,8.17704 -8.17704,8.17704 l -119.617301,0 c -4.519876,0 -8.177037,-3.65716 -8.177037,-8.17704 z"
+ style="fill:none;stroke:#7f7f7f;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3222"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="347.7637"
+ x="103.17585"
+ xml:space="preserve">Tools</text>
+ <path
+ id="path3224"
+ d="m 273.97763,266.09129 -59.94931,0 0,-1.87547 59.94931,0 z m -52.92569,4.24793 -8.88971,-5.18566 8.88971,-5.18567 c 0.45012,-0.26257 1.02213,-0.11253 1.2847,0.33758 0.26257,0.44074 0.11253,1.02213 -0.33758,1.2847 l -7.50187,4.36984 0,-1.62228 7.50187,4.37921 c 0.45011,0.26257 0.60015,0.83459 0.33758,1.2847 -0.26257,0.45011 -0.83458,0.60015 -1.2847,0.33758 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.00937734px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <path
+ id="path3226"
+ d="m 272.13029,295.94873 -59.95868,0 0,-1.87547 59.95868,0 z m -7.033,-6.13278 8.88972,5.19504 -8.88972,5.17629 c -0.45011,0.26257 -1.0315,0.11253 -1.29407,-0.33758 -0.24381,-0.45011 -0.0938,-1.01275 0.33758,-1.27532 l 7.50187,-4.36984 0,1.61291 -7.50187,-4.36984 c -0.43135,-0.26257 -0.58139,-0.84396 -0.33758,-1.29408 0.26257,-0.45011 0.84396,-0.60014 1.29407,-0.33758 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.01875467px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3228"
+ style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="288.96088"
+ x="218.86954"
+ xml:space="preserve">HTTP</text>
+ <path
+ id="path3230"
+ d="m 330.47608,258.3081 c 0,-6.15153 4.98874,-11.12152 11.14028,-11.12152 l 126.68781,0 c 6.15153,0 11.12152,4.96999 11.12152,11.12152 l 0,44.48608 c 0,6.15154 -4.96999,11.12152 -11.12152,11.12152 l -126.68781,0 c -6.15154,0 -11.14028,-4.96998 -11.14028,-11.12152 z"
+ style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text3232"
+ style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+ y="288.43024"
+ x="351.6857"
+ xml:space="preserve">Dispatcher</text>
+ </g>
+ </g>
+</svg>
diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index 1a3c381..ed5f4d7 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -22,16 +22,111 @@ specific language governing permissions and limitations
under the License.
-->
-This page provides instructions on how to enable SSL for the network communication between different Flink components.
+This page provides instructions on how to enable TLS/SSL authentication and encryption for network communication with and between Flink processes.
-## SSL Configuration
+## Internal and External Connectivity
-SSL can be enabled for all network communication between Flink components. SSL keystores and truststore has to be deployed on each Flink node and configured (conf/flink-conf.yaml) using keys in the security.ssl.* namespace (Please see the [configuration page](config.html) for details). SSL can be selectively enabled/disabled for different transports using the following flags. These flags are only applicable when security.ssl.enabled is set to true.
+When securing network connections between machines processes through authentication and encryption, Apache Flink differentiates between *internal* and *external* connectivity.
+*Internal Connectivity* refers to all connections made between Flink processes. These connections run Flink custom protocols. Users never connect directly to internal connectivity endpoints.
+*External / REST Connectivity* endpoints refers to all connections made from the outside to Flink processes. This includes the web UI and REST commands to
+start and control running Flink jobs/applications, including the communication of the Flink CLI with the JobManager / Dispatcher.
-* **taskmanager.data.ssl.enabled**: SSL flag for data communication between task managers
-* **blob.service.ssl.enabled**: SSL flag for blob service client/server communication
-* **akka.ssl.enabled**: SSL flag for akka based control connection between the Flink client, jobmanager and taskmanager
-* **jobmanager.web.ssl.enabled**: Flag to enable https access to the jobmanager's web frontend
+For more flexibility, security for internal and external connectivity can be enabled and configured separately.
+
+<div style="text-align: center">
+ <img src="{{ site.baseurl }}/fig/ssl_internal_external.svg" alt="Internal and External Connectivity" style="width:75%; padding-top:10px; padding-bottom:10px;" />
+</div>
+
+#### Internal Connectivity
+
+Internal connectivity includes:
+
+ - Control messages: RPC between JobManager / TaskManager / Dispatcher / ResourceManager
+ - The data plane: The connections between TaskManagers to exchange data during shuffles, broadcasts, redistribution, etc.
+ - The Blob Service (distribution of libraries and other artifacts).
+
+All internal connections are SSL authenticated and encrypted. The connections use **mutual authentication**, meaning both server
+and client side of each connection need to present the certificate to each other. The certificate acts effectively as a shared
+secret.
+
+A common setup is to generate a dedicated certificate (may be self-signed) for a Flink deployment. The certificate for internal communication
+is not needed by any other party to interact with Flink, and can be simply added to the container images, or attached to the YARN deployment.
+
+*Note: Because internal connections are mutually authenticated with shared certificates, Flink can skip hostname verification. This makes container-based setups easier.*
+
+#### External / REST Connectivity
+
+All external connectivity is exposed via an HTTP/REST endpoint, used for example by the web UI and the CLI:
+
+ - Communication with the *Dispatcher* to submit jobs (session clusters)
+ - Communication with the *JobManager* to inspect and modify a running job/application
+
+The REST endpoints can be configured to require SSL connections. The server will, however, accept connections from any client, meaning the REST endpoint does not authenticate the client.
+
+If authentication of connections to the REST endpoint is required, we recommend to deploy a "side car proxy":
+Bind the REST endpoint to the loopback interface (or the pod-local interface in Kubernetes) and start a REST proxy that authenticates and forwards the requests to Flink.
+Examples for proxies that Flink users have deployed are [Envoy Proxy](https://www.envoyproxy.io/) or
+[NGINX with MOD_AUTH](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
+
+The rationale behind delegating authentication to a proxy is that such proxies offer many more authentication options than the Flink project could reasonably implement itself,
+and thus offer better integration into existing infrastructures.
+
+
+#### Queryable State
+
+Connections to the queryable state endpoints is currently not authenticated or encrypted.
+
+
+## Configuring SSL
+
+SSL can be enabled separately for *internal* and *external* connectivity:
+
+ - **security.ssl.internal.enabled**: Enable SSL for all *internal* connections.
+ - **security.ssl.rest.enabled**: Enable SSL for *REST / external* connections.
+
+*Note: For backwards compatibility, the **security.ssl.enabled** option still exists and enables SSL for both internal and REST endpoints.*
+
+For internal connectivity, you can optionally disable security for different connection types separately.
+When `security.ssl.internal.enabled` is set to `true`, you can set the following parameters to `false` to disable SSL for that particular connection type:
+
+ - `taskmanager.data.ssl.enabled`: Data communication between TaskManagers
+ - `blob.service.ssl.enabled`: Transport of BLOBs from JobManager to TaskManager
+ - `akka.ssl.enabled`: Akka-based RPC connections between JobManager / TaskManager / ResourceManager
+
+#### Keystores and Truststores
+
+The SSL configuration requires to configure a **keystore** and a **truststore**. The *keystore* contains the public certificate
+(public key) and the private key, while the truststore contains the trusted certificates or the trusted authorities. Both stores
+need to be set up such that the truststore trusts the keystore's certificate.
+
+**Internal Connectivity**
+
+Because internal communication is mutually authenticated, keystore and truststore typically contain the same dedicated certificate.
+The certificate can use wild card hostnames or addresses, because the certificate is expected to be a shared secret and host
+names are not verified. It is even possible to use the same file (the keystore) also as the truststore.
+
+{% highlight yaml %}
+security.ssl.internal.keystore: /path/to/file.keystore
+security.ssl.internal.keystore-password: keystore_password
+security.ssl.internal.key-password: key_password
+security.ssl.internal.truststore: /path/to/file.truststore
+security.ssl.internal.truststore-password: truststore_password
+{% endhighlight %}
+
+**REST Endpoints (external connectivity)**
+
+For REST endpoints, the keystore is used by the server endpoint, and the truststore is used by the REST clients (including the CLI client)
+to accept the server's certificate. In the case where the REST keystore has a self-signed certificate, the truststore must trust that certificate directly.
+If the REST endpoint uses a certificate that is signed through a proper certification hierarchy, the roots of that hierarchy should
+be in the trust store.
+
+{% highlight yaml %}
+security.ssl.rest.keystore: /path/to/file.keystore
+security.ssl.rest.keystore-password: keystore_password
+security.ssl.rest.key-password: key_password
+security.ssl.rest.truststore: /path/to/file.truststore
+security.ssl.rest.truststore-password: truststore_password
+{% endhighlight %}
**IMPORTANT**
@@ -44,115 +139,126 @@ We recommend that SSL setups update to the stronger cipher suites, if possible,
security.ssl.algorithms: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
{% endhighlight %}
-If these suites are not supported on your setup, you will see that Flink processes will not be able to connect to each other.
+If these cipher suites are not supported on your setup, you will see that Flink processes will not be able to connect to each other.
-## Deploying Keystores and Truststores
-You need to have a Java Keystore generated and copied to each node in the Flink cluster. The common name or subject alternative names in the certificate should match the node's hostname and IP address. Keystores and truststores can be generated using the [keytool utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html). All Flink components should have read access to the keystore and truststore files.
+## Creating and Deploying Keystores and Truststores
-### Example: Creating self signed CA and keystores for a two-node cluster
+Keys, Certificates, and the Keystores and Truststores can be generated using the [keytool utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html).
+You need to have an appropriate Java Keystore and Truststore accessible from each node in the Flink cluster.
-Execute the following keytool commands to create a truststore with a self signed CA.
+ - For standalone setups, this means copying the files to each node, or adding them to a shared mounted directory.
+ - For container based setups, add the keystore and truststore files to the container images.
+ - For Yarn/Mesos setups, the cluster deployment phase can automatically distribute the keystore and truststore files.
-{% highlight bash %}
-keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass password -keypass password -keyalg RSA -ext bc=ca:true
-keytool -keystore ca.keystore -storepass password -alias ca -exportcert > ca.cer
-keytool -importcert -keystore ca.truststore -alias ca -storepass password -noprompt -file ca.cer
-{% endhighlight %}
+For the externally facing REST endpoint, the common name or subject alternative names in the certificate should match the node's hostname and IP address.
-Now create keystores for each node with certificates signed by the above CA. Let node1.company.org and node2.company.org be the hostnames with IPs 192.168.1.1 and 192.168.1.2 respectively
-#### Node 1
+## Example SSL Setup Standalone and Kubernetes
+
+**Internal Connectivity**
+
+Execute the following keytool commands to create a key pair in a keystore:
+
{% highlight bash %}
-keytool -genkeypair -alias node1 -keystore node1.keystore -dname "CN=node1.company.org" -ext SAN=dns:node1.company.org,ip:192.168.1.1 -storepass password -keypass password -keyalg RSA
-keytool -certreq -keystore node1.keystore -storepass password -alias node1 -file node1.csr
-keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext SAN=dns:node1.company.org,ip:192.168.1.1 -infile node1.csr -outfile node1.cer
-keytool -importcert -keystore node1.keystore -storepass password -file ca.cer -alias ca -noprompt
-keytool -importcert -keystore node1.keystore -storepass password -file node1.cer -alias node1 -noprompt
+keytool -genkeypair -alias flink.internal -keystore internal.keystore -dname "CN=flink.internal" -storepass internal_store_password -keypass internal_key_password -keyalg RSA -keysize 4096
{% endhighlight %}
-#### Node 2
-{% highlight bash %}
-keytool -genkeypair -alias node2 -keystore node2.keystore -dname "CN=node2.company.org" -ext SAN=dns:node2.company.org,ip:192.168.1.2 -storepass password -keypass password -keyalg RSA
-keytool -certreq -keystore node2.keystore -storepass password -alias node2 -file node2.csr
-keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext SAN=dns:node2.company.org,ip:192.168.1.2 -infile node2.csr -outfile node2.cer
-keytool -importcert -keystore node2.keystore -storepass password -file ca.cer -alias ca -noprompt
-keytool -importcert -keystore node2.keystore -storepass password -file node2.cer -alias node2 -noprompt
+The single key/certificate in the keystore is used the same way by the server and client endpoints (mutual authentication).
+The key pair acts as the shared secret for internal security, and we can directly use it as keystore and truststore.
+
+{% highlight yaml %}
+security.ssl.internal.enabled: true
+security.ssl.internal.keystore: /path/to/flink/conf/internal.keystore
+security.ssl.internal.truststore: /path/to/flink/conf/internal.keystore
+security.ssl.internal.keystore-password: internal_store_password
+security.ssl.internal.truststore-password: internal_store_password
+security.ssl.internal.key-password: internal_key_password
{% endhighlight %}
-## Standalone Deployment
-Configure each node in the standalone cluster to pick up the keystore and truststore files present in the local file system.
+**REST Endpoint**
-### Example: Two-node cluster
+The REST endpoint may receive connections from external processes, including tools that are not part of Flink (for example curl request to the REST API).
+Setting up a proper certificate that is signed though a CA hierarchy may make sense for the REST endpoint.
-* Generate two keystores, one for each node, and copy them to the filesystem on the respective node. Also copy the public key of the CA (which was used to sign the certificates in the keystore) as a Java truststore on both the nodes.
-* Configure conf/flink-conf.yaml to pick up these files.
+However, as mentioned above, the REST endpoint does not authenticate clients and thus typically needs to be secured via a proxy anyways.
-#### Node 1
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node1.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+**REST Endpoint (simple self signed certificate)**
+
+This example shows how to create a simple keystore / truststore pair. The truststore does not contain the primary key and can
+be shared with other applications. In this example, *myhost.company.org / ip:10.0.2.15* is the node (or service) for the Flink master.
+
+{% highlight bash %}
+keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname "CN=myhost.company.org" -ext "SAN=dns:myhost.company.org,ip:10.0.2.15" -storepass rest_keystore_password -keypass rest_key_password -keyalg RSA -keysize 4096
+
+keytool -exportcert -keystore rest.keystore -alias flink.rest -storepass rest_keystore_password -file flink.cer
+
+keytool -importcert -keystore rest.truststore -alias flink.rest -storepass rest_truststore_password -file flink.cer -noprompt
{% endhighlight %}
-#### Node 2
{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node2.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+security.ssl.rest.enabled: true
+security.ssl.rest.keystore: /path/to/flink/conf/rest.keystore
+security.ssl.rest.truststore: /path/to/flink/conf/rest.truststore
+security.ssl.rest.keystore-password: rest_keystore_password
+security.ssl.rest.truststore-password: rest_truststore_password
+security.ssl.rest.key-password: rest_key_password
{% endhighlight %}
-* Restart the Flink components to enable SSL for all of Flink's internal communication
-* Verify by accessing the jobmanager's UI using https url. The taskmanager's path in the UI should show akka.ssl.tcp:// as the protocol
-* The blob server and taskmanager's data communication can be verified from the log files
+**REST Endpoint (with a self signed CA)**
-## YARN Deployment
-The keystores and truststore can be deployed in a YARN setup in multiple ways depending on the cluster setup. Following are two ways to achieve this.
+Execute the following keytool commands to create a truststore with a self signed CA.
+
+{% highlight bash %}
+keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass ca_keystore_password -keypass ca_key_password -keyalg RSA -keysize 4096 -ext "bc=ca:true"
-### 1. Deploy keystores before starting the YARN session
-The keystores and truststore should be generated and deployed on all nodes in the YARN setup where Flink components can potentially be executed. The same Flink config file from the Flink YARN client is used for all the Flink components running in the YARN cluster. Therefore we need to ensure the keystore is deployed and accessible using the same filepath in all the YARN nodes.
+keytool -exportcert -keystore ca.keystore -alias ca -storepass ca_keystore_password -file ca.cer
-#### Example config
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+keytool -importcert -keystore ca.truststore -alias ca -storepass ca_truststore_password -file ca.cer -noprompt
{% endhighlight %}
-Now you can start the YARN session from the CLI like you would normally do.
+Now create a keystore for the REST endpoint with a certificate signed by the above CA.
+Let *flink.company.org / ip:10.0.2.15* be the hostname of the Flink master (JobManager).
-### 2. Use YARN CLI to deploy the keystores and truststore
-We can use the YARN client's ship files option (-yt) to distribute the keystores and truststore. Since the same keystore will be deployed at all nodes, we need to ensure a single certificate in the keystore can be served for all nodes. This can be done by either using the Subject Alternative Name (SAN) extension in the certificate and setting it to cover all nodes (hostname and ip addresses) in the cluster or by using wildcard subdomain names (if the cluster is setup accordingly).
+{% highlight bash %}
+keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname "CN=flink.company.org" -ext "SAN=dns:flink.company.org" -storepass rest_keystore_password -keypass rest_key_password -keyalg RSA -keysize 4096
-#### Example
-* Supply the following parameters to the keytool command when generating the keystore: -ext SAN=dns:node1.company.org,ip:192.168.1.1,dns:node2.company.org,ip:192.168.1.2
-* Copy the keystore and the CA's truststore into a local directory (at the CLI's working directory), say deploy-keys/
-* Update the configuration to pick up the files from a relative path
+keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass rest_keystore_password -keypass rest_key_password -file rest.csr
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: deploy-keys/node.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: deploy-keys/ca.truststore
-security.ssl.truststore-password: password
+keytool -gencert -alias ca -keystore ca.keystore -storepass ca_keystore_password -keypass ca_key_password -ext "SAN=dns:flink.company.org,ip:10.0.2.15" -infile rest.csr -outfile rest.cer
+
+keytool -importcert -keystore rest.signed.keystore -storepass rest_keystore_password -file ca.cer -alias ca -noprompt
+
+keytool -importcert -keystore rest.signed.keystore -storepass rest_keystore_password -keypass rest_key_password -file rest.cer -alias flink.rest -noprompt
{% endhighlight %}
-* Start the YARN session using the -yt parameter
+Now add the following configuration to your `flink-conf.yaml`:
-{% highlight bash %}
-flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar
+{% highlight yaml %}
+security.ssl.rest.enabled: true
+security.ssl.rest.keystore: /path/to/flink/conf/rest.signed.keystore
+security.ssl.rest.truststore: /path/to/flink/conf/ca.truststore
+security.ssl.rest.keystore-password: rest_keystore_password
+security.ssl.rest.key-password: rest_key_password
+security.ssl.rest.truststore-password: ca_truststore_password
{% endhighlight %}
-When deployed using YARN, Flink's web dashboard is accessible through YARN proxy's Tracking URL. To ensure that the YARN proxy is able to access Flink's https url you need to configure YARN proxy to accept Flink's SSL certificates. Add the custom CA certificate into Java's default truststore on the YARN Proxy node.
+
+## Tips for YARN / Mesos Deployment
+
+For YARN and Mesos, you can use the tools of Yarn and Mesos to help:
+
+ - Configuring security for internal communication is exactly the same as in the example above.
+
+ - To secure the REST endpoint, you need to issue the REST endpoint's certificate such that it is valid for all hosts
+ that the Flink master may get deployed to. This can be done with a wild card DNS name, or by adding multiple DNS names.
+
+ - The easiest way to deploy keystores and truststore is by YARN client's *ship files* option (`-yt`).
+ Copy the keystore and truststore files into a local directory (say `deploy-keys/`) and start the YARN session as
+ follows: `flink run -m yarn-cluster -yt deploy-keys/ flinkapp.jar`
+
+ - When deployed using YARN, Flink's web dashboard is accessible through YARN proxy's Tracking URL.
+ To ensure that the YARN proxy is able to access Flink's HTTPS URL, you need to configure YARN proxy to accept Flink's SSL certificates.
+ For that, add the custom CA certificate into Java's default truststore on the YARN Proxy node.
{% top %}
[flink] 01/02: [hotfix] [security] Fix error message when
RestClientConfiguration cannot be created due to wrong SSL config.
Posted by tr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
trohrmann pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/flink.git
commit 31fbcfa2b1eb2e0223f8332c33e9fb3e8cdd858f
Author: Stephan Ewen <se...@apache.org>
AuthorDate: Mon Aug 6 21:09:31 2018 +0200
[hotfix] [security] Fix error message when RestClientConfiguration cannot be created due to wrong SSL config.
---
.../java/org/apache/flink/runtime/rest/RestClientConfiguration.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java b/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
index cbd888d..e09f357 100644
--- a/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
+++ b/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
@@ -94,7 +94,7 @@ public final class RestClientConfiguration {
try {
sslEngineFactory = SSLUtils.createRestClientSSLEngineFactory(config);
} catch (Exception e) {
- throw new ConfigurationException("Failed to initialize SSLContext for the web frontend", e);
+ throw new ConfigurationException("Failed to initialize SSLContext for the REST client", e);
}
} else {
sslEngineFactory = null;