Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2019/02/12 21:32:39 UTC

[GitHub] NicoK opened a new pull request #7688: [FLINK-9816][network] add option to configure SSL engine provider for TM communication

URL: https://github.com/apache/flink/pull/7688
 
 
   ## What is the purpose of the change
   
   Netty has the ability to run with different `SSLEngine` implementations but with our current setup, we are fixed to the JDK implementation, although one based on OpenSSL is expected to be faster [1].
   We should make this configurable and ideally also provide everything needed to run with OpenSSL in the future (the last part is not part of this PR).
   
   [1] https://netty.io/wiki/requirements-for-4.x.html#benefits-of-using-openssl
   
   This PR subsumes #6328.
   
   ## Brief change log
   
   - netty-fy SSL configuration in `SSLUtils` by using Netty's `SslContextBuilder` (only a few places do not use netty SSL setups - provide a workaround there)
   - allow selecting the SSL engine provider via `security.ssl.provider`
   - add openSSL-based SSL tests (if available) - some may currently fail due to different behaviour (this may need to be fixed once the second part is done)
   - use `OpenSslX509KeyManagerFactory` for openSSL back-end
   
   ## Verifying this change
   
   This change can be verified as follows:
   
   - added unit tests
   - ran e2e SSL test
   - I verified by running an SSL setup with 2 TMs and submitting a job through the WebUI with the default `JDK` SSL engine and `OPENSSL`
   -> all using a custom build using `netty-tcnative` with statically linked boringssl libraries from http://netty.io/wiki/forked-tomcat-native.html (see https://github.com/NicoK/flink-shaded/tree/flink-9816.static-6.0)
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): **no**
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: **no**
     - The serializers: **no**
     - The runtime per-record code paths (performance sensitive): **no**
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: **no**
     - The S3 file system connector: **no**
   
   ## Documentation
   
     - Does this pull request introduce a new feature? **no**
     - If yes, how is the feature documented? **docs, JavaDocs**
   
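The PR description above talks about a `security.ssl.provider` switch that picks the `SSLEngine` implementation and about building the contexts with Netty's `SslContextBuilder` (using `OpenSslX509KeyManagerFactory` for the OpenSSL back-end). The following is an added example, not code from the pull request or from Flink's `SSLUtils`: it shows how such a switch maps onto Netty's public API and, importantly, that an `OPENSSL` request fails loudly when `netty-tcnative` is absent rather than silently degrading to the JDK engine. The class name, the method names, the keystore paths/passwords read from system properties, and the choice of mutual TLS (`ClientAuth.REQUIRE`) are all assumptions of this example.

```java
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslX509KeyManagerFactory;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

/** Hypothetical helper illustrating a "security.ssl.provider" switch; not Flink's SSLUtils. */
public final class SslProviderExample {

    /** Map the configured string to Netty's provider. OPENSSL is refused, not downgraded, when unavailable. */
    static SslProvider resolveProvider(String configured) {
        switch (configured.trim().toUpperCase()) {
            case "JDK":
                return SslProvider.JDK;
            case "OPENSSL":
                if (!OpenSsl.isAvailable()) {
                    // unavailabilityCause() explains what is missing (e.g. no netty-tcnative on the classpath)
                    throw new IllegalStateException(
                            "security.ssl.provider=OPENSSL requested but OpenSSL engine is not available",
                            OpenSsl.unavailabilityCause());
                }
                return SslProvider.OPENSSL;
            default:
                throw new IllegalArgumentException("Unknown SSL provider: " + configured);
        }
    }

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Key manager matching the provider: the native engine gets OpenSslX509KeyManagerFactory, the JDK its default. */
    static KeyManagerFactory keyManagerFor(SslProvider provider, KeyStore keyStore, char[] keyPassword)
            throws Exception {
        KeyManagerFactory kmf = provider == SslProvider.OPENSSL
                ? new OpenSslX509KeyManagerFactory()
                : KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf;
    }

    static TrustManagerFactory trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /** Server side (e.g. a TM's data port): presents its key, requires the peer's certificate (assumed mutual TLS). */
    static SslContext serverContext(SslProvider provider, KeyManagerFactory kmf, TrustManagerFactory tmf)
            throws Exception {
        return SslContextBuilder.forServer(kmf)
                .sslProvider(provider)
                .trustManager(tmf)
                .clientAuth(ClientAuth.REQUIRE)
                .build();
    }

    /** Client side: same key and trust material so the server can authenticate it in return. */
    static SslContext clientContext(SslProvider provider, KeyManagerFactory kmf, TrustManagerFactory tmf)
            throws Exception {
        return SslContextBuilder.forClient()
                .sslProvider(provider)
                .keyManager(kmf)
                .trustManager(tmf)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: system properties stand in for the real configuration file.
        SslProvider provider = resolveProvider(System.getProperty("security.ssl.provider", "JDK"));
        char[] password = System.getProperty("ssl.password", "changeit").toCharArray();
        KeyStore keyStore = loadKeyStore(System.getProperty("ssl.keystore", "/path/to/keystore.jks"), password);
        KeyStore trustStore = loadKeyStore(System.getProperty("ssl.truststore", "/path/to/truststore.jks"), password);

        KeyManagerFactory kmf = keyManagerFor(provider, keyStore, password);
        TrustManagerFactory tmf = trustManagerFor(trustStore);
        SslContext server = serverContext(provider, kmf, tmf);
        SslContext client = clientContext(provider, kmf, tmf);

        System.out.println("provider=" + provider + " server=" + server.getClass().getSimpleName()
                + " client=" + client.getClass().getSimpleName());
    }
}
```

Run with `-Dsecurity.ssl.provider=OPENSSL` on a classpath that contains a `netty-tcnative` artifact matching your platform; without it, `resolveProvider` throws with the underlying cause attached instead of quietly handing back a JDK engine, which is the behaviour a deployment that was configured for the native engine should expect.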
