Posted to issues@flume.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/25 15:08:00 UTC

[jira] [Commented] (FLUME-3269) Support JSSE keystore/truststore -D system properties

    [ https://issues.apache.org/jira/browse/FLUME-3269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16627482#comment-16627482 ] 

ASF GitHub Bot commented on FLUME-3269:
---------------------------------------

GitHub user turcsanyip opened a pull request:

    https://github.com/apache/flume/pull/228

    FLUME-3269: Support JSSE keystore/truststore -D system properties

    It makes it possible to specify global/common SSL keystore parameters (path,
    password and type) at Flume agent (process) level for all sources/sinks.
    In this way, it is not necessary to define (=copy) the SSL config for each
    component in the agent config.
    
    The global SSL parameters can be specified through the standard -D JSSE
    system properties or in environment variables.
    Component level configuration is still possible.
    
    Priority:
     1. component parameters in agent config
     2. -D system properties
     3. environment variables

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/turcsanyip/flume FLUME-3269

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flume/pull/228.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #228
    
----
commit 2aa65ae1c6bcd87844d17fffde84f6a058972c58
Author: turcsanyi <tu...@...>
Date:   2018-09-13T17:08:01Z

    FLUME-3269: Support JSSE keystore/truststore -D system properties
    
    It makes it possible to specify global/common SSL keystore parameters (path,
    password and type) at Flume agent (process) level for all sources/sinks.
    In this way, it is not necessary to define (=copy) the SSL config for each
    component in the agent config.
    
    The global SSL parameters can be specified through the standard -D JSSE
    system properties or in environment variables.
    Component level configuration is still possible.
    
    Priority:
     1. component parameters in agent config
     2. -D system properties
     3. environment variables

----


> Support JSSE keystore/truststore -D system properties
> -----------------------------------------------------
>
>                 Key: FLUME-3269
>                 URL: https://issues.apache.org/jira/browse/FLUME-3269
>             Project: Flume
>          Issue Type: Improvement
>            Reporter: Peter Turcsanyi
>            Assignee: Peter Turcsanyi
>            Priority: Major
>
> Several Flume components support SSL, but they all have their own config parameters for specifying the location and password for keystore and truststore.
> These parameters could be passed as standard JSSE system properties (specified in flume-env.sh):
> {code}
> -Djavax.net.ssl.keyStore=/path/to/keystore
> -Djavax.net.ssl.keyStorePassword=keystore-password
> -Djavax.net.ssl.keyStoreType=keystore-type
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=truststore-password
> -Djavax.net.ssl.trustStoreType=truststore-type
> {code}
> This would be a more consistent and standards-based configuration.
> Specifying passwords in system properties means that the passwords can be seen in the process list. For cases where it is not acceptable, it will also be possible to define the parameters in environment variables.
> {code}
> FLUME_SSL_KEYSTORE_PATH
> FLUME_SSL_KEYSTORE_PASSWORD
> FLUME_SSL_KEYSTORE_TYPE
> FLUME_SSL_TRUSTSTORE_PATH
> FLUME_SSL_TRUSTSTORE_PASSWORD
> FLUME_SSL_TRUSTSTORE_TYPE
> {code}
> The logic of applying the SSL config parameters for an SSL-enabled source/sink:
> - if the agent config defines the SSL parameters for the component, then they will be used (allowing customisation and backward compatibility)
> - if no SSL parameters are defined for the component, but the -D system properties are present, then they will be used
> - if neither the component SSL parameters nor the -D system properties are defined, but the environment variables are present, then they will be used
> - otherwise config error
> So the priority:
> # component parameters in agent config
> # -D system properties
> # environment variables



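The issue description above notes that passwords passed as -D system properties can be seen in the process list. The following is an added example, not part of the original message or of Flume's code: a shell audit function that flags JVM command lines carrying the two JSSE password properties without echoing the secret. The function name and the sample process lines (PIDs and agent names) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Flume code): find JVMs whose command line exposes a JSSE
# store password. Input: "PID COMMAND..." lines on stdin, for instance from
#   ps -eo pid=,args=
# Output: one "PID PROPERTY" line per finding; the value is never printed.
find_exposed_jsse_passwords() {
    awk '
    {
        pid = $1
        for (i = 2; i <= NF; i++) {
            # Only the two password properties named in the issue are checked.
            if ($i ~ /^-Djavax\.net\.ssl\.(keyStore|trustStore)Password=/) {
                prop = $i
                sub(/^-D/, "", prop)   # drop the JVM option prefix
                sub(/=.*/, "", prop)   # drop "=" and the secret itself
                # "-D<prop>=" with an empty value exposes nothing; skip it.
                if (length($i) > length(prop) + 3) print pid, prop
            }
        }
    }'
}

# Constructed sample process list: 1201 and 1203 pass passwords with -D,
# 1202 passes only a truststore path, 1203 also has an empty password value.
SAMPLE_PS='1201 java -Xmx512m -Djavax.net.ssl.keyStore=/path/to/keystore -Djavax.net.ssl.keyStorePassword=keystore-password org.apache.flume.node.Application -n a1
1202 java -Djavax.net.ssl.trustStore=/path/to/truststore org.apache.flume.node.Application -n a2
1203 java -Djavax.net.ssl.trustStorePassword=truststore-password -Djavax.net.ssl.keyStorePassword= org.apache.flume.node.Application -n a3'

printf '%s\n' "$SAMPLE_PS" | find_exposed_jsse_passwords
```

An agent that takes its store passwords from the FLUME_SSL_KEYSTORE_PASSWORD and FLUME_SSL_TRUSTSTORE_PASSWORD environment variables instead produces no findings here, because those values are not part of the command line.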