flink-issues mailing list archives

From StephanEwen <...@git.apache.org>
Subject [GitHub] flink pull request #5966: [FLINK-9312] [security] Add mutual authentication ...
Date Mon, 07 May 2018 20:21:48 GMT
GitHub user StephanEwen opened a pull request:

    https://github.com/apache/flink/pull/5966

    [FLINK-9312] [security] Add mutual authentication for RPC and data plane

    ## What is the purpose of the change
    
    Currently, the Flink processes encrypted connections via SSL:
      - Data exchange TM - TM
      - RPC JM - TM
      - Blob Service JM - TM
    
      - (Optionally to ZooKeeper and connectors, this is connector specific and not in scope of this change)
    
    However, the server side always accepts any client to build up the connection, meaning the connections are not strongly authenticated. Activating SSL mutual authentication strengthens this significantly - only processes that have access to the same certificate can connect.
    
    ## Brief change log
    
      - Activate mutual auth in akka (via akka config)
      - Activate mutual auth in Netty for data shuffles via `SSLContext` and `SSLEngine` parameters
    
    ## Verifying this change
    
      - Adds a test to the `NettyClientServerSslTest`
    
    ## Does this pull request potentially affect one of the following parts:
    
      - Dependencies (does it add or upgrade a dependency): (yes / **no**)
      - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
      - The serializers: (yes / **no** / don't know)
      - The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
      - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
      - The S3 file system connector: (yes / **no** / don't know)
    
    ## Documentation
    
      - Does this pull request introduce a new feature? (yes / **no**)
      - If yes, how is the feature documented? (**not applicable** / docs / JavaDocs / not documented)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/StephanEwen/incubator-flink mutual_auth

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5966.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5966
    
----
commit 8bceb03d5653c94247b72d6256f4e9e37b036e35
Author: Stephan Ewen <sewen@...>
Date:   2018-05-07T17:44:33Z

    [FLINK-9313] [security] Activate mutual authentication for RPC/akka

commit 59b017580d30904418e0867ac122a8183dc5db70
Author: Stephan Ewen <sewen@...>
Date:   2018-05-07T19:28:41Z

    [FLINK-9314] [security] Add mutual authentication for Netty / TaskManager's data plane

----
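
The server-side setting the pull request describes, shown with plain JSSE as an added example; this is not code from the pull request or from Flink. The class name `MutualAuthEngines`, its method names and the keystore path and password arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical illustration class; not part of Flink.
public class MutualAuthEngines {
    // One keystore serves as both identity and trust anchor, so a peer is
    // accepted only if its certificate chains to an entry in this same store.
    static SSLContext internalContext(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // "need" fails the handshake when the client sends no acceptable certificate;
        // setWantClientAuth(true) would only request one and continue without it.
        engine.setNeedClientAuth(true);
        return engine;
    }

    static SSLEngine clientEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true); // presents the key from the shared keystore when asked
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore path> <keystore password>
        SSLContext ctx = internalContext(args[0], args[1].toCharArray());
        SSLEngine server = serverEngine(ctx);
        System.out.println("needClientAuth=" + server.getNeedClientAuth() + ", wantClientAuth=" + server.getWantClientAuth());
        System.out.println("client mode=" + clientEngine(ctx).getUseClientMode());
    }
}
```

If the keystore also holds a CA certificate, every certificate issued by that CA passes the server's check, so a store used for internal connections should contain only the entries meant to be trusted.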

