flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-9816) Support Netty SslEngine based on openSSL
Date Sat, 14 Jul 2018 05:42:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-9816?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16544032#comment-16544032
] 

ASF GitHub Bot commented on FLINK-9816:
---------------------------------------

Github user yanghua commented on a diff in the pull request:

    https://github.com/apache/flink/pull/6328#discussion_r202506709
  
    --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
    @@ -163,80 +163,157 @@ public static void setSSLVerifyHostname(Configuration sslConfig,
SSLParameters s
     	}
     
     	/**
    -	 * Creates the SSL Context for the client if SSL is configured.
    +	 * SSL engine provider.
    +	 */
    +	public enum SSLProvider {
    +		JDK,
    +		/**
    +		 * OpenSSL with fallback to JDK if not available.
    +		 */
    +		OPENSSL;
    +
    +		public static SSLProvider fromString(String value) {
    +			Preconditions.checkNotNull(value);
    +			if (value.equalsIgnoreCase("OPENSSL")) {
    +				return OPENSSL;
    +			} else if (value.equalsIgnoreCase("JDK")) {
    +				return JDK;
    +			} else {
    +				throw new IllegalArgumentException("Unknown SSL provider: " + value);
    +			}
    +		}
    +	}
    +
    +	/**
    +	 * Instances needed to set up an SSL client connection.
    +	 */
    +	public static class SSLClientTools {
    +		public final SSLProvider preferredSslProvider;
    +		public final String sslProtocolVersion;
    +		public final TrustManagerFactory trustManagerFactory;
    +
    +		public SSLClientTools(
    +				SSLProvider preferredSslProvider,
    +				String sslProtocolVersion,
    +				TrustManagerFactory trustManagerFactory) {
    +			this.preferredSslProvider = preferredSslProvider;
    +			this.sslProtocolVersion = sslProtocolVersion;
    +			this.trustManagerFactory = trustManagerFactory;
    +		}
    +	}
    +
    +	/**
    +	 * Creates necessary helper objects to use for creating an SSL Context for the client
if SSL is
    +	 * configured.
     	 *
     	 * @param sslConfig
     	 *        The application configuration
    -	 * @return The SSLContext object which can be used by the ssl transport client
    -	 * 	       Returns null if SSL is disabled
    +	 * @return The SSLClientTools object which can be used for creating some SSL context
object;
    +	 * 	       returns <tt>null</tt> if SSL is disabled.
     	 * @throws Exception
     	 *         Thrown if there is any misconfiguration
     	 */
     	@Nullable
    -	public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception
{
    -
    +	public static SSLClientTools createSSLClientTools(Configuration sslConfig) throws Exception
{
     		Preconditions.checkNotNull(sslConfig);
    -		SSLContext clientSSLContext = null;
     
     		if (getSSLEnabled(sslConfig)) {
     			LOG.debug("Creating client SSL context from configuration");
     
     			String trustStoreFilePath = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
     			String trustStorePassword = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
     			String sslProtocolVersion = sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
    +			SSLProvider sslProvider = SSLProvider.fromString(sslConfig.getString(SecurityOptions.SSL_PROVIDER));
     
     			Preconditions.checkNotNull(trustStoreFilePath, SecurityOptions.SSL_TRUSTSTORE.key()
+ " was not configured.");
     			Preconditions.checkNotNull(trustStorePassword, SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key()
+ " was not configured.");
     
     			KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
     
    -			FileInputStream trustStoreFile = null;
    -			try {
    -				trustStoreFile = new FileInputStream(new File(trustStoreFilePath));
    +			try (FileInputStream trustStoreFile = new FileInputStream(new File(trustStoreFilePath)))
{
     				trustStore.load(trustStoreFile, trustStorePassword.toCharArray());
    -			} finally {
    -				if (trustStoreFile != null) {
    -					trustStoreFile.close();
    -				}
     			}
     
     			TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
     				TrustManagerFactory.getDefaultAlgorithm());
     			trustManagerFactory.init(trustStore);
     
    -			clientSSLContext = SSLContext.getInstance(sslProtocolVersion);
    -			clientSSLContext.init(null, trustManagerFactory.getTrustManagers(), null);
    +			return new SSLClientTools(sslProvider, sslProtocolVersion, trustManagerFactory);
     		}
     
    -		return clientSSLContext;
    +		return null;
     	}
     
     	/**
    -	 * Creates the SSL Context for the server if SSL is configured.
    +	 * Creates the SSL Context for the client if SSL is configured.
     	 *
     	 * @param sslConfig
     	 *        The application configuration
    -	 * @return The SSLContext object which can be used by the ssl transport server
    +	 * @return The SSLContext object which can be used by the ssl transport client
     	 * 	       Returns null if SSL is disabled
     	 * @throws Exception
     	 *         Thrown if there is any misconfiguration
     	 */
     	@Nullable
    -	public static SSLContext createSSLServerContext(Configuration sslConfig) throws Exception
{
    +	public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception
{
    +		Preconditions.checkNotNull(sslConfig);
    +		SSLContext clientSSLContext = null;
    +
    +		if (getSSLEnabled(sslConfig)) {
    +			SSLClientTools clientTools = createSSLClientTools(sslConfig);
     
    +			clientSSLContext = SSLContext.getInstance(clientTools.sslProtocolVersion);
    +			clientSSLContext.init(null, clientTools.trustManagerFactory.getTrustManagers(), null);
    +		}
    +
    +		return clientSSLContext;
    +	}
    +
    +	/**
    +	 * Instances needed to set up an SSL client connection.
    +	 */
    +	public static class SSLServerTools {
    +		public final SSLProvider preferredSslProvider;
    +		public final String sslProtocolVersion;
    +		public final String[] ciphers;
    +		public final KeyManagerFactory keyManagerFactory;
    +
    +		public SSLServerTools(
    +				SSLProvider preferredSslProvider,
    +				String sslProtocolVersion,
    +				String[] ciphers,
    +				KeyManagerFactory keyManagerFactory) {
    +			this.preferredSslProvider = preferredSslProvider;
    +			this.sslProtocolVersion = sslProtocolVersion;
    +			this.ciphers = ciphers;
    +			this.keyManagerFactory = keyManagerFactory;
    +		}
    +	}
    +
    +	/**
    +	 * Creates necessary helper objects to use for creating an SSL Context for the server
if SSL is
    +	 * configured.
    +	 *
    +	 * @param sslConfig
    +	 *        The application configuration
    --- End diff --
    
    do not need linefeed


> Support Netty SslEngine based on openSSL
> ----------------------------------------
>
>                 Key: FLINK-9816
>                 URL: https://issues.apache.org/jira/browse/FLINK-9816
>             Project: Flink
>          Issue Type: Improvement
>          Components: Network
>            Reporter: Nico Kruber
>            Assignee: Nico Kruber
>            Priority: Major
>              Labels: pull-request-available
>
> Since a while now, Netty does not only support the JDK's {{SSLEngine}} but also implements
one based on openSSL which, according to https://netty.io/wiki/requirements-for-4.x.html#wiki-h4-4
is significantly faster. We should add support for using that engine instead.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message