flink-user mailing list archives

From "Tzu-Li (Gordon) Tai" <tzuli...@apache.org>
Subject Re: In-transit Data Encryption in EMR
Date Mon, 05 Jun 2017 11:33:37 GMT
Hi Vinay!

 1. Will the existing functionality provided by Amazon to configure
in-transit data encryption work for Flink as well. This is explained here:
http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html
http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-data-encryption-options.html#emr-encryption-intransit

I don’t think so. AFAIK, the AWS security configurations need to be integrated for each platform’s
specific security features, and as of now, there doesn’t seem to be an integration for Flink
SSL encryption features, yet.

 2. Using Flink SSL Setup: as we know only the IP address of master node
on EMR, should we pass only its IP address in the SAN list as given here?
(I think it should work as the yarn-cli command will distribute the
truststore and keystore to each TM )
https://ci.apache.org/projects/flink/flink-docs-release-1.3/setup/security-ssl.html#use-yarn-cli-to-deploy-the-keystores-and-truststore

The generated certificate needs to cover all nodes (hostname and IP address). Is it possible
for you to use wildcard subdomain names to generate the certificate?
I’m not entirely sure of the subdomain patterns of EMR nodes, but this should be possible.

Cheers,
Gordon
On 5 June 2017 at 12:56:45 PM, vinay patil (vinay18.patil@gmail.com) wrote:

Thank you Till.

Gordon can you please help.

Regards,
Vinay Patil

On Fri, Jun 2, 2017 at 9:10 PM, Till Rohrmann [via Apache Flink User Mailing List archive.]
<[hidden email]> wrote:
Hi Vinay,

I've pulled my colleague Gordon into the conversation who can probably tell you more about
Flink's security features.

Cheers,
Till

On Fri, Jun 2, 2017 at 2:22 PM, vinay patil <[hidden email]> wrote:
Hi,

Currently I am looking into configuring in-transit data encryption either
using Flink SSL Setup or directly using EMR.

Few Doubts:
   1. Will the existing functionality provided by Amazon to configure
in-transit data encryption work for Flink as well. This is explained here:
http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html
http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-data-encryption-options.html#emr-encryption-intransit

   2. Using Flink SSL Setup: as we know only the IP address of master node
on EMR, should we pass only its IP address in the SAN list as given here?
(I think it should work as the yarn-cli command will distribute the
truststore and keystore to each TM )
https://ci.apache.org/projects/flink/flink-docs-release-1.3/setup/security-ssl.html#use-yarn-cli-to-deploy-the-keystores-and-truststore

Regards,
Vinay Patil
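
An added example, not part of the original thread: a small Python check of which cluster endpoints a certificate's SAN list covers, comparing a SAN list holding only the master IP with one that also carries a wildcard DNS name. The hostnames, domain and IP addresses are constructed placeholders; the real EMR node naming pattern is not assumed.

```python
import ipaddress

def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def uncovered(san_dns, san_ips, endpoints):
    """Return the endpoints (hostnames or IPs) that no SAN entry covers."""
    ips = {ipaddress.ip_address(i) for i in san_ips}
    missing = []
    for ep in endpoints:
        if is_ip(ep):
            # IP SANs are compared exactly; a wildcard DNS name never covers an IP.
            ok = ipaddress.ip_address(ep) in ips
        else:
            ok = any(dns_matches(p, ep) for p in san_dns)
        if not ok:
            missing.append(ep)
    return missing

# Constructed sample data: one master and one worker, by hostname and by IP.
NODES = [
    "ip-10-0-0-11.example.internal", "ip-10-0-0-12.example.internal",
    "10.0.0.11", "10.0.0.12",
]
MASTER_IP_ONLY = uncovered([], ["10.0.0.11"], NODES)
WILDCARD_PLUS_MASTER_IP = uncovered(["*.example.internal"], ["10.0.0.11"], NODES)

if __name__ == "__main__":
    print("SAN = master IP only, uncovered:", MASTER_IP_ONLY)
    print("SAN = wildcard + master IP, uncovered:", WILDCARD_PLUS_MASTER_IP)
```

The wildcard entry covers every node addressed by hostname, but any node reached by IP address still needs its own IP SAN entry.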


