Date: Mon, 5 Jun 2017 13:33:37 +0200
From: "Tzu-Li (Gordon) Tai"
To: user@flink.apache.org
Subject: Re: In-transit Data Encryption in EMR

Hi Vinay!

> 1. Will the existing functionality provided by Amazon to configure
> in-transit data encryption work for Flink as well?
> This is explained here:
> http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html
> http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-data-encryption-options.html#emr-encryption-intransit

I don’t think so. AFAIK, the AWS security configurations need to be integrated for each platform’s specific security features, and as of now, there doesn’t seem to be an integration for Flink SSL encryption features yet.

> 2. Using Flink SSL Setup: as we know only the IP address of the master node
> on EMR, should we pass only its IP address in the SAN list as given here?
> (I think it should work as the yarn-cli command will distribute the
> truststore and keystore to each TM)
> https://ci.apache.org/projects/flink/flink-docs-release-1.3/setup/security-ssl.html#use-yarn-cli-to-deploy-the-keystores-and-truststore

The generated certificate needs to cover all nodes (hostname and IP address). Is it possible for you to use wildcard subdomain names to generate the certificate?
I’m not entirely sure of the subdomain patterns of EMR nodes, but this should be possible.

Cheers,
Gordon

On 5 June 2017 at 12:56:45 PM, vinay patil (vinay18.patil@gmail.com) wrote:

> Thank you Till.
>
> Gordon can you please help.
>
> Regards,
> Vinay Patil
>
> On Fri, Jun 2, 2017 at 9:10 PM, Till Rohrmann [via Apache Flink User Mailing List archive.] <[hidden email]> wrote:
>
>> Hi Vinay,
>>
>> I've pulled my colleague Gordon into the conversation who can probably tell you more about Flink's security features.
>>
>> Cheers,
>> Till
>>
>> On Fri, Jun 2, 2017 at 2:22 PM, vinay patil <[hidden email]> wrote:
>>
>>> Hi,
>>>
>>> Currently I am looking into configuring in-transit data encryption either using Flink SSL Setup or directly using EMR.
>>>
>>> Few Doubts:
>>>
>>> 1. Will the existing functionality provided by Amazon to configure in-transit data encryption work for Flink as well?
>>> This is explained here:
>>> http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html
>>> http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-data-encryption-options.html#emr-encryption-intransit
>>>
>>> 2. Using Flink SSL Setup: as we know only the IP address of the master node on EMR, should we pass only its IP address in the SAN list as given here?
>>> (I think it should work as the yarn-cli command will distribute the truststore and keystore to each TM)
>>> https://ci.apache.org/projects/flink/flink-docs-release-1.3/setup/security-ssl.html#use-yarn-cli-to-deploy-the-keystores-and-truststore
>>>
>>> Regards,
>>> Vinay Patil
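
The requirement stated in the reply, that the certificate cover every node's hostname and IP address, can be checked against a planned SAN list before the keystore is distributed. The following is an added example, not part of the original thread or of Flink: it applies RFC 6125-style wildcard matching, assumes the SAN entries have already been read from the certificate, and uses hypothetical function names and a constructed node inventory.

```python
import ipaddress

def dns_san_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only be the whole leftmost label
    and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.internal'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(san_dns, san_ips, nodes):
    """Map each node hostname to the identities missing from the SAN list.
    nodes: (hostname, ip) pairs; san_dns / san_ips: the certificate's
    dNSName and iPAddress SAN entries, assumed already extracted."""
    ips = {ipaddress.ip_address(i) for i in san_ips}
    gaps = {}
    for hostname, ip in nodes:
        missing = []
        if not any(dns_san_matches(p, hostname) for p in san_dns):
            missing.append(hostname)
        # A wildcard dNSName never covers an address; IPs need their own entry.
        if ipaddress.ip_address(ip) not in ips:
            missing.append(ip)
        if missing:
            gaps[hostname] = missing
    return gaps

# Constructed inventory (not from the thread): one master, two workers.
NODES = [
    ("ip-10-0-0-10.ec2.internal", "10.0.0.10"),
    ("ip-10-0-0-21.ec2.internal", "10.0.0.21"),
    ("ip-10-0-0-22.ec2.internal", "10.0.0.22"),
]
ALL_IPS = [ip for _, ip in NODES]

def scenarios():
    return {
        "master_ip_only": uncovered([], ["10.0.0.10"], NODES),
        "wildcard_only": uncovered(["*.ec2.internal"], [], NODES),
        "wildcard_plus_ips": uncovered(["*.ec2.internal"], ALL_IPS, NODES),
    }

if __name__ == "__main__":
    for name, gaps in scenarios().items():
        print(name, "->", gaps or "all nodes covered")
```

A SAN list holding only the master's IP leaves both workers unverifiable, and a wildcard alone still leaves every node's IP address uncovered.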