flume-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLUME-3269) Support JSSE keystore/trustore -D system properties
Date Fri, 05 Oct 2018 09:43:00 GMT

    [ https://issues.apache.org/jira/browse/FLUME-3269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639561#comment-16639561

ASF subversion and git services commented on FLUME-3269:

Commit c5168c902634e8ea1f25ec578ed0b7055b246d68 in flume's branch refs/heads/trunk from [~turcsanyip]
[ https://git-wip-us.apache.org/repos/asf?p=flume.git;h=c5168c9 ]

FLUME-3269: Support JSSE keystore/trustore -D system properties

It makes possible to specify global/common SSL keystore parameters (path,
password and type) at Flume agent (process) level for all sources/sinks.
In this way, it is not necessary to define (=copy) the SSL config for each
component in the agent config.

The global SSL parameters can be specified through the standard -D JSSE
system properties or in environment variables.
Component level configuration is still possible.

 1. component parameters in agent config
 2. -D system properties
 2. environment variables

This closes #228

Reviewers: Ferenc Szabo, Tristan Stevens, Endre Major

(Peter Turcsanyi via Ferenc Szabo)

> Support JSSE keystore/trustore -D system properties
> ---------------------------------------------------
>                 Key: FLUME-3269
>                 URL: https://issues.apache.org/jira/browse/FLUME-3269
>             Project: Flume
>          Issue Type: Improvement
>            Reporter: Peter Turcsanyi
>            Assignee: Peter Turcsanyi
>            Priority: Major
> Several Flume components support SSL, but they all have their own config parameters for
specifying the location and password for keystore and truststore.
> These parameters could be passed as standard JSSE system properties (specified in flume-env.sh):
> {code}
> -Djavax.net.ssl.keyStore=/path/to/keystore
> -Djavax.net.ssl.keyStorePassword=keystore-password
> -Djavax.net.ssl.keyStoreType=keystore-type
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=truststore-password
> -Djavax.net.ssl.trustStoreType=truststore-type
> {code}
> This would be a more consistent and standard based configuration.
> Specifying passwords in system properties means that the passwords can be seen in the
process list. For cases where it is not acceptable, it will also be possible to define the
parameters in environment variables.
> {code}
> {code}
> The logic of applying the SSL config parameters for an SSL-enabled source/sink:
> - if the agent config defines the SSL parameter for the component, then they will be
used (allowing customisation and backward compatibility)
> - if no SSL parameters are defined for the component, but the -D system properties are
present, then they will be used
> - if neither the component SSL parameters nor the -D system properties are defined, but
the environment variable are present, then they will be used 
> - otherwise config error
> So the priority:
> # component parameters in agent config
> # -D system properties
> # environment variables

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: issues-unsubscribe@flume.apache.org
For additional commands, e-mail: issues-help@flume.apache.org

View raw message