[
https://issues.apache.org/jira/browse/FLINK-9261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16468802#comment-16468802
]
ASF GitHub Bot commented on FLINK-9261:
---------------------------------------
Github user StephanEwen commented on a diff in the pull request:
https://github.com/apache/flink/pull/5973#discussion_r187025268
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
@@ -81,16 +85,62 @@ public static void
setSSLVerAndCipherSuites(ServerSocket socket, Configuration c
}
}
+ /**
+ * Creates a {@link SSLEngineFactory} to be used by the Server.
+ *
+ * @param config The application configuration.
+ */
+ public static SSLEngineFactory createServerSSLEngineFactory(final
Configuration config) throws Exception {
+ return createSSLEngineFactory(config, false);
+ }
+
+ /**
+ * Creates a {@link SSLEngineFactory} to be used by the Client.
+ * @param config The application configuration.
+ */
+ public static SSLEngineFactory createClientSSLEngineFactory(final
Configuration config) throws Exception {
+ return createSSLEngineFactory(config, true);
+ }
+
+ private static SSLEngineFactory createSSLEngineFactory(
+ final Configuration config,
+ final boolean clientMode) throws Exception {
+
+ final SSLContext sslContext = clientMode ?
+ createSSLClientContext(config) :
+ createSSLServerContext(config);
+
+ checkState(sslContext != null, "%s it not enabled",
SecurityOptions.SSL_ENABLED.key());
+
+ return new SSLEngineFactory(
+ sslContext,
+ getEnabledProtocols(config),
+ getEnabledCipherSuites(config),
+ clientMode);
+ }
+
/**
* Sets SSL version and cipher suites for SSLEngine.
- * @param engine
- * SSLEngine to be handled
- * @param config
- * The application configuration
+ *
+ * @param engine SSLEngine to be handled
+ * @param config The application configuration
+ * @deprecated Use {@link #createClientSSLEngineFactory(Configuration)}
or
+ * {@link #createServerSSLEngineFactory(Configuration)}.
*/
+ @Deprecated
public static void setSSLVerAndCipherSuites(SSLEngine engine,
Configuration config) {
-
engine.setEnabledProtocols(config.getString(SecurityOptions.SSL_PROTOCOL).split(","));
-
engine.setEnabledCipherSuites(config.getString(SecurityOptions.SSL_ALGORITHMS).split(","));
+ engine.setEnabledProtocols(getEnabledProtocols(config));
+ engine.setEnabledCipherSuites(getEnabledCipherSuites(config));
+ }
+
+ private static String[] getEnabledProtocols(final Configuration config)
{
+ requireNonNull(config, "config must not be null");
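Review bot: the `checkState` message in `createSSLEngineFactory` reads "%s it not enabled"; it should be "%s is not enabled", since this is the text an operator sees when an SSL engine factory is requested while SSL is turned off. The public `createServerSSLEngineFactory` and `createClientSSLEngineFactory` also declare a bare `throws Exception`, and their Javadoc has no `@return` or `@throws`, so callers cannot tell from the documentation that a disabled-SSL configuration fails on the `checkState` rather than returning null. Consider documenting that, and narrowing the declared exception if `createSSLClientContext` and `createSSLServerContext` allow it.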
--- End diff --
For private internal utilities, I suggest skipping the null check in most
places, especially when it will eagerly fail with an exception on null anyway.
In any case, if you believe the check should be there, please use
`Preconditions.checkNotNull` rather than `requireNonNull`.
> Regression - Flink CLI and Web UI not working when SSL is enabled
> -----------------------------------------------------------------
>
> Key: FLINK-9261
> URL: https://issues.apache.org/jira/browse/FLINK-9261
> Project: Flink
> Issue Type: Bug
> Components: Client, Network, Web Client
> Affects Versions: 1.5.0
> Reporter: Edward Rojas
> Assignee: Gary Yao
> Priority: Blocker
> Labels: regression
> Fix For: 1.5.0
>
>
> When *security.ssl.enabled* config is set to true, Web UI is no longer
> reachable; there are no logs on jobmanager.
>
> When setting *web.ssl.enabled* to false (keeping security.ssl.enabled to
> true), the dashboard is not reachable and there is the following exception on
> jobmanager:
> {code:java}
> WARN org.apache.flink.runtime.dispatcher.DispatcherRestEndpoint -
> Unhandled exception
> org.apache.flink.shaded.netty4.io.netty.handler.ssl.NotSslRecordException:
> not an SSL/TLS record:
> 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73743a383038310d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284d6163696e746f73683b20496e74656c204d6163204f5320582031305f31335f3329204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f36352e302e333332352e313831205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e380d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2c656e2d47423b713d302e392c65732d3431393b713d302e382c65733b713d302e372c66722d46523b713d302e362c66723b713d302e350d0a436f6f6b69653a20496465612d39326365626136363d39396464633637632d613838382d346439332d396166612d3737396631373636326264320d0a49662d4d6f6469666965642d53696e63653a205468752c2032362041707220323031382031313a30313a313520474d540d0a0d0a
> at
> org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:940)
> at
> org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:315)
> at
> org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:229)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:339)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:324)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:847)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
> at
> org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
> at
> org.apache.flink.shaded.netty4.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111)
> at
> org.apache.flink.shaded.netty4.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Also when trying to use the Flink CLI, it gets stuck on "Waiting for
> response..." and there are no error messages on jobmanager. None of the
> commands work: list, run, etc.
>
> Taskmanagers are able to register with Jobmanager, so the SSL configuration
> is good.
>
> SSL configuration:
> security.ssl.enabled: true
> security.ssl.keystore: /path/to/keystore
> security.ssl.keystore-password: xxxx
> security.ssl.key-password: xxxx
> security.ssl.truststore: /path/to/truststore
> security.ssl.truststore-password: xxxx
> web.ssl.enabled: false
> This same configuration works perfectly on Flink 1.4.
>