[
https://issues.apache.org/jira/browse/FLINK-9261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16469611#comment-16469611
]
ASF GitHub Bot commented on FLINK-9261:
---------------------------------------
Github user GJL commented on a diff in the pull request:
https://github.com/apache/flink/pull/5973#discussion_r187194770
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
@@ -81,16 +85,62 @@ public static void
setSSLVerAndCipherSuites(ServerSocket socket, Configuration c
}
}
+ /**
+ * Creates a {@link SSLEngineFactory} to be used by the Server.
+ *
+ * @param config The application configuration.
+ */
+ public static SSLEngineFactory createServerSSLEngineFactory(final
Configuration config) throws Exception {
+ return createSSLEngineFactory(config, false);
+ }
+
+ /**
+ * Creates a {@link SSLEngineFactory} to be used by the Client.
+ * @param config The application configuration.
+ */
+ public static SSLEngineFactory createClientSSLEngineFactory(final
Configuration config) throws Exception {
+ return createSSLEngineFactory(config, true);
+ }
+
+ private static SSLEngineFactory createSSLEngineFactory(
+ final Configuration config,
+ final boolean clientMode) throws Exception {
+
+ final SSLContext sslContext = clientMode ?
+ createSSLClientContext(config) :
+ createSSLServerContext(config);
+
+ checkState(sslContext != null, "%s it not enabled",
SecurityOptions.SSL_ENABLED.key());
+
+ return new SSLEngineFactory(
+ sslContext,
+ getEnabledProtocols(config),
+ getEnabledCipherSuites(config),
+ clientMode);
+ }
+
/**
* Sets SSL version and cipher suites for SSLEngine.
- * @param engine
- * SSLEngine to be handled
- * @param config
- * The application configuration
+ *
+ * @param engine SSLEngine to be handled
+ * @param config The application configuration
+ * @deprecated Use {@link #createClientSSLEngineFactory(Configuration)}
or
+ * {@link #createServerSSLEngineFactory(Configuration)}.
*/
+ @Deprecated
public static void setSSLVerAndCipherSuites(SSLEngine engine,
Configuration config) {
-
engine.setEnabledProtocols(config.getString(SecurityOptions.SSL_PROTOCOL).split(","));
-
engine.setEnabledCipherSuites(config.getString(SecurityOptions.SSL_ALGORITHMS).split(","));
+ engine.setEnabledProtocols(getEnabledProtocols(config));
+ engine.setEnabledCipherSuites(getEnabledCipherSuites(config));
+ }
+
+ private static String[] getEnabledProtocols(final Configuration config)
{
+ requireNonNull(config, "config must not be null");
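Review bot: The `checkState` message in `createSSLEngineFactory` reads "%s it not enabled"; it should be "%s is not enabled", since this is the text an operator sees when the SSL context comes back null. The two public factory methods declare `throws Exception`, but their Javadoc has no `@return` or `@throws`. Narrowing the exception type or documenting when it is thrown would help callers. The client Javadoc is also missing the blank ` *` line that the server one has. In `getEnabledProtocols`, `requireNonNull` sits next to Flink's own `checkState`; using Flink's `checkNotNull` would keep the precondition style consistent within the file.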
--- End diff --
Ok, I will use Flink's `checkNotNull` next time.
> Regression - Flink CLI and Web UI not working when SSL is enabled
> -----------------------------------------------------------------
>
> Key: FLINK-9261
> URL: https://issues.apache.org/jira/browse/FLINK-9261
> Project: Flink
> Issue Type: Bug
> Components: Client, Network, Web Client
> Affects Versions: 1.5.0
> Reporter: Edward Rojas
> Assignee: Gary Yao
> Priority: Blocker
> Labels: regression
> Fix For: 1.5.0
>
>
> When *security.ssl.enabled* config is set to true, Web UI is no longer
> reachable; there are no logs on jobmanager.
>
> When setting *web.ssl.enabled* to false (keeping security.ssl.enabled to
> true), the dashboard is not reachable and there is the following exception on
> jobmanager:
> {code:java}
> WARN org.apache.flink.runtime.dispatcher.DispatcherRestEndpoint - Unhandled exception
> org.apache.flink.shaded.netty4.io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
> at org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:940)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:315)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:229)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:339)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:324)
> at org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:847)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Also when trying to use the Flink CLI, it gets stuck on "Waiting for
> response..." and there are no error messages on jobmanager. None of the
> commands work: list, run, etc.
>
> Taskmanagers are able to register with Jobmanager, so the SSL configuration
> is good.
>
> SSL configuration:
> security.ssl.enabled: true
> security.ssl.keystore: /path/to/keystore
> security.ssl.keystore-password: xxxx
> security.ssl.key-password: xxxx
> security.ssl.truststore: /path/to/truststore
> security.ssl.truststore-password: xxxx
> web.ssl.enabled: false
> This same configuration works perfectly on Flink 1.4.
>