[
https://issues.apache.org/jira/browse/FLINK-9312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472692#comment-16472692
]
ASF GitHub Bot commented on FLINK-9312:
---------------------------------------
Github user EronWright commented on the issue:
https://github.com/apache/flink/pull/5966

This looks great but let's please separate the intra-cluster SSL
configuration options from the external-cluster options. In particular, the
web/API endpoints should be governed by a different keystore and truststore
than are the internal endpoints. Likewise, the "hostname verification" option
should pertain only to external connectivity.

My rationale is that:

1. the truststore to be used for internal connectivity must be highly
restrictive; it should never be the system truststore. Meanwhile, the
truststore for external connectivity (e.g. from the Flink client) should
typically be the system truststore.
2. The certificate to be used for internal connectivity may simply be a
generated certificate. Meanwhile, the certificate for external connectivity
should be obtained from a cluster CA. For example, in K8s one might expect a
cert obtained from the cluster CA and with a CN corresponding to a Service
resource (`flink.default.svc.cluster.local`).

The whole issue of using a restrictive truststore for internal connectivity
has been discussed on various Akka forums, for example [this
PR](https://github.com/akka/akka/pull/23568#issuecomment-331919364). Keep in
mind that Akka has no authorization layer; any authenticated client is
considered authorized. Therefore, a liberal truststore (such as the system
truststore) would present an extremely low barrier of entry since public SSL
certs are easy to get.

> Perform mutual authentication during SSL handshakes
> ---------------------------------------------------
>
> Key: FLINK-9312
> URL: https://issues.apache.org/jira/browse/FLINK-9312
> Project: Flink
> Issue Type: New Feature
> Components: Security
> Reporter: Stephan Ewen
> Priority: Major
> Fix For: 1.6.0
>
>
> Currently, the Flink processes encrypted connections via SSL:
> - Data exchange TM - TM
> - RPC JM - TM
> - Blob Service JM - TM
> However, the server side always accepts any client to build up the
> connection, meaning the connections are not strongly authenticated.
> Activating SSL mutual authentication solves that - only processes that have
> the same certificate can connect.
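The split the comment asks for, sketched with plain JSSE as an added example (not code from Flink or from the pull request): an internal engine that trusts only an explicitly supplied store and requires a client certificate, next to an external client engine that uses the JVM default truststore with hostname verification. The class name, the PKCS12 store paths and password passed as arguments, and port 8081 are assumptions made for illustration.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;

// Added illustration, not Flink code: class name, store paths and port are assumptions.
public class SplitTlsContexts {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) { ks.load(in, pw); }
        return ks;
    }

    // Internal endpoints: trust only the cluster's own store and demand a client certificate.
    static SSLEngine internalServerEngine(String keyStore, String trustStore, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, pw), pw);
        KeyStore ts = load(trustStore, pw);
        if (ts.size() == 0) throw new IllegalStateException("internal truststore is empty");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // explicit store; passing null here would fall back to the system truststore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true); // handshake fails unless the peer presents a trusted cert
        return engine;
    }

    // External client: JVM default (system) truststore plus hostname verification.
    static SSLEngine externalClientEngine(String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default truststore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // match the certificate against host
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine ext = externalClientEngine("flink.default.svc.cluster.local", 8081);
        System.out.println("external: " + ext.getSSLParameters().getEndpointIdentificationAlgorithm());
        if (args.length == 3) { // keystore path, truststore path, password (demo only)
            SSLEngine in = internalServerEngine(args[0], args[1], args[2].toCharArray());
            System.out.println("internal needClientAuth: " + in.getNeedClientAuth());
        }
    }
}
```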