[ 
https://issues.apache.org/jira/browse/FLINK-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16573514#comment-16573514
 ] 

ASF GitHub Bot commented on FLINK-10069:
----------------------------------------

asfgit closed pull request #6507:  [FLINK-10069] [docs] Update SSL docs to 
reflect internal vs. external communication
URL: https://github.com/apache/flink/pull/6507
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below, because GitHub does not otherwise show it once the pull request is merged:

diff --git a/docs/fig/ssl_internal_external.svg 
b/docs/fig/ssl_internal_external.svg
new file mode 100755
index 00000000000..04262d29cbc
--- /dev/null
+++ b/docs/fig/ssl_internal_external.svg
@@ -0,0 +1,336 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/";
+   xmlns:cc="http://creativecommons.org/ns#";
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#";
+   xmlns:svg="http://www.w3.org/2000/svg";
+   xmlns="http://www.w3.org/2000/svg";
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd";
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape";
+   width="831.19"
+   height="364.59875"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.48.5 r10040">
+  <defs
+     id="defs4" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="0.35"
+     inkscape:cx="514.76354"
+     inkscape:cy="76.03094"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0"
+     inkscape:window-width="1920"
+     inkscape:window-height="1178"
+     inkscape:window-x="-8"
+     inkscape:window-y="-8"
+     inkscape:window-maximized="1" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage"; />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(139.76354,-243.79437)">
+    <g
+       id="g3138"
+       transform="translate(-199.38854,144.82812)">
+      <path
+         id="path3140"
+         d="m 649.32426,123.89336 c 0,-6.97673 5.66391,-12.67815 
12.67816,-12.67815 l 148.1244,0 c 7.01425,0 12.67816,5.70142 12.67816,12.67815 
l 0,50.75015 c 0,7.01425 -5.66391,12.67816 -12.67816,12.67816 l -148.1244,0 c 
-7.01425,0 -12.67816,-5.66391 -12.67816,-12.67816 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3142"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="144.70425"
+         x="711.15765"
+         xml:space="preserve">Task </text>
+      <text
+         id="text3144"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="171.71098"
+         x="687.45178"
+         xml:space="preserve">Manager</text>
+      <path
+         id="path3146"
+         d="m 649.32426,256.45139 c 0,-7.01425 5.66391,-12.71567 
12.67816,-12.71567 l 148.1244,0 c 7.01425,0 12.67816,5.70142 12.67816,12.71567 
l 0,50.71263 c 0,7.01425 -5.66391,12.71567 -12.67816,12.71567 l -148.1244,0 c 
-7.01425,0 -12.67816,-5.70142 -12.67816,-12.71567 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3148"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="277.28275"
+         x="711.15765"
+         xml:space="preserve">Task </text>
+      <text
+         id="text3150"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="304.28949"
+         x="687.45178"
+         xml:space="preserve">Manager</text>
+      <path
+         id="path3152"
+         d="m 649.32426,389.12194 c 0,-7.01425 5.66391,-12.67816 
12.67816,-12.67816 l 148.1244,0 c 7.01425,0 12.67816,5.66391 12.67816,12.67816 
l 0,50.75014 c 0,7.01425 -5.66391,12.67816 -12.67816,12.67816 l -148.1244,0 c 
-7.01425,0 -12.67816,-5.66391 -12.67816,-12.67816 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3154"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="409.86127"
+         x="711.15765"
+         xml:space="preserve">Task </text>
+      <text
+         id="text3156"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="436.86801"
+         x="687.45178"
+         xml:space="preserve">Manager</text>
+      <path
+         id="path3158"
+         d="m 330.47608,331.77015 c 0,-6.15153 4.98874,-11.14027 
11.14028,-11.14027 l 126.68781,0 c 6.15153,0 11.12152,4.98874 11.12152,11.14027 
l 0,44.48608 c 0,6.13278 -4.96999,11.12153 -11.12152,11.12153 l -126.68781,0 c 
-6.15154,0 -11.14028,-4.98875 -11.14028,-11.12153 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3160"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="349.87692"
+         x="359.48764"
+         xml:space="preserve">Resource</text>
+      <text
+         id="text3162"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="373.8829"
+         x="361.88824"
+         xml:space="preserve">Manager</text>
+      <path
+         id="path3164"
+         d="m 330.47608,184.84605 c 0,-6.13278 4.98874,-11.12152 
11.14028,-11.12152 l 126.68781,0 c 6.15153,0 11.12152,4.98874 11.12152,11.12152 
l 0,44.48608 c 0,6.15153 -4.96999,11.12152 -11.12152,11.12152 l -126.68781,0 c 
-6.15154,0 -11.14028,-4.96999 -11.14028,-11.12152 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3166"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="202.97752"
+         x="388.14163"
+         xml:space="preserve">Job</text>
+      <text
+         id="text3168"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="226.98351"
+         x="361.8851"
+         xml:space="preserve">Manager</text>
+      <path
+         id="path3170"
+         d="m 315.00348,164.49723 173.48071,0 0,230.68247 -173.48071,0 z"
+         
style="fill:none;stroke:#000000;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3172"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="418.32153"
+         x="334.40732"
+         xml:space="preserve">Master Process</text>
+      <path
+         id="path3174"
+         d="m 730.41947,194.37342 0,39.87244 -1.87547,0 0,-39.87244 z m 
4.27606,32.85819 -5.2138,8.88971 -5.17629,-8.88971 c -0.26256,-0.45011 
-0.11253,-1.05026 0.33759,-1.31283 0.45011,-0.26256 1.01275,-0.075 
1.27531,0.33759 l 4.3886,7.50187 -1.6129,0 4.38859,-7.50187 c 0.22506,-0.41261 
0.8252,-0.60015 1.27532,-0.33759 0.45011,0.26257 0.60015,0.86272 
0.33758,1.31283 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3176"
+         d="m 743.54774,196.21138 0,39.90994 -1.87547,0 0,-39.90994 z m 
-6.11403,7.05176 5.17629,-8.88972 5.2138,8.88972 c 0.26257,0.45011 
0.11253,1.01275 -0.33758,1.27532 -0.45011,0.26256 -1.05026,0.11252 
-1.27532,-0.33759 l -4.38859,-7.50187 1.6129,0 -4.38859,7.50187 c 
-0.26257,0.45011 -0.82521,0.60015 -1.27532,0.33759 -0.45011,-0.26257 
-0.60015,-0.82521 -0.33759,-1.27532 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3178"
+         d="m 730.41947,326.89394 0,39.87243 -1.87547,0 0,-39.87243 z m 
4.27606,32.85818 -5.2138,8.88972 -5.17629,-8.88972 c -0.26256,-0.45011 
-0.11253,-1.01275 0.33759,-1.27531 0.45011,-0.26257 1.01275,-0.11253 
1.27531,0.33758 l 4.3886,7.50187 -1.6129,0 4.38859,-7.50187 c 0.22506,-0.45011 
0.8252,-0.60015 1.27532,-0.33758 0.45011,0.26256 0.60015,0.8252 0.33758,1.27531 
z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3180"
+         d="m 743.54774,328.7694 0,39.87244 -1.87547,0 0,-39.87244 z m 
-6.11403,7.01425 5.17629,-8.88971 5.2138,8.88971 c 0.26257,0.45011 
0.11253,1.01275 -0.33758,1.27532 -0.45011,0.26257 -1.05026,0.11253 
-1.27532,-0.33758 l -4.38859,-7.50187 1.6129,0 -4.38859,7.50187 c 
-0.26257,0.45011 -0.82521,0.60015 -1.27532,0.33758 -0.45011,-0.26257 
-0.60015,-0.82521 -0.33759,-1.27532 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3182"
+         d="m 614.32804,151.98786 -103.30073,62.04046 -0.93773,-1.6129 
103.26322,-62.04046 z m -95.08618,62.07797 -10.27756,0.11253 4.95123,-9.03975 c 
0.26256,-0.45012 0.8252,-0.60015 1.27532,-0.33759 0.45011,0.22506 
0.60015,0.7877 0.37509,1.27532 l 0,0 -4.20105,7.6144 -0.8252,-1.38785 
8.70217,-0.11253 c 0.48762,-0.0375 0.93773,0.3751 0.93773,0.90023 0,0.52513 
-0.4126,0.93773 -0.93773,0.97524 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3184"
+         d="m 620.74214,166.24141 -103.30073,62.07797 -0.93774,-1.6129 
103.26323,-62.04046 z m -9.18979,-1.6129 10.31507,-0.15003 -4.95123,9.03975 c 
-0.26257,0.45011 -0.82521,0.63766 -1.27532,0.37509 -0.45011,-0.26256 
-0.63766,-0.8252 -0.37509,-1.27532 l 4.16354,-7.61439 0.8252,1.38784 
-8.66466,0.11253 c -0.52513,0 -0.93773,-0.4126 -0.93773,-0.93773 
-0.0375,-0.48762 0.37509,-0.93774 0.90022,-0.93774 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3186"
+         d="m 629.29427,273.29308 -120.48001,0 0,-1.87546 120.48001,0 z m 
-113.46576,4.23856 -8.88972,-5.17629 8.88972,-5.17629 c 0.45011,-0.26256 
1.01275,-0.11253 1.27531,0.33759 0.26257,0.45011 0.11253,1.01275 
-0.33758,1.27531 l 0,0 -7.50187,4.3886 0,-1.65042 7.50187,4.3886 c 
0.45011,0.26256 0.60015,0.8252 0.33758,1.27532 -0.26256,0.45011 -0.8252,0.60015 
-1.27531,0.33758 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3188"
+         d="m 627.41881,288.93448 -120.48002,0 0,-1.87547 120.48002,0 z m 
-7.01425,-6.15153 8.88971,5.2138 -8.88971,5.17629 c -0.45011,0.26256 
-1.01275,0.11252 -1.27532,-0.33759 -0.26256,-0.45011 -0.11253,-1.01275 
0.33758,-1.27532 l 7.50187,-4.38859 0,1.6129 -7.50187,-4.35108 c 
-0.45011,-0.26257 -0.60014,-0.86272 -0.33758,-1.31283 0.26257,-0.45011 
0.82521,-0.60015 1.27532,-0.33758 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3190"
+         d="m 620.25452,393.28548 -104.351,-60.24001 0.93774,-1.6129 
104.35099,60.24001 z m -100.375,-53.03822 -5.13879,-8.92722 10.31507,-0.075 c 
0.52514,0 0.93774,0.4126 0.93774,0.93774 0,0.52513 -0.4126,0.93773 
-0.93774,0.93773 l 0,0 -8.66465,0.0375 0.78769,-1.38785 4.31358,7.53938 c 
0.26256,0.45011 0.11252,1.01275 -0.33759,1.27532 -0.45011,0.26256 
-1.05026,0.11253 -1.27531,-0.33759 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3192"
+         d="m 610.87718,405.8136 -104.35099,-60.24001 0.93773,-1.6129 
104.351,60.24001 z m -3.03825,-8.8147 5.10127,8.96474 -10.27756,0.0375 c 
-0.52513,0 -0.93774,-0.41261 -0.93774,-0.93774 0,-0.52513 0.41261,-0.93773 
0.93774,-0.93773 l 8.66466,-0.0375 -0.7877,1.38784 -4.31357,-7.53937 c 
-0.26257,-0.45012 -0.11253,-1.01276 0.33758,-1.27532 0.45011,-0.26257 
1.01275,-0.11253 1.27532,0.33758 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3194"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="254.02786"
+         x="506.90329"
+         xml:space="preserve">RPC / BLOB</text>
+      <text
+         id="text3196"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="222.93466"
+         x="772.27954"
+         xml:space="preserve">Data Plane</text>
+      <text
+         id="text3198"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="355.45471"
+         x="772.27954"
+         xml:space="preserve">Data Plane</text>
+      <path
+         id="path3200"
+         d="m 300.93747,462.86531 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02625 
0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98874 
0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98874 
0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02626 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02625 
0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02626 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-4.98875 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75093 1.27532,0 
0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-5.02626 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-5.02626 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z 
m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-5.02625 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-5.02625 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-5.02626 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z 
m 0,-4.98874 0,-3.75093 1.27532,0 0,3.75093 -1.27532,0 z m 0,-4.98874 
0,-3.75094 1.27532,0 0,3.75094 -1.27532,0 z m 0,-5.02625 0,-3.75094 1.27532,0 
0,3.75094 -1.27532,0 z m 0,-4.98875 0,-3.75093 1.27532,0 0,1.23781 -0.63766,0 
0.63766,-0.600152 0,3.113272 -1.27532,0 z m 2.51313,-3.75093 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
5.02626,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
5.02626,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
5.02625,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 5.02626,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
5.02625,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 5.02626,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
5.02625,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 5.02626,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 5.02625,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98874,0 3.75094,0 
0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 5.02626,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 5.02626,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 4.98875,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 0,1.23781 -3.75093,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
5.02626,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75094,0 0,1.23781 -3.75094,0 
0,-1.23781 z m 4.98874,0 3.75094,0 0,1.23781 -3.75094,0 0,-1.23781 z m 
4.98875,0 3.75093,0 0,1.23781 -3.75093,0 0,-1.23781 z m 5.02625,0 3.75093,0 
0,1.23781 -3.75093,0 0,-1.23781 z m 4.98874,0 2.17554,0 0,2.8132 -1.2378,0 
0,-2.175542 0.63765,0.600152 -1.57539,0 0,-1.23781 z m 2.17554,4.05101 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 
0,-3.75094 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 
0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 
1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02626 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 
0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 
0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 
0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 
0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02626 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 
0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02625 0,3.75094 
-1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 
0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 
0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 
0,5.02625 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 
-1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 
1.2378,0 z m 0,5.02626 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 
0,-3.75094 1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 
0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 
1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 
0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 
1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02626 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 
0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 
-1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 
0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 
0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 
0,4.98874 0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98874 0,3.75094 
-1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02626 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 
0,3.75094 -1.2378,0 0,-3.75094 1.2378,0 z m 0,5.02625 0,3.75094 -1.2378,0 
0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 
0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 0,3.75094 
-1.2378,0 0,-3.75094 1.2378,0 z m 0,4.98875 0,3.75093 -1.2378,0 0,-3.75093 
1.2378,0 z m 0,4.98874 0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,5.02625 
0,3.75093 -1.2378,0 0,-3.75093 1.2378,0 z m 0,4.98874 0,3.75094 -1.2378,0 
0,-3.75094 1.2378,0 z m -0.93773,5.32633 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -5.02625,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -5.02625,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98874,0 -3.75094,0 
0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -5.02626,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -5.02626,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m -4.98875,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 0,-1.27532 3.75093,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-4.98875,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -5.02625,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 0,1.27532 z m 
-5.02626,0 -3.75093,0 0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75093,0 
0,-1.27532 3.75093,0 0,1.27532 z m -4.98874,0 -3.75094,0 0,-1.27532 3.75094,0 
0,1.27532 z m -5.02625,0 -3.11328,0 0,-1.27532 3.11328,0 0,1.27532 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.03750934px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3202"
+         d="m 293.13553,229.20085 0,101.91289 29.68864,0 0,-101.91289 
-29.68864,0 z"
+         style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3204"
+         d="m 293.13553,229.20085 29.68864,0 0,101.91289 -29.68864,0 z"
+         
style="fill:none;stroke:#000000;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3206"
+         
style="font-size:22.5056076px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Calibri"
+         y="302.33319"
+         x="315.52737"
+         xml:space="preserve">REST</text>
+      <text
+         id="text3208"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="130.10928"
+         x="316.13495"
+         xml:space="preserve">Internal</text>
+      <text
+         id="text3210"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="130.10928"
+         x="200.44704"
+         xml:space="preserve">External</text>
+      <path
+         id="path3212"
+         d="m 60.258762,197.50545 c 0,-4.50112 3.647784,-8.15828 
8.148905,-8.15828 l 119.664183,0 c 4.5105,0 8.15829,3.65716 8.15829,8.15828 l 
0,32.61438 c 0,4.50112 -3.64779,8.1489 -8.15829,8.1489 l -119.664183,0 c 
-4.501121,0 -8.148905,-3.64778 -8.148905,-8.1489 z"
+         
style="fill:none;stroke:#7f7f7f;stroke-width:1.24718571px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3214"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="221.69411"
+         x="87.575058"
+         xml:space="preserve">Browser</text>
+      <path
+         id="path3216"
+         d="m 60.258762,260.51178 c 0,-4.5105 3.657161,-8.17704 
8.177037,-8.17704 l 119.617301,0 c 4.5105,0 8.17704,3.66654 8.17704,8.17704 l 
0,32.71752 c 0,4.51988 -3.66654,8.17704 -8.17704,8.17704 l -119.617301,0 c 
-4.519876,0 -8.177037,-3.65716 -8.177037,-8.17704 z"
+         
style="fill:none;stroke:#7f7f7f;stroke-width:1.24718571px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3218"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="284.72891"
+         x="111.5811"
+         xml:space="preserve">CLI</text>
+      <path
+         id="path3220"
+         d="m 60.258762,323.49934 c 0,-4.51987 3.657161,-8.17704 
8.177037,-8.17704 l 119.617301,0 c 4.51987,0 8.17704,3.65717 8.17704,8.17704 l 
0,32.7269 c 0,4.51988 -3.65717,8.17704 -8.17704,8.17704 l -119.617301,0 c 
-4.519876,0 -8.177037,-3.65716 -8.177037,-8.17704 z"
+         
style="fill:none;stroke:#7f7f7f;stroke-width:1.25656307px;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3222"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="347.7637"
+         x="103.17585"
+         xml:space="preserve">Tools</text>
+      <path
+         id="path3224"
+         d="m 273.97763,266.09129 -59.94931,0 0,-1.87547 59.94931,0 z m 
-52.92569,4.24793 -8.88971,-5.18566 8.88971,-5.18567 c 0.45012,-0.26257 
1.02213,-0.11253 1.2847,0.33758 0.26257,0.44074 0.11253,1.02213 -0.33758,1.2847 
l -7.50187,4.36984 0,-1.62228 7.50187,4.37921 c 0.45011,0.26257 0.60015,0.83459 
0.33758,1.2847 -0.26257,0.45011 -0.83458,0.60015 -1.2847,0.33758 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.00937734px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <path
+         id="path3226"
+         d="m 272.13029,295.94873 -59.95868,0 0,-1.87547 59.95868,0 z m 
-7.033,-6.13278 8.88972,5.19504 -8.88972,5.17629 c -0.45011,0.26257 
-1.0315,0.11253 -1.29407,-0.33758 -0.24381,-0.45011 -0.0938,-1.01275 
0.33758,-1.27532 l 7.50187,-4.36984 0,1.61291 -7.50187,-4.36984 c 
-0.43135,-0.26257 -0.58139,-0.84396 -0.33758,-1.29408 0.26257,-0.45011 
0.84396,-0.60014 1.29407,-0.33758 z"
+         
style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.01875467px;stroke-linecap:butt;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3228"
+         
style="font-size:19.95497131px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="288.96088"
+         x="218.86954"
+         xml:space="preserve">HTTP</text>
+      <path
+         id="path3230"
+         d="m 330.47608,258.3081 c 0,-6.15153 4.98874,-11.12152 
11.14028,-11.12152 l 126.68781,0 c 6.15153,0 11.12152,4.96999 11.12152,11.12152 
l 0,44.48608 c 0,6.15154 -4.96999,11.12152 -11.12152,11.12152 l -126.68781,0 c 
-6.15154,0 -11.14028,-4.96998 -11.14028,-11.12152 z"
+         style="fill:#afabab;fill-opacity:1;fill-rule:evenodd;stroke:none"
+         inkscape:connector-curvature="0" />
+      <text
+         id="text3232"
+         
style="font-size:19.95497131px;font-style:normal;font-weight:normal;text-align:start;text-anchor:start;fill:#000000;font-family:Verdana"
+         y="288.43024"
+         x="351.6857"
+         xml:space="preserve">Dispatcher</text>
+    </g>
+  </g>
+</svg>
diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index 1a3c3810250..ed5f4d771bc 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -22,16 +22,111 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-This page provides instructions on how to enable SSL for the network 
communication between different Flink components.
+This page provides instructions on how to enable TLS/SSL authentication and 
encryption for network communication with and between Flink processes.
 
-## SSL Configuration
+## Internal and External Connectivity
 
-SSL can be enabled for all network communication between Flink components. SSL 
keystores and truststore has to be deployed on each Flink node and configured 
(conf/flink-conf.yaml) using keys in the security.ssl.* namespace (Please see 
the [configuration page](config.html) for details). SSL can be selectively 
enabled/disabled for different transports using the following flags. These 
flags are only applicable when security.ssl.enabled is set to true.
+When securing network connections between machines processes through 
authentication and encryption, Apache Flink differentiates between *internal* 
and *external* connectivity.
+*Internal Connectivity* refers to all connections made between Flink 
processes. These connections run Flink custom protocols. Users never connect 
directly to internal connectivity endpoints.
+*External / REST Connectivity* endpoints refers to all connections made from 
the outside to Flink processes. This includes the web UI and REST commands to
+start and control running Flink jobs/applications, including the communication 
of the Flink CLI with the JobManager / Dispatcher.
 
-* **taskmanager.data.ssl.enabled**: SSL flag for data communication between 
task managers
-* **blob.service.ssl.enabled**: SSL flag for blob service client/server 
communication
-* **akka.ssl.enabled**: SSL flag for akka based control connection between the 
Flink client, jobmanager and taskmanager 
-* **jobmanager.web.ssl.enabled**: Flag to enable https access to the 
jobmanager's web frontend
+For more flexibility, security for internal and external connectivity can be 
enabled and configured separately.
+
+<div style="text-align: center">
+  <img src="{{ site.baseurl }}/fig/ssl_internal_external.svg" alt="Internal 
and External Connectivity" style="width:75%; padding-top:10px; 
padding-bottom:10px;" />
+</div>
+
+#### Internal Connectivity
+
+Internal connectivity includes:
+
+  - Control messages: RPC between JobManager / TaskManager / Dispatcher / 
ResourceManager
+  - The data plane: The connections between TaskManagers to exchange data 
during shuffles, broadcasts, redistribution, etc.
+  - The Blob Service (distribution of libraries and other artifacts). 
+
+All internal connections are SSL authenticated and encrypted. The connections 
use **mutual authentication**, meaning both server
+and client side of each connection need to present the certificate to each 
other. The certificate acts effectively as a shared
+secret. 
+
+A common setup is to generate a dedicated certificate (may be self-signed) for 
a Flink deployment. The certificate for internal communication
+is not needed by any other party to interact with Flink, and can be simply 
added to the container images, or attached to the YARN deployment.
+
+*Note: Because internal connections are mutually authenticated with shared 
certificates, Flink can skip hostname verification. This makes container-based 
setups easier.*
+
+#### External / REST Connectivity
+
+All external connectivity is exposed via an HTTP/REST endpoint, used for 
example by the web UI and the CLI:
+
+  - Communication with the *Dispatcher* to submit jobs (session clusters)
+  - Communication with the *JobManager* to inspect and modify a running 
job/application
+
+The REST endpoints can be configured to require SSL connections. The server 
will, however, accept connections from any client, meaning the REST endpoint 
does not authenticate the client.
+
+If authentication of connections to the REST endpoint is required, we 
recommend to deploy a "side car proxy":
+Bind the REST endpoint to the loopback interface (or the pod-local interface 
in Kubernetes) and start a REST proxy that authenticates and forwards the 
requests to Flink.
+Examples for proxies that Flink users have deployed are [Envoy 
Proxy](https://www.envoyproxy.io/) or
+[NGINX with 
MOD_AUTH](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
+
+The rationale behind delegating authentication to a proxy is that such proxies 
offer many more authentication options than the Flink project could reasonably 
implement itself,
+and thus offer better integration into existing infrastructures.
+
+
+#### Queryable State
+
+Connections to the queryable state endpoints is currently not authenticated or 
encrypted.
+
+
+## Configuring SSL
+
+SSL can be enabled separately for *internal* and *external* connectivity:
+
+  - **security.ssl.internal.enabled**: Enable SSL for all *internal* 
connections.
+  - **security.ssl.rest.enabled**: Enable SSL for *REST / external* 
connections.
+
+*Note: For backwards compatibility, the **security.ssl.enabled** option still 
exists and enables SSL for both internal and REST endpoints.*
+
+For internal connectivity, you can optionally disable security for different 
connection types separately.
+When `security.ssl.internal.enabled` is set to `true`, you can set the 
following parameters to `false` to disable SSL for that particular connection 
type:
+
+  - `taskmanager.data.ssl.enabled`: Data communication between TaskManagers
+  - `blob.service.ssl.enabled`: Transport of BLOBs from JobManager to 
TaskManager
+  - `akka.ssl.enabled`: Akka-based RPC connections between JobManager / 
TaskManager / ResourceManager
+
+#### Keystores and Truststores
+
+The SSL configuration requires to configure a **keystore** and a 
**truststore**. The *keystore* contains the public certificate
+(public key) and the private key, while the truststore contains the trusted 
certificates or the trusted authorities. Both stores
+need to be set up such that the truststore trusts the keystore's certificate.
+
+**Internal Connectivity**
+
+Because internal communication is mutually authenticated, keystore and 
truststore typically contain the same dedicated certificate.
+The certificate can use wild card hostnames or addresses, because the 
certificate is expected to be a shared secret and host
+names are not verified. It is even possible to use the same file (the 
keystore) also as the truststore.
+
+{% highlight yaml %}
+security.ssl.internal.keystore: /path/to/file.keystore
+security.ssl.internal.keystore-password: keystore_password
+security.ssl.internal.key-password: key_password
+security.ssl.internal.truststore: /path/to/file.truststore
+security.ssl.internal.truststore-password: truststore_password
+{% endhighlight %}
+
+**REST Endpoints (external connectivity)**
+
+For REST endpoints, the keystore is used by the server endpoint, and the 
truststore is used by the REST clients (including the CLI client)
+to accept the server's certificate. In the case where the REST keystore has a 
self-signed certificate, the truststore must trust that certificate directly.
+If the REST endpoint uses a certificate that is signed through a proper 
certification hierarchy, the roots of that hierarchy should
+be in the trust store. 
+
+{% highlight yaml %}
+security.ssl.rest.keystore: /path/to/file.keystore
+security.ssl.rest.keystore-password: keystore_password
+security.ssl.rest.key-password: key_password
+security.ssl.rest.truststore: /path/to/file.truststore
+security.ssl.rest.truststore-password: truststore_password
+{% endhighlight %}
 
 **IMPORTANT**
 
@@ -44,115 +139,126 @@ We recommend that SSL setups update to the stronger 
cipher suites, if possible,
 security.ssl.algorithms: 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 {% endhighlight %}
 
-If these suites are not supported on your setup, you will see that Flink 
processes will not be able to connect to each other.
+If these cipher suites are not supported on your setup, you will see that 
Flink processes will not be able to connect to each other.
 
-## Deploying Keystores and Truststores
 
-You need to have a Java Keystore generated and copied to each node in the 
Flink cluster. The common name or subject alternative names in the certificate 
should match the node's hostname and IP address. Keystores and truststores can 
be generated using the [keytool 
utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html).
 All Flink components should have read access to the keystore and truststore 
files.
+## Creating and Deploying Keystores and Truststores
 
-### Example: Creating self signed CA and keystores for a two-node cluster
+Keys, Certificates, and the Keystores and Truststores can be generated using 
the [keytool 
utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html).
+You need to have an appropriate Java Keystore and Truststore accessible from 
each node in the Flink cluster.
 
-Execute the following keytool commands to create a truststore with a self 
signed CA.
+  - For standalone setups, this means copying the files to each node, or 
adding them to a shared mounted directory.
+  - For container based setups, add the keystore and truststore files to the 
container images.
+  - For Yarn/Mesos setups, the cluster deployment phase can automatically 
distribute the keystore and truststore files.
 
-{% highlight bash %}
-keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" 
-storepass password -keypass password -keyalg RSA -ext bc=ca:true
-keytool -keystore ca.keystore -storepass password -alias ca -exportcert > 
ca.cer
-keytool -importcert -keystore ca.truststore -alias ca -storepass password 
-noprompt -file ca.cer
-{% endhighlight %}
+For the externally facing REST endpoint, the common name or subject 
alternative names in the certificate should match the node's hostname and IP 
address.
 
-Now create keystores for each node with certificates signed by the above CA. 
Let node1.company.org and node2.company.org be the hostnames with IPs 
192.168.1.1 and 192.168.1.2 respectively
 
-#### Node 1
+## Example SSL Setup Standalone and Kubernetes
+
+**Internal Connectivity**
+
+Execute the following keytool commands to create a key pair in a keystore:
+
 {% highlight bash %}
-keytool -genkeypair -alias node1 -keystore node1.keystore -dname 
"CN=node1.company.org" -ext SAN=dns:node1.company.org,ip:192.168.1.1 -storepass 
password -keypass password -keyalg RSA
-keytool -certreq -keystore node1.keystore -storepass password -alias node1 
-file node1.csr
-keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext 
SAN=dns:node1.company.org,ip:192.168.1.1 -infile node1.csr -outfile node1.cer
-keytool -importcert -keystore node1.keystore -storepass password -file ca.cer 
-alias ca -noprompt
-keytool -importcert -keystore node1.keystore -storepass password -file 
node1.cer -alias node1 -noprompt
+keytool -genkeypair -alias flink.internal -keystore internal.keystore -dname 
"CN=flink.internal" -storepass internal_store_password -keypass 
internal_key_password -keyalg RSA -keysize 4096
 {% endhighlight %}
 
-#### Node 2
-{% highlight bash %}
-keytool -genkeypair -alias node2 -keystore node2.keystore -dname 
"CN=node2.company.org" -ext SAN=dns:node2.company.org,ip:192.168.1.2 -storepass 
password -keypass password -keyalg RSA
-keytool -certreq -keystore node2.keystore -storepass password -alias node2 
-file node2.csr
-keytool -gencert -keystore ca.keystore -storepass password -alias ca -ext 
SAN=dns:node2.company.org,ip:192.168.1.2 -infile node2.csr -outfile node2.cer
-keytool -importcert -keystore node2.keystore -storepass password -file ca.cer 
-alias ca -noprompt
-keytool -importcert -keystore node2.keystore -storepass password -file 
node2.cer -alias node2 -noprompt
+The single key/certificate in the keystore is used the same way by the server 
and client endpoints (mutual authentication).
+The key pair acts as the shared secret for internal security, and we can 
directly use it as keystore and truststore.
+
+{% highlight yaml %}
+security.ssl.internal.enabled: true
+security.ssl.internal.keystore: /path/to/flink/conf/internal.keystore
+security.ssl.internal.truststore: /path/to/flink/conf/internal.keystore
+security.ssl.internal.keystore-password: internal_store_password
+security.ssl.internal.truststore-password: internal_store_password
+security.ssl.internal.key-password: internal_key_password
 {% endhighlight %}
 
-## Standalone Deployment
-Configure each node in the standalone cluster to pick up the keystore and 
truststore files present in the local file system.
+**REST Endpoint**
 
-### Example: Two-node cluster
+The REST endpoint may receive connections from external processes, including 
tools that are not part of Flink (for example curl request to the REST API).
+Setting up a proper certificate that is signed though a CA hierarchy may make 
sense for the REST endpoint.
 
-* Generate two keystores, one for each node, and copy them to the filesystem 
on the respective node. Also copy the public key of the CA (which was used to 
sign the certificates in the keystore) as a Java truststore on both the nodes.
-* Configure conf/flink-conf.yaml to pick up these files.
+However, as mentioned above, the REST endpoint does not authenticate clients 
and thus typically needs to be secured via a proxy anyways.
 
-#### Node 1
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node1.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+**REST Endpoint (simple self signed certificate)**
+
+This example shows how to create a simple keystore / truststore pair. The 
truststore does not contain the primary key and can
+be shared with other applications. In this example, *myhost.company.org / 
ip:10.0.2.15* is the node (or service) for the Flink master.
+
+{% highlight bash %}
+keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname 
"CN=myhost.company.org" -ext "SAN=dns:myhost.company.org,ip:10.0.2.15" 
-storepass rest_keystore_password -keypass rest_key_password -keyalg RSA 
-keysize 4096
+
+keytool -exportcert -keystore rest.keystore -alias flink.rest -storepass 
rest_keystore_password -file flink.cer
+
+keytool -importcert -keystore rest.truststore -alias flink.rest -storepass 
rest_truststore_password -file flink.cer -noprompt
 {% endhighlight %}
 
-#### Node 2
 {% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node2.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+security.ssl.rest.enabled: true
+security.ssl.rest.keystore: /path/to/flink/conf/rest.keystore
+security.ssl.rest.truststore: /path/to/flink/conf/rest.truststore
+security.ssl.rest.keystore-password: rest_keystore_password
+security.ssl.rest.truststore-password: rest_truststore_password
+security.ssl.rest.key-password: rest_key_password
 {% endhighlight %}
 
-* Restart the Flink components to enable SSL for all of Flink's internal 
communication
-* Verify by accessing the jobmanager's UI using https url. The taskmanager's 
path in the UI should show akka.ssl.tcp:// as the protocol
-* The blob server and taskmanager's data communication can be verified from 
the log files
+**REST Endpoint (with a self signed CA)**
 
-## YARN Deployment
-The keystores and truststore can be deployed in a YARN setup in multiple ways 
depending on the cluster setup. Following are two ways to achieve this.
+Execute the following keytool commands to create a truststore with a self 
signed CA.
+
+{% highlight bash %}
+keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" 
-storepass ca_keystore_password -keypass ca_key_password -keyalg RSA -keysize 
4096 -ext "bc=ca:true"
 
-### 1. Deploy keystores before starting the YARN session
-The keystores and truststore should be generated and deployed on all nodes in 
the YARN setup where Flink components can potentially be executed. The same 
Flink config file from the Flink YARN client is used for all the Flink 
components running in the YARN cluster. Therefore we need to ensure the 
keystore is deployed and accessible using the same filepath in all the YARN 
nodes.
+keytool -exportcert -keystore ca.keystore -alias ca -storepass 
ca_keystore_password -file ca.cer
 
-#### Example config
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: /usr/local/node.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: /usr/local/ca.truststore
-security.ssl.truststore-password: password
+keytool -importcert -keystore ca.truststore -alias ca -storepass 
ca_truststore_password -file ca.cer -noprompt
 {% endhighlight %}
 
-Now you can start the YARN session from the CLI like you would normally do.
+Now create a keystore for the REST endpoint with a certificate signed by the 
above CA.
+Let *flink.company.org / ip:10.0.2.15* be the hostname of the Flink master 
(JobManager).
 
-### 2. Use YARN CLI to deploy the keystores and truststore
-We can use the YARN client's ship files option (-yt) to distribute the 
keystores and truststore. Since the same keystore will be deployed at all 
nodes, we need to ensure a single certificate in the keystore can be served for 
all nodes. This can be done by either using the Subject Alternative Name (SAN) 
extension in the certificate and setting it to cover all nodes (hostname and ip 
addresses) in the cluster or by using wildcard subdomain names (if the cluster 
is setup accordingly). 
+{% highlight bash %}
+keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname 
"CN=flink.company.org" -ext "SAN=dns:flink.company.org" -storepass 
rest_keystore_password -keypass rest_key_password -keyalg RSA -keysize 4096
 
-#### Example
-* Supply the following parameters to the keytool command when generating the 
keystore: -ext 
SAN=dns:node1.company.org,ip:192.168.1.1,dns:node2.company.org,ip:192.168.1.2
-* Copy the keystore and the CA's truststore into a local directory (at the 
CLI's working directory), say deploy-keys/
-* Update the configuration to pick up the files from a relative path
+keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass 
rest_keystore_password -keypass rest_key_password -file rest.csr
 
-{% highlight yaml %}
-security.ssl.enabled: true
-security.ssl.keystore: deploy-keys/node.keystore
-security.ssl.keystore-password: password
-security.ssl.key-password: password
-security.ssl.truststore: deploy-keys/ca.truststore
-security.ssl.truststore-password: password
+keytool -gencert -alias ca -keystore ca.keystore -storepass 
ca_keystore_password -keypass ca_key_password -ext 
"SAN=dns:flink.company.org,ip:10.0.2.15" -infile rest.csr -outfile rest.cer
+
+keytool -importcert -keystore rest.signed.keystore -storepass 
rest_keystore_password -file ca.cer -alias ca -noprompt
+
+keytool -importcert -keystore rest.signed.keystore -storepass 
rest_keystore_password -keypass rest_key_password -file rest.cer -alias 
flink.rest -noprompt
 {% endhighlight %}
 
-* Start the YARN session using the -yt parameter
+Now add the following configuration to your `flink-conf.yaml`:
 
-{% highlight bash %}
-flink run -m yarn-cluster -yt deploy-keys/ TestJob.jar
+{% highlight yaml %}
+security.ssl.rest.enabled: true
+security.ssl.rest.keystore: /path/to/flink/conf/rest.signed.keystore
+security.ssl.rest.truststore: /path/to/flink/conf/ca.truststore
+security.ssl.rest.keystore-password: rest_keystore_password
+security.ssl.rest.key-password: rest_key_password
+security.ssl.rest.truststore-password: ca_truststore_password
 {% endhighlight %}
 
-When deployed using YARN, Flink's web dashboard is accessible through YARN 
proxy's Tracking URL. To ensure that the YARN proxy is able to access Flink's 
https url you need to configure YARN proxy to accept Flink's SSL certificates. 
Add the custom CA certificate into Java's default truststore on the YARN Proxy 
node.
+
+## Tips for YARN / Mesos Deployment
+
+For YARN and Mesos, you can use the tools of Yarn and Mesos to help:
+
+  - Configuring security for internal communication is exactly the same as in 
the example above.
+
+  - To secure the REST endpoint, you need to issue the REST endpoint's 
certificate such that it is valid for all hosts
+    that the Flink master may get deployed to. This can be done with a wild 
card DNS name, or by adding multiple DNS names.
+
+  - The easiest way to deploy keystores and truststore is by YARN client's 
*ship files* option (`-yt`).
+    Copy the keystore and truststore files into a local directory (say 
`deploy-keys/`) and start the YARN session as
+    follows: `flink run -m yarn-cluster -yt deploy-keys/ flinkapp.jar`
+
+  - When deployed using YARN, Flink's web dashboard is accessible through YARN 
proxy's Tracking URL.
+    To ensure that the YARN proxy is able to access Flink's HTTPS URL, you 
need to configure YARN proxy to accept Flink's SSL certificates.
+    For that, add the custom CA certificate into Java's default truststore on 
the YARN Proxy node.
 
 {% top %}
diff --git 
a/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
 
b/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
index cbd888dd2ce..e09f357ea74 100644
--- 
a/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
+++ 
b/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestClientConfiguration.java
@@ -94,7 +94,7 @@ public static RestClientConfiguration 
fromConfiguration(Configuration config) th
                        try {
                                sslEngineFactory = 
SSLUtils.createRestClientSSLEngineFactory(config);
                        } catch (Exception e) {
-                               throw new ConfigurationException("Failed to 
initialize SSLContext for the web frontend", e);
+                               throw new ConfigurationException("Failed to 
initialize SSLContext for the REST client", e);
                        }
                } else {
                        sslEngineFactory = null;
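Review bot: The reworded message in the `catch` block of `fromConfiguration` still gives an operator no hint about which settings to check when TLS setup for the REST client fails. The documentation changed in this same pull request says REST clients use the `security.ssl.rest.*` truststore options. Assuming `createRestClientSSLEngineFactory` reads those keys, the message could name them: `"Failed to initialize SSLContext for the REST client; check the security.ssl.rest.* truststore settings"`. The cause is already chained as `e`, so no file path or password needs to appear in the message text. The body of `fromConfiguration` starts and ends outside this hunk.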


 



> Add docs for updates SSL model 
> -------------------------------
>
>                 Key: FLINK-10069
>                 URL: https://issues.apache.org/jira/browse/FLINK-10069
>             Project: Flink
>          Issue Type: New Feature
>          Components: Documentation
>            Reporter: Stephan Ewen
>            Assignee: Stephan Ewen
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.6.0
>
>
> Add docs about the "internal" versus "external" connectivity and new 
> configuration options.


