[ https://issues.apache.org/jira/browse/FLUME-3269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Turcsanyi updated FLUME-3269:
-----------------------------------
    Description: 
Several Flume components support SSL, but they all have their own config 
parameters for specifying the location and password for keystore and truststore.

These parameters could be passed as standard JSSE system properties (specified 
in flume-env.sh):
{code}
-Djavax.net.ssl.keyStore=/path/to/keystore
-Djavax.net.ssl.keyStorePassword=keystore-password
-Djavax.net.ssl.keyStoreType=keystore-type
-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=truststore-password
-Djavax.net.ssl.trustStoreType=truststore-type
{code}
This would be a more consistent and standards-based configuration.

Specifying passwords in system properties means that the passwords can be seen 
in the process list. For cases where it is not acceptable, it will also be 
possible to define the parameters in environment variables.
{code}
FLUME_SSL_KEYSTORE_PATH
FLUME_SSL_KEYSTORE_PASSWORD
FLUME_SSL_KEYSTORE_TYPE
FLUME_SSL_TRUSTSTORE_PATH
FLUME_SSL_TRUSTSTORE_PASSWORD
FLUME_SSL_TRUSTSTORE_TYPE
{code}

The logic of applying the SSL config parameters for an SSL-enabled source/sink:
- if the agent config defines the SSL parameters for the component, then they 
will be used (allowing customisation and backward compatibility)
- if no SSL parameters are defined for the component, but the -D system 
properties are present, then they will be used
- if neither the component SSL parameters nor the -D system properties are 
defined, but the environment variables are present, then they will be used 
- otherwise config error

So the priority:
# component parameters in agent config
# -D system properties
# environment variables

  was:
Several Flume components support SSL, but they all have their own config 
parameters for specifying the location and password for keystore and truststore.

These parameters could be passed as standard JSSE system properties (specified 
in flume-env.sh):
{code}
-Djavax.net.ssl.keyStore=/path/to/keystore.jks
-Djavax.net.ssl.keyStorePassword=keystore-password
-Djavax.net.ssl.trustStore=/path/to/truststore.jks
-Djavax.net.ssl.trustStorePassword=truststore-password
{code}
This would be a more consistent and standards-based configuration.

The logic of applying the config parameters:
- if the agent config defines the keystore / password for a component, then 
they will be used (allowing customisation and backward compatibility)
- if the agent config does not define the keystore / password for a component, 
but the -D properties are present, then they will be used 
- otherwise config error


> Support JSSE keystore/trustore -D system properties
> ---------------------------------------------------
>
>                 Key: FLUME-3269
>                 URL: https://issues.apache.org/jira/browse/FLUME-3269
>             Project: Flume
>          Issue Type: Improvement
>            Reporter: Peter Turcsanyi
>            Assignee: Peter Turcsanyi
>            Priority: Major
>
> Several Flume components support SSL, but they all have their own config 
> parameters for specifying the location and password for keystore and 
> truststore.
> These parameters could be passed as standard JSSE system properties 
> (specified in flume-env.sh):
> {code}
> -Djavax.net.ssl.keyStore=/path/to/keystore
> -Djavax.net.ssl.keyStorePassword=keystore-password
> -Djavax.net.ssl.keyStoreType=keystore-type
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=truststore-password
> -Djavax.net.ssl.trustStoreType=truststore-type
> {code}
> This would be a more consistent and standards-based configuration.
> Specifying passwords in system properties means that the passwords can be 
> seen in the process list. For cases where it is not acceptable, it will also 
> be possible to define the parameters in environment variables.
> {code}
> FLUME_SSL_KEYSTORE_PATH
> FLUME_SSL_KEYSTORE_PASSWORD
> FLUME_SSL_KEYSTORE_TYPE
> FLUME_SSL_TRUSTSTORE_PATH
> FLUME_SSL_TRUSTSTORE_PASSWORD
> FLUME_SSL_TRUSTSTORE_TYPE
> {code}
> The logic of applying the SSL config parameters for an SSL-enabled 
> source/sink:
> - if the agent config defines the SSL parameters for the component, then they 
> will be used (allowing customisation and backward compatibility)
> - if no SSL parameters are defined for the component, but the -D system 
> properties are present, then they will be used
> - if neither the component SSL parameters nor the -D system properties are 
> defined, but the environment variables are present, then they will be used 
> - otherwise config error
> So the priority:
> # component parameters in agent config
> # -D system properties
> # environment variables



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
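
The process-list exposure mentioned in the description can be audited on a host. The following is an added example, not part of the issue or of Flume: it scans `ps`-style lines for the two JSSE password properties named above and reports the PID and property name with the value redacted. The function names, PIDs and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Flume code): find processes whose command line carries a
# JSSE keystore/truststore password passed as a -D system property.

# Reads "PID ARGS..." lines (the output format of `ps -eo pid=,args=`) on stdin.
# Prints "PID property-name <redacted>" per hit; the password is never echoed.
find_exposed_jsse_passwords() {
    awk '
    {
        pid = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-Djavax\.net\.ssl\.(keyStore|trustStore)Password=/) {
                split($i, kv, "=")
                # Drop the leading "-D" so only the property name is shown.
                print pid, substr(kv[1], 3), "<redacted>"
            }
        }
    }'
}

# Same check against the live process table (defined here, not called below).
audit_live_processes() {
    ps -eo pid=,args= | find_exposed_jsse_passwords
}

# Constructed sample input: two agents started with -D passwords, and one
# started without them (for example, configured through FLUME_SSL_* variables).
SAMPLE_PS='4242 java -Djavax.net.ssl.keyStore=/path/to/keystore -Djavax.net.ssl.keyStorePassword=keystore-password org.apache.flume.node.Application -n agent
4243 java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=truststore-password org.apache.flume.node.Application -n agent
4244 java org.apache.flume.node.Application -n agent'

printf '%s\n' "$SAMPLE_PS" | find_exposed_jsse_passwords
```

Environment variables do not appear in the `args` column, but on Linux they remain readable through `/proc/<pid>/environ` by the process owner and root, so they narrow the exposure rather than remove it.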
