Hi, The passwords are shown in plain text in logs , is this fixed in newer versions of flink (I am using 1.3.2)
Also, please let me know the answer to my previous queries in this mail chain Regards, Vinay Patil On Mon, Mar 19, 2018 at 7:35 PM, Vinay Patil <vinay18.pa...@gmail.com> wrote: > Hi, > > When I set ssl.verify.hostname to true , the job fails with SSL handshake > exception where it tries to match the IP address instead of the hostname > in the certificates. Everything works when I set this to false. The > keystore is created with FQDN. > The solution of adding all the hostnames and IP addresses in SAN list is > discarded by the company. > > And a security concern is raised when I set this parameter to false. I see > this https://issues.apache.org/jira/browse/FLINK-5030 in Unresolved > state. > How do Flink support hostname verification ? > > @Chesnay : It would be helpful to know the answer to my previous mail > > Regards, > Vinay Patil > > On Fri, Mar 16, 2018 at 10:15 AM, Vinay Patil <vinay18.pa...@gmail.com> > wrote: > >> Hi Chesnay, >> >> After setting the configurations for Remote Execution Environment the job >> gets submitted ,I had to set ssl-verify-hostname to false. >> However, I don't understand why there is a need to do it. I am running >> the job from master node itself and providing all the configurations in >> flink-conf.yaml while creating the cluster. So why do I have to copy the >> same stuff in code ? >> >> Regards, >> Vinay Patil >> >> On Fri, Mar 16, 2018 at 8:23 AM, Vinay Patil <vinay18.pa...@gmail.com> >> wrote: >> >>> Hi, >>> >>> No I am not passing any config to the remote execution environment. I am >>> running the job from master node itself. I have provided SSL configs in >>> flink-xonf.yaml >>> >>> Do I need to specify any SSL.config as part of Remote Execution env ? >>> >>> If yes can you please provide me an example. >>> >>> >>> >>> On Mar 16, 2018 1:56 AM, "Chesnay Schepler [via Apache Flink User >>> Mailing List archive.]" <ml+s2336050n1895...@n4.nabble.com> wrote: >>> >>> How are you creating the remote environment? In particular, are passing >>> a configuration to the RemoteEnvironment? >>> Have you set the SSL options in the config? >>> >>> >>> On 15.03.2018 22:46, Vinay Patil wrote: >>> >>> Hi, >>> >>> Even tried with ip-address for JobManager.host.name property, but did >>> not work. When I tried netstat -anp | grep 6123 , I see 3 TM connection >>> state as established, however when I submit the job , I see two more >>> entries with state as TIME_WAIT and after some time these entries are gone >>> and I get a Lost to Job Manager Exception. >>> >>> This only happens when SSL is enabled. >>> >>> Regards, >>> Vinay Patil >>> >>> On Thu, Mar 15, 2018 at 10:28 AM, Vinay Patil <[hidden email] >>> <http:///user/SendEmail.jtp?type=node&node=18950&i=0>> wrote: >>> >>>> Just an update, I am submitting the job from the master node, not >>>> using the normal flink run command to submit the job , but using Remote >>>> Execution Environment in code to do this. >>>> >>>> And in that I am passing the hostname which is same as provided in >>>> flink-conf.yaml >>>> >>>> Regards, >>>> Vinay Patil >>>> >>>> On Thu, Mar 15, 2018 at 7:57 AM, Vinay Patil <[hidden email] >>>> <http:///user/SendEmail.jtp?type=node&node=18950&i=1>> wrote: >>>> >>>>> Hi Guys, >>>>> >>>>> Any suggestions here >>>>> >>>>> Regards, >>>>> Vinay Patil >>>>> >>>>> On Wed, Mar 14, 2018 at 8:08 PM, Vinay Patil <[hidden email] >>>>> <http:///user/SendEmail.jtp?type=node&node=18950&i=2>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> After waiting for some time I got the exception as Lost Connection to >>>>>> Job Manager. Message: Could not retrieve the JobExecutionResult from Job >>>>>> Manager >>>>>> >>>>>> I am submitting the job as remote execution environment. I have >>>>>> specified the exact hostname of JobManager and port as 6123. >>>>>> >>>>>> Please let me know if any other configurations are needed. >>>>>> >>>>>> Regards, >>>>>> Vinay Patil >>>>>> >>>>>> On Wed, Mar 14, 2018 at 11:48 AM, Vinay Patil <[hidden email] >>>>>> <http:///user/SendEmail.jtp?type=node&node=18950&i=3>> wrote: >>>>>> >>>>>>> Hi Timo, >>>>>>> >>>>>>> Not getting any exception , it just says waiting for job completion >>>>>>> with a Job ID printed. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Regards, >>>>>>> Vinay Patil >>>>>>> >>>>>>> On Wed, Mar 14, 2018 at 11:34 AM, Timo Walther [via Apache Flink >>>>>>> User Mailing List archive.] <[hidden email] >>>>>>> <http:///user/SendEmail.jtp?type=node&node=18950&i=4>> wrote: >>>>>>> >>>>>>>> Hi Vinay, >>>>>>>> >>>>>>>> do you have any exception or log entry that describes the failure? >>>>>>>> >>>>>>>> Regards, >>>>>>>> Timo >>>>>>>> >>>>>>>> >>>>>>>> Am 14.03.18 um 15:51 schrieb Vinay Patil: >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have keystore for each of the 4 nodes in cluster and respective >>>>>>>> trustore. The cluster is configured correctly with SSL , verified this >>>>>>>> by >>>>>>>> accessing job manager using https and also see the TM path as >>>>>>>> akka.ssl.tcp, >>>>>>>> however the job is not getting submitted to the cluster. >>>>>>>> >>>>>>>> I am not allowed to import the certificate to the java default >>>>>>>> trustore, so I have provided the trustore and keystore as jvm args to >>>>>>>> the >>>>>>>> job. >>>>>>>> >>>>>>>> Is there any other configuration I should do so that the job is >>>>>>>> submitted >>>>>>>> >>>>>>>> Regards, >>>>>>>> Vinay Patil >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------ >>>>>>>> If you reply to this email, your message will be added to the >>>>>>>> discussion below: >>>>>>>> http://apache-flink-user-mailing-list-archive.2336050.n4.nab >>>>>>>> ble.com/Flink-SSL-Setup-on-a-standalone-cluster-tp18907p18909.html >>>>>>>> To start a new topic under Apache Flink User Mailing List archive., >>>>>>>> email [hidden email] >>>>>>>> <http:///user/SendEmail.jtp?type=node&node=18950&i=5> >>>>>>>> To unsubscribe from Apache Flink User Mailing List archive., click >>>>>>>> here. >>>>>>>> NAML >>>>>>>> <http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >>> >>> >>> ------------------------------ >>> If you reply to this email, your message will be added to the discussion >>> below: >>> http://apache-flink-user-mailing-list-archive.2336050.n4.nab >>> ble.com/Flink-SSL-Setup-on-a-standalone-cluster-tp18907p18950.html >>> To start a new topic under Apache Flink User Mailing List archive., >>> email ml+s2336050n1...@n4.nabble.com >>> To unsubscribe from Apache Flink User Mailing List archive., click here >>> <http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=1&code=dmluYXkxOC5wYXRpbEBnbWFpbC5jb218MXwxODExMDE2NjAx> >>> . >>> NAML >>> <http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> >>> >>> >>> >> >
