Java Code Examples for org.apache.flink.configuration.SecurityOptions

Example #1
Source Project: Flink-CEPplus — Author: ljygz — File: YarnTaskExecutorRunnerTest.java — License: Apache License 2.0
/**
 * Verifies that a YARN task executor turns the keytab/principal environment variables into
 * Kerberos login options: the installed HadoopModule and the Flink configuration must both
 * carry the principal and the keytab path derived from the "current directory".
 */
@Test
public void testKerberosKeytabConfiguration() throws Exception {
	// the test resource directory plays the role of the container working directory
	final String resourceDirPath = Paths.get("src", "test", "resources").toAbsolutePath().toString();
	// NOTE(review): the principal literal below looks mangled by the hosting page's e-mail
	// obfuscation; confirm the real value against the upstream test source.
	final String expectedPrincipal = "[email protected]";
	// the keytab is expected under a fixed name inside the working directory, not at the env path
	final String expectedKeytab = new File(resourceDirPath, Utils.KEYTAB_FILE_NAME).getAbsolutePath();

	final Map<String, String> envs = new HashMap<>(2);
	envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, expectedPrincipal);
	envs.put(YarnConfigKeys.KEYTAB_PATH, resourceDirPath);

	final Configuration configuration = new Configuration();
	YarnTaskExecutorRunner.setupConfigurationAndInstallSecurityContext(configuration, resourceDirPath, envs);

	// the installed HadoopModule must have been built from the derived keytab/principal
	final Optional<SecurityModule> hadoopModuleOpt = SecurityUtils.getInstalledModules().stream()
		.filter(HadoopModule.class::isInstance)
		.findFirst();
	if (!hadoopModuleOpt.isPresent()) {
		fail("Can not find HadoopModule!");
	}
	final HadoopModule hadoopModule = (HadoopModule) hadoopModuleOpt.get();
	assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is(expectedPrincipal));
	assertThat(hadoopModule.getSecurityConfig().getKeytab(), is(expectedKeytab));

	// the same values must have been written back into the Flink configuration
	assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB), is(expectedKeytab));
	assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(expectedPrincipal));
}
 
Example #2
Source Project: flink — Author: apache — File: BlobServerSSLTest.java — License: Apache License 2.0
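/**
 * A blob server with internal SSL enabled must refuse to start when the configured keystore
 * and truststore paths cannot be loaded, and the failure must surface as an
 * {@link IOException} carrying the SSL-initialisation message.
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
	final Configuration config = new Configuration();

	config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	// both stores point at a path that does not exist; the passwords are test fixtures only
	config.setString(SecurityOptions.SSL_KEYSTORE, "invalid.keystore");
	config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_TRUSTSTORE, "invalid.keystore");
	config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");

	try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
		fail();
	} catch (Exception e) {
		// The lookups return an Optional; discarding the result would let this test pass for
		// any exception at all, so the presence of the expected cause/message is asserted.
		if (!findThrowable(e, IOException.class).isPresent()) {
			fail("Expected an IOException in the cause chain, got: " + e);
		}
		if (!findThrowableWithMessage(e, "Failed to initialize SSL for the blob server").isPresent()) {
			fail("Expected the SSL initialization failure message, got: " + e);
		}
	}
}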
 
Example #3
Source Project: Flink-CEPplus — Author: ljygz — File: SSLStoreOverlay.java — License: Apache License 2.0
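/**
 * Configures the overlay using the current environment (and global configuration).
 *
 * The following Flink configuration settings are used to source the keystore and truststore:
 *  - security.ssl.keystore
 *  - security.ssl.truststore
 *
 * A configured path must point at an existing regular file; an unset option leaves the
 * corresponding store unconfigured. Validation happens here, on the client side, so that a
 * bad path fails fast instead of surfacing later inside the container when the SSL context is
 * built.
 *
 * @param globalConfiguration the global Flink configuration to read the store paths from
 * @return this builder
 * @throws IllegalStateException if a configured store path is not a regular file
 */
public Builder fromEnvironment(Configuration globalConfiguration)  {

	final String configuredKeystore = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
	if (configuredKeystore != null) {
		final File candidate = new File(configuredKeystore);
		// isFile() rather than exists(): a directory can never be loaded as a keystore,
		// and rejecting it here keeps the error next to the misconfiguration
		if (!candidate.isFile()) {
			throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
		}
		// assign only after validation so a rejected path never leaves the builder half-configured
		keystorePath = candidate;
	}

	final String configuredTruststore = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
	if (configuredTruststore != null) {
		final File candidate = new File(configuredTruststore);
		if (!candidate.isFile()) {
			throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
		}
		truststorePath = candidate;
	}

	return this;
}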
 
Example #4
Source Project: flink — Author: apache — File: BlobServerSSLTest.java — License: Apache License 2.0
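/**
 * Internal SSL with an unusable cipher-suite list must prevent the blob server from coming up.
 *
 * {@code SecurityOptions.SSL_ALGORITHMS} carries the cipher-suite list, but here it is set to
 * two protocol names instead; the server is then expected to fail while opening its port,
 * and the failure must surface as an {@link IOException} with the port-range message rather
 * than as a silently started server without a usable TLS configuration.
 */
@Test
public void testFailedToInitWithTwoProtocolsSet() {
	final Configuration config = new Configuration();

	config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	config.setString(SecurityOptions.SSL_KEYSTORE,
		getClass().getResource("/local127.keystore").getPath());
	config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_TRUSTSTORE,
		getClass().getResource("/local127.truststore").getPath());
	config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");
	// deliberately wrong: protocol names where cipher suites are expected
	config.setString(SecurityOptions.SSL_ALGORITHMS, "TLSv1,TLSv1.1");

	try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
		fail();
	} catch (Exception e) {
		// The lookups return an Optional; discarding the result would let this test pass for
		// any exception at all, so the presence of the expected cause/message is asserted.
		if (!findThrowable(e, IOException.class).isPresent()) {
			fail("Expected an IOException in the cause chain, got: " + e);
		}
		if (!findThrowableWithMessage(e, "Unable to open BLOB Server in specified port range: 0").isPresent()) {
			fail("Expected the port range failure message, got: " + e);
		}
	}
}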
 
Example #5
Source Project: Flink-CEPplus — Author: ljygz — File: SSLUtils.java — License: Apache License 2.0
/**
 * Creates a SSLEngineFactory to be used by internal communication client endpoints.
 *
 * The factory is bound to the internal SSL context together with the configured protocol and
 * cipher-suite lists and the internal handshake / close_notify flush timeouts. Callers must
 * only invoke this when internal SSL is enabled; otherwise no context exists and the call is
 * rejected instead of silently producing a plaintext factory.
 *
 * @param config the Flink configuration holding the internal SSL settings
 * @return a handler factory for internal client connections
 * @throws IllegalConfigurationException if SSL is not enabled for internal communication
 * @throws Exception if the internal SSL context cannot be created
 */
public static SSLHandlerFactory createInternalClientSSLEngineFactory(final Configuration config) throws Exception {
	final SSLContext internalContext = createInternalSSLContext(config);
	if (internalContext == null) {
		throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
	}

	final String[] protocols = getEnabledProtocols(config);
	final String[] cipherSuites = getEnabledCipherSuites(config);
	final int handshakeTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT);
	final int closeNotifyFlushTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT);

	// the two boolean flags are both true for internal clients; their meaning is defined by
	// SSLHandlerFactory (presumably client mode and client authentication) -- see that class
	return new SSLHandlerFactory(
			internalContext,
			protocols,
			cipherSuites,
			true,
			true,
			handshakeTimeout,
			closeNotifyFlushTimeout);
}
 
Example #6
Source Project: flink — Author: apache — File: SSLUtils.java — License: Apache License 2.0
/**
 * Resolves the configured SSL provider name to a Netty {@code SslProvider}.
 *
 * "JDK" is always accepted; "OPENSSL" only when the native OpenSSL binding is actually
 * loadable, otherwise the unavailability cause is surfaced. Names are matched
 * case-insensitively. Anything else is rejected rather than silently falling back to the
 * JDK provider, so a typo cannot change the provider unnoticed.
 *
 * @param config the configuration to read {@code SecurityOptions.SSL_PROVIDER} from
 * @return the resolved provider
 * @throws IllegalConfigurationException for an unknown provider name, or for OPENSSL when
 *         the native library is unavailable
 */
@VisibleForTesting
static SslProvider getSSLProvider(final Configuration config) {
	checkNotNull(config, "config must not be null");
	final String configuredProvider = config.getString(SecurityOptions.SSL_PROVIDER);

	if (configuredProvider.equalsIgnoreCase("JDK")) {
		return JDK;
	}
	if (!configuredProvider.equalsIgnoreCase("OPENSSL")) {
		throw new IllegalConfigurationException("Unknown SSL provider: %s", configuredProvider);
	}
	if (!OpenSsl.isAvailable()) {
		throw new IllegalConfigurationException("openSSL not available", OpenSsl.unavailabilityCause());
	}
	return OPENSSL;
}
 
Example #7
Source Project: flink — Author: apache — File: SSLUtilsTest.java — License: Apache License 2.0
/**
 * Tests if SSLUtils set the right ssl version and cipher suites for SSLServerSocket.
 *
 * A single, deliberately narrow protocol / cipher-suite selection is configured so that the
 * values read back from the socket can only have come from the configuration, not from the
 * JDK defaults. TLSv1.1 and the TLS_RSA CBC suites are legacy choices that serve this test
 * only and are not a recommendation. NOTE(review): on JDKs that disable TLSv1.1 through
 * jdk.tls.disabledAlgorithms the enabled-protocol assertion may not hold -- confirm on the
 * target JDK.
 */
@Test
public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exception {
	final String expectedProtocol = "TLSv1.1";
	final String[] expectedCipherSuites = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"};

	final Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores();
	serverConfig.setString(SecurityOptions.SSL_PROTOCOL, expectedProtocol);
	serverConfig.setString(SecurityOptions.SSL_ALGORITHMS, String.join(",", expectedCipherSuites));

	try (ServerSocket serverSocket = SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) {
		assertTrue(serverSocket instanceof SSLServerSocket);
		final SSLServerSocket sslServerSocket = (SSLServerSocket) serverSocket;

		final String[] enabledProtocols = sslServerSocket.getEnabledProtocols();
		assertEquals(1, enabledProtocols.length);
		assertEquals(expectedProtocol, enabledProtocols[0]);

		final String[] enabledCipherSuites = sslServerSocket.getEnabledCipherSuites();
		assertEquals(expectedCipherSuites.length, enabledCipherSuites.length);
		assertThat(enabledCipherSuites, arrayContainingInAnyOrder(expectedCipherSuites));
	}
}
 
Example #8
Source Project: Flink-CEPplus — Author: ljygz — File: RestServerEndpointITCase.java — License: Apache License 2.0
/**
 * A request to the version-selection test endpoint without an explicit version must be routed
 * (presumably to the default version) and answered with 202 ACCEPTED.
 *
 * Only the plain-HTTP parameterisation is exercised: the stock OkHttpClient is not configured
 * with the test truststore, so the SSL variants are skipped rather than given a client that
 * would have to disable certificate validation.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
	final boolean restSslEnabled = config.getBoolean(SecurityOptions.SSL_REST_ENABLED);
	Assume.assumeFalse("Ignoring SSL-enabled test to keep OkHttp usage simple.", restSslEnabled);

	final String targetUrl = serverEndpoint.getRestBaseUrl()
		+ TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
	final Request request = new Request.Builder().url(targetUrl).build();

	try (final Response response = new OkHttpClient().newCall(request).execute()) {
		assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
	}
}
 
Example #9
Source Project: flink — Author: apache — File: RestServerEndpointITCase.java — License: Apache License 2.0
/**
 * A request to the version-selection test endpoint without an explicit version must be routed
 * (presumably to the default version) and answered with 202 ACCEPTED.
 *
 * Only the plain-HTTP parameterisation is exercised: the stock OkHttpClient is not configured
 * with the test truststore, so the SSL variants are skipped rather than given a client that
 * would have to disable certificate validation.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
	final boolean restSslEnabled = config.getBoolean(SecurityOptions.SSL_REST_ENABLED);
	Assume.assumeFalse("Ignoring SSL-enabled test to keep OkHttp usage simple.", restSslEnabled);

	final String targetUrl = serverEndpoint.getRestBaseUrl()
		+ TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
	final Request request = new Request.Builder().url(targetUrl).build();

	try (final Response response = new OkHttpClient().newCall(request).execute()) {
		assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
	}
}
 
Example #10
Source Project: Flink-CEPplus — Author: ljygz — File: BlobServerSSLTest.java — License: Apache License 2.0
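/**
 * A blob server with internal SSL enabled must refuse to start when the configured keystore
 * and truststore paths cannot be loaded, and the failure must surface as an
 * {@link IOException} carrying the SSL-initialisation message.
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
	final Configuration config = new Configuration();

	config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	// both stores point at a path that does not exist; the passwords are test fixtures only
	config.setString(SecurityOptions.SSL_KEYSTORE, "invalid.keystore");
	config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
	config.setString(SecurityOptions.SSL_TRUSTSTORE, "invalid.keystore");
	config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");

	try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
		fail();
	} catch (Exception e) {
		// The lookups return an Optional; discarding the result would let this test pass for
		// any exception at all, so the presence of the expected cause/message is asserted.
		if (!findThrowable(e, IOException.class).isPresent()) {
			fail("Expected an IOException in the cause chain, got: " + e);
		}
		if (!findThrowableWithMessage(e, "Failed to initialize SSL for the blob server").isPresent()) {
			fail("Expected the SSL initialization failure message, got: " + e);
		}
	}
}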
 
Example #11
Source Project: Flink-CEPplus — Author: ljygz — File: SSLUtilsTest.java — License: Apache License 2.0
/**
 * Tests whether activation of internal / REST SSL evaluates the config flags correctly.
 *
 * Three cases: the deprecated umbrella switch {@code SecurityOptions.SSL_ENABLED} alone turns
 * on both internal and REST SSL; the channel-specific switches work on their own; and when
 * both are present the specific switches win, so the legacy flag cannot re-enable a channel
 * that was explicitly turned off.
 */
@SuppressWarnings("deprecation")
@Test
public void checkEnableSSL() {
	// legacy switch only -> both channels enabled
	final Configuration legacyOnly = new Configuration();
	legacyOnly.setBoolean(SecurityOptions.SSL_ENABLED, true);
	assertTrue(SSLUtils.isInternalSSLEnabled(legacyOnly));
	assertTrue(SSLUtils.isRestSSLEnabled(legacyOnly));

	// channel-specific switches only
	final Configuration specificOnly = new Configuration();
	specificOnly.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	specificOnly.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
	assertTrue(SSLUtils.isInternalSSLEnabled(specificOnly));
	assertFalse(SSLUtils.isRestSSLEnabled(specificOnly));

	// legacy switch on, specific switches off -> the specific switches win
	final Configuration bothSet = new Configuration();
	bothSet.setBoolean(SecurityOptions.SSL_ENABLED, true);
	bothSet.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, false);
	bothSet.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
	assertFalse(SSLUtils.isInternalSSLEnabled(bothSet));
	assertFalse(SSLUtils.isRestSSLEnabled(bothSet));
}
 
Example #12
Source Project: flink — Author: apache — File: RestServerEndpointITCase.java — License: Apache License 2.0
/**
 * Produces the REST endpoint configurations this test class runs against: plain HTTP, REST
 * SSL, REST SSL with client authentication, and REST SSL with client authentication plus a
 * pinned server certificate fingerprint (computed from the test keystore). All passwords are
 * test-fixture values.
 *
 * @return one single-element parameter array per configuration
 * @throws Exception if the certificate fingerprint cannot be computed from the test keystore
 */
@Parameterized.Parameters
public static Collection<Object[]> data() throws Exception {
	final Configuration plainConfig = getBaseConfig();

	final Configuration sslConfig = new Configuration(plainConfig);
	sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
	sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, getTestResource("local127.truststore").getAbsolutePath());
	sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "password");
	sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, getTestResource("local127.keystore").getAbsolutePath());
	sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "password");
	sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "password");

	// client authentication on top of server-side SSL (presumably mutual TLS)
	final Configuration sslRestAuthConfig = new Configuration(sslConfig);
	sslRestAuthConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

	// additionally pin the certificate fingerprint; "flink.test" is presumably the key alias
	final Configuration sslPinningRestAuthConfig = new Configuration(sslRestAuthConfig);
	final String fingerprint = SSLUtilsTest.getRestCertificateFingerprint(sslPinningRestAuthConfig, "flink.test");
	sslPinningRestAuthConfig.setString(SecurityOptions.SSL_REST_CERT_FINGERPRINT, fingerprint);

	return Arrays.asList(
		new Object[]{plainConfig},
		new Object[]{sslConfig},
		new Object[]{sslRestAuthConfig},
		new Object[]{sslPinningRestAuthConfig});
}
 
Example #13
Source Project: flink — Author: apache — File: SSLStoreOverlayTest.java — License: Apache License 2.0
/**
 * The overlay must ship both stores into the container as artifacts and point the container's
 * Flink configuration at the fixed in-container paths, never at the host paths.
 */
@Test
public void testConfigure() throws Exception {
	final File hostKeystore = tempFolder.newFile();
	final File hostTruststore = tempFolder.newFile();

	final ContainerSpecification spec = new ContainerSpecification();
	new SSLStoreOverlay(hostKeystore, hostTruststore).configure(spec);

	// keystore: option rewritten to the in-container path, artifact registered
	assertEquals(TARGET_KEYSTORE_PATH.getPath(), spec.getFlinkConfiguration().getString(SecurityOptions.SSL_KEYSTORE));
	checkArtifact(spec, TARGET_KEYSTORE_PATH);

	// truststore: same treatment
	assertEquals(TARGET_TRUSTSTORE_PATH.getPath(), spec.getFlinkConfiguration().getString(SecurityOptions.SSL_TRUSTSTORE));
	checkArtifact(spec, TARGET_TRUSTSTORE_PATH);
}
 
Example #14
Source Project: flink — Author: flink-tpc-ds — File: RestServerEndpointITCase.java — License: Apache License 2.0
/**
 * Produces the REST endpoint configurations this test class runs against: plain HTTP, REST
 * SSL, and REST SSL with client authentication. All passwords are test-fixture values.
 *
 * @return one single-element parameter array per configuration
 */
@Parameterized.Parameters
public static Collection<Object[]> data() {
	final Configuration plainConfig = getBaseConfig();

	final Configuration sslConfig = new Configuration(plainConfig);
	sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
	sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, getTestResource("local127.truststore").getAbsolutePath());
	sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "password");
	sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, getTestResource("local127.keystore").getAbsolutePath());
	sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "password");
	sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "password");

	// client authentication on top of server-side SSL (presumably mutual TLS)
	final Configuration sslRestAuthConfig = new Configuration(sslConfig);
	sslRestAuthConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

	return Arrays.asList(
		new Object[]{plainConfig},
		new Object[]{sslConfig},
		new Object[]{sslRestAuthConfig});
}
 
Example #15
Source Project: flink — Author: apache — File: SSLStoreOverlay.java — License: Apache License 2.0
/**
 * Adds the configured keystore and truststore to the container specification.
 *
 * Each store present on this overlay is shipped as a non-cacheable artifact to a fixed
 * in-container path, and the container's Flink configuration is rewritten to that path so
 * the host path never leaks into the container. A store that was not configured is skipped
 * and its option left untouched.
 *
 * @param container the specification to extend (mutated in place)
 * @throws IOException declared by the overlay contract
 */
@Override
public void configure(ContainerSpecification container) throws IOException {
	if (keystore != null) {
		final ContainerSpecification.Artifact keystoreArtifact = ContainerSpecification.Artifact.newBuilder()
			.setSource(keystore)
			.setDest(TARGET_KEYSTORE_PATH)
			.setCachable(false) // key material is copied fresh on every deployment
			.build();
		container.getArtifacts().add(keystoreArtifact);
		container.getFlinkConfiguration().setString(SecurityOptions.SSL_KEYSTORE, TARGET_KEYSTORE_PATH.getPath());
	}

	if (truststore != null) {
		final ContainerSpecification.Artifact truststoreArtifact = ContainerSpecification.Artifact.newBuilder()
			.setSource(truststore)
			.setDest(TARGET_TRUSTSTORE_PATH)
			.setCachable(false)
			.build();
		container.getArtifacts().add(truststoreArtifact);
		container.getFlinkConfiguration().setString(SecurityOptions.SSL_TRUSTSTORE, TARGET_TRUSTSTORE_PATH.getPath());
	}
}
 
Example #16
Source Project: Flink-CEPplus — Author: ljygz — File: NettyClientServerSslTest.java — License: Apache License 2.0
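/**
 * Verify failure on invalid ssl configuration.
 *
 * A wrong internal keystore password must abort server/client setup with an exception; the
 * transport must never come up with a keystore it could not open.
 */
@Test
public void testInvalidSslConfiguration() throws Exception {
	final NettyProtocol protocol = new NoOpProtocol();

	final Configuration config = createSslConfig();
	// Modify the keystore password to an incorrect one
	config.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD, "invalidpassword");

	final NettyConfig nettyConfig = createNettyConfig(config);

	NettyTestUtil.NettyServerAndClient serverAndClient = null;
	try {
		serverAndClient = NettyTestUtil.initServerAndClient(protocol, nettyConfig);
		Assert.fail("Created server and client from invalid configuration");
	} catch (Exception e) {
		// expected: the unreadable keystore must surface as an exception during setup
	} finally {
		// Assert.fail() throws an AssertionError, which the catch above does not intercept;
		// shutting down in finally ensures a server that wrongly started does not leak into
		// later tests (shutdown is handed null when setup failed, as before).
		NettyTestUtil.shutdown(serverAndClient);
	}
}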
 
Example #17
Source Project: Flink-CEPplus — Author: ljygz — File: NettyClientServerSslTest.java — License: Apache License 2.0
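/**
 * A client presenting a certificate the server does not trust must not get a working channel:
 * the connection may be established, but the first write over it is reported as failed.
 *
 * Only the client's keystore is swapped (to {@code untrusted.keystore}); everything else comes
 * from createSslConfig(), so the rejection presumably originates on the server side through
 * client authentication.
 */
@Test
public void testClientUntrustedCertificate() throws Exception {
	final Configuration serverConfig = createSslConfig();
	final Configuration clientConfig = createSslConfig();

	// give the client a different keystore / certificate
	clientConfig.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE, "src/test/resources/untrusted.keystore");

	final NettyConfig nettyServerConfig = createNettyConfig(serverConfig);
	final NettyConfig nettyClientConfig = createNettyConfig(clientConfig);

	final NettyBufferPool bufferPool = new NettyBufferPool(1);
	final NettyProtocol protocol = new NoOpProtocol();

	final NettyServer server = NettyTestUtil.initServer(nettyServerConfig, protocol, bufferPool);
	final NettyClient client = NettyTestUtil.initClient(nettyClientConfig, protocol, bufferPool);
	final NettyServerAndClient serverAndClient = new NettyServerAndClient(server, client);

	try {
		final Channel ch = NettyTestUtil.connect(serverAndClient);
		ch.pipeline().addLast(new StringDecoder()).addLast(new StringEncoder());

		// Attempting to write data over ssl should fail
		assertFalse(ch.writeAndFlush("test").await().isSuccess());
	} finally {
		// shut down even when the assertion fails, otherwise server and client leak into later tests
		NettyTestUtil.shutdown(serverAndClient);
	}
}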
 
Example #18
Source Project: flink — Author: apache — File: SecurityConfiguration.java — License: Apache License 2.0
/**
 * Create a security configuration from the global configuration.
 *
 * Reads the Kerberos login settings (keytab, principal, ticket-cache usage, JAAS login
 * contexts) and the ZooKeeper SASL settings from {@code flinkConf}, then runs
 * {@link #validate()} so that an inconsistent combination is rejected at construction time
 * rather than at login time.
 *
 * @param flinkConf the Flink global configuration.
 * @param securityContextFactory the security context factories (class names) to use.
 * @param securityModuleFactories the security modules to apply.
 */
public SecurityConfiguration(Configuration flinkConf,
		List<String> securityContextFactory,
		List<String> securityModuleFactories) {
	this.flinkConfig = checkNotNull(flinkConf);

	// Kerberos login settings
	this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
	this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
	this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
	this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));

	// ZooKeeper SASL settings
	this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
	this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
	this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);

	// the module list is frozen; the context factory list is stored as handed in (note the asymmetry)
	this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);
	this.securityContextFactory = securityContextFactory;

	validate();
}
 
Example #19
Source Project: flink — Author: flink-tpc-ds — File: SSLStoreOverlay.java — License: Apache License 2.0
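/**
 * Configures the overlay using the current environment (and global configuration).
 *
 * The following Flink configuration settings are used to source the keystore and truststore:
 *  - security.ssl.keystore
 *  - security.ssl.truststore
 *
 * A configured path must point at an existing regular file; an unset option leaves the
 * corresponding store unconfigured. Validation happens here, on the client side, so that a
 * bad path fails fast instead of surfacing later inside the container when the SSL context is
 * built.
 *
 * @param globalConfiguration the global Flink configuration to read the store paths from
 * @return this builder
 * @throws IllegalStateException if a configured store path is not a regular file
 */
public Builder fromEnvironment(Configuration globalConfiguration)  {

	final String configuredKeystore = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
	if (configuredKeystore != null) {
		final File candidate = new File(configuredKeystore);
		// isFile() rather than exists(): a directory can never be loaded as a keystore,
		// and rejecting it here keeps the error next to the misconfiguration
		if (!candidate.isFile()) {
			throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
		}
		// assign only after validation so a rejected path never leaves the builder half-configured
		keystorePath = candidate;
	}

	final String configuredTruststore = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
	if (configuredTruststore != null) {
		final File candidate = new File(configuredTruststore);
		if (!candidate.isFile()) {
			throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
		}
		truststorePath = candidate;
	}

	return this;
}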
 
Example #20
Source Project: flink — Author: flink-tpc-ds — File: RestServerEndpointITCase.java — License: Apache License 2.0
/**
 * A request to the version-selection test endpoint without an explicit version must be routed
 * (presumably to the default version) and answered with 202 ACCEPTED.
 *
 * Only the plain-HTTP parameterisation is exercised: the stock OkHttpClient is not configured
 * with the test truststore, so the SSL variants are skipped rather than given a client that
 * would have to disable certificate validation.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
	final boolean restSslEnabled = config.getBoolean(SecurityOptions.SSL_REST_ENABLED);
	Assume.assumeFalse("Ignoring SSL-enabled test to keep OkHttp usage simple.", restSslEnabled);

	final String targetUrl = serverEndpoint.getRestBaseUrl()
		+ TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
	final Request request = new Request.Builder().url(targetUrl).build();

	try (final Response response = new OkHttpClient().newCall(request).execute()) {
		assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
	}
}
 
Example #21
Source Project: flink — Author: apache — File: SecurityUtilsTest.java — License: Apache License 2.0
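/**
 * Verify that we fall back to a second configuration if the first one is incompatible.
 *
 * Two context factory class names are configured; the first is expected to be rejected as
 * incompatible and the second to be installed. The installed context is always uninstalled
 * afterwards, and uninstalling must restore the no-op context.
 */
@Test
public void testSecurityContextShouldFallbackToSecond() throws Exception {
	final Configuration testFlinkConf = new Configuration();

	testFlinkConf.set(
			SecurityOptions.SECURITY_CONTEXT_FACTORY_CLASSES,
			Lists.newArrayList(
					IncompatibleTestSecurityContextFactory.class.getCanonicalName(),
					TestSecurityContextFactory.class.getCanonicalName()));

	final SecurityConfiguration testSecurityConf = new SecurityConfiguration(testFlinkConf);

	SecurityUtils.install(testSecurityConf);
	try {
		assertEquals(
				TestSecurityContextFactory.TestSecurityContext.class,
				SecurityUtils.getInstalledContext().getClass());
	} finally {
		// uninstall even when the assertion fails, otherwise the installed context (process-wide
		// state) leaks into every test that runs afterwards
		SecurityUtils.uninstall();
	}
	assertEquals(NoOpSecurityContext.class, SecurityUtils.getInstalledContext().getClass());
}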
 
Example #22
Source Project: flink — Author: flink-tpc-ds — File: SSLUtils.java — License: Apache License 2.0
/**
 * Builds a {@link TrustManagerFactory} from the configured truststore.
 *
 * The store path and password come from the channel-specific option (internal or REST
 * truststore / password) with the generic {@code security.ssl.truststore} options as fallback;
 * getAndCheckOption presumably rejects a missing value for either. The factory is initialised
 * with this store alone, so only the certificates it contains are trusted -- there is no
 * fallback to the JVM's default CA bundle.
 *
 * @param config the Flink configuration
 * @param internal true for the internal channel, false for the REST endpoint
 * @return a trust manager factory backed by the configured store
 * @throws IOException if the store file cannot be read or its integrity check fails
 * @throws KeyStoreException if the default keystore type cannot be instantiated
 * @throws NoSuchAlgorithmException if the store or trust-manager algorithm is unavailable
 * @throws CertificateException if a certificate in the store cannot be loaded
 */
private static TrustManagerFactory getTrustManagerFactory(Configuration config, boolean internal)
		throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
	final String storePath = internal
		? getAndCheckOption(config, SecurityOptions.SSL_INTERNAL_TRUSTSTORE, SecurityOptions.SSL_TRUSTSTORE)
		: getAndCheckOption(config, SecurityOptions.SSL_REST_TRUSTSTORE, SecurityOptions.SSL_TRUSTSTORE);
	final String storePassword = internal
		? getAndCheckOption(config, SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD, SecurityOptions.SSL_TRUSTSTORE_PASSWORD)
		: getAndCheckOption(config, SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, SecurityOptions.SSL_TRUSTSTORE_PASSWORD);

	// the file must be in the JVM's default keystore format (keystore.type security property;
	// presumably PKCS12 on current JDKs, JKS on older ones)
	final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
	try (InputStream storeStream = Files.newInputStream(new File(storePath).toPath())) {
		// the password is used for the store's integrity check; a wrong one fails the load
		trustStore.load(storeStream, storePassword.toCharArray());
	}

	final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
	factory.init(trustStore);
	return factory;
}
 
Example #23
Source Project: Flink-CEPplus — Author: ljygz — File: YarnTaskExecutorRunner.java — License: Apache License 2.0
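/**
 * Derives the Kerberos and host settings of a YARN task executor from the container environment.
 *
 * The keytab is not read from the remote path value itself: the remote path only signals that
 * a keytab was shipped, and the file is expected under the fixed name
 * {@code Utils.KEYTAB_FILE_NAME} inside {@code currDir}. Kerberos login options are set only
 * when both that keytab and a principal are present; a half-configured pair is logged as a
 * warning and otherwise ignored. The keytab contents are never logged, only its path.
 *
 * @param configuration the configuration to populate (mutated in place)
 * @param currDir the container working directory holding the localized keytab
 * @param variables the container environment variables
 * @throws IOException propagated from {@code UserGroupInformation.getCurrentUser()}
 */
private static void setupConfigurationFromVariables(Configuration configuration, String currDir, Map<String, String> variables) throws IOException {
	final String yarnClientUsername = variables.get(YarnConfigKeys.ENV_HADOOP_USER_NAME);

	final String remoteKeytabPath = variables.get(YarnConfigKeys.KEYTAB_PATH);
	LOG.info("TM: remote keytab path obtained {}", remoteKeytabPath);

	final String remoteKeytabPrincipal = variables.get(YarnConfigKeys.KEYTAB_PRINCIPAL);
	LOG.info("TM: remote keytab principal obtained {}", remoteKeytabPrincipal);

	// tell akka to die in case of an error
	configuration.setBoolean(AkkaOptions.JVM_EXIT_ON_FATAL_ERROR, true);

	String keytabPath = null;
	if (remoteKeytabPath != null) {
		// the shipped keytab lives under a fixed name in the working directory
		keytabPath = new File(currDir, Utils.KEYTAB_FILE_NAME).getAbsolutePath();
		LOG.info("keytab path: {}", keytabPath);
	}

	final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

	LOG.info("YARN daemon is running as: {} Yarn client user obtainer: {}",
			currentUser.getShortUserName(), yarnClientUsername);

	if (keytabPath != null && remoteKeytabPrincipal != null) {
		configuration.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, keytabPath);
		configuration.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, remoteKeytabPrincipal);
	} else if (keytabPath != null || remoteKeytabPrincipal != null) {
		// Only one half of the keytab/principal pair is present, so no keytab login is
		// configured. Without this warning the executor would presumably run with whatever
		// ambient login exists, which is hard to diagnose on a secured cluster.
		LOG.warn("Incomplete Kerberos configuration in environment (keytab path: {}, principal: {}); "
				+ "keytab login will not be configured for this task executor.",
				keytabPath, remoteKeytabPrincipal);
	}

	// use the hostname passed by job manager
	final String taskExecutorHostname = variables.get(YarnResourceManager.ENV_FLINK_NODE_ID);
	if (taskExecutorHostname != null) {
		configuration.setString(TaskManagerOptions.HOST, taskExecutorHostname);
	}
}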
 
Example #24
Source Project: flink — Author: apache — File: YarnEntrypointUtilsTest.java — License: Apache License 2.0
/**
 * An existing local keytab path plus a principal in the YARN environment must be copied
 * verbatim into the Kerberos login options.
 */
@Test
public void testParsingValidKerberosEnv() throws IOException {
	final File keytabFile = TEMPORARY_FOLDER.newFile();
	final String principal = "starlord";

	final Map<String, String> env = new HashMap<>();
	env.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, keytabFile.getAbsolutePath());
	env.put(YarnConfigKeys.KEYTAB_PRINCIPAL, principal);

	final Configuration configuration = loadConfiguration(new Configuration(), env);

	assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_KEYTAB), is(keytabFile.getAbsolutePath()));
	assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(principal));
}
 
Example #25
Source Project: Flink-CEPplus — Author: ljygz — File: SecurityConfiguration.java — License: Apache License 2.0
/**
 * Create a security configuration from the global configuration.
 *
 * Reads the Kerberos login settings (keytab, principal, ticket-cache usage, JAAS login
 * contexts) and the ZooKeeper SASL settings from {@code flinkConf}, then runs
 * {@link #validate()} so that an inconsistent combination is rejected at construction time
 * rather than at login time.
 *
 * @param flinkConf the Flink global configuration.
 * @param securityModuleFactories the security modules to apply.
 */
public SecurityConfiguration(Configuration flinkConf,
		List<SecurityModuleFactory> securityModuleFactories) {
	this.flinkConfig = checkNotNull(flinkConf);

	// Kerberos login settings
	this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
	this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
	this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
	this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));

	// ZooKeeper SASL settings
	this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
	this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
	this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);

	// frozen so later callers cannot add or remove modules behind the configuration's back
	this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);

	validate();
}
 
Example #26
Source Project: Flink-CEPplus — Author: ljygz — File: KeytabOverlay.java — License: Apache License 2.0
/**
 * Ships the keytab into the container and points the dynamic configuration at it.
 *
 * The keytab is added as a non-cacheable artifact (credential material is copied fresh on
 * every deployment rather than served from an artifact cache) at the fixed in-container path
 * {@code TARGET_PATH}, and {@code SecurityOptions.KERBEROS_LOGIN_KEYTAB} is set to that path.
 * Nothing happens when no keytab was configured.
 *
 * @param container the specification to extend (mutated in place)
 * @throws IOException declared by the overlay contract
 */
@Override
public void configure(ContainerSpecification container) throws IOException {
	if (keytab == null) {
		return;
	}

	final ContainerSpecification.Artifact keytabArtifact = ContainerSpecification.Artifact.newBuilder()
		.setSource(keytab)
		.setDest(TARGET_PATH)
		.setCachable(false)
		.build();
	container.getArtifacts().add(keytabArtifact);
	container.getDynamicConfiguration().setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, TARGET_PATH.getPath());
}
 
Example #27
Source Project: flink — Author: apache — File: YarnEntrypointUtilsTest.java — License: Apache License 2.0
/**
 * A local keytab path that does not exist must not yield a half-configured Kerberos login:
 * both the keytab and the principal option stay unset even though a principal was supplied.
 */
@Test
public void testParsingKerberosEnvWithMissingKeytab() throws IOException {
	final Map<String, String> env = new HashMap<>();
	env.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, "/hopefully/doesnt/exist");
	env.put(YarnConfigKeys.KEYTAB_PRINCIPAL, "starlord");

	final Configuration configuration = loadConfiguration(new Configuration(), env);

	// both keytab and principal should be null
	assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_KEYTAB), nullValue());
	assertThat(configuration.get(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), nullValue());
}
 
Example #28
Source Project: flink — Author: flink-tpc-ds — File: BlobClientSslTest.java — License: Apache License 2.0
/**
 * Starts the blob server that the non-SSL client tests talk to.
 *
 * The shared internal-SSL fixture (key and trust store, default provider) is reused, but
 * {@code BlobServerOptions.SSL_ENABLED} is switched off; which of the two flags wins is
 * decided by BlobServer, and this server is expected to accept plain connections. The same
 * configuration is kept for the non-SSL client.
 *
 * @throws IOException if the temporary storage directory or the server cannot be created
 */
@BeforeClass
public static void startNonSSLServer() throws IOException {
	final Configuration serverConfig = SSLUtilsTest.createInternalSslConfigWithKeyAndTrustStores(
		SecurityOptions.SSL_PROVIDER.defaultValue());
	serverConfig.setString(BlobServerOptions.STORAGE_DIRECTORY, temporarySslFolder.newFolder().getAbsolutePath());
	serverConfig.setBoolean(BlobServerOptions.SSL_ENABLED, false);

	blobNonSslServer = new BlobServer(serverConfig, new VoidBlobStore());
	blobNonSslServer.start();

	nonSslClientConfig = serverConfig;
}
 
Example #29
Source Project: flink — Author: flink-tpc-ds — File: SSLUtilsTest.java — License: Apache License 2.0
/**
 * Builds a configuration with internal SSL enabled and both a keystore and a truststore set,
 * i.e. enough for an endpoint to present a certificate and to verify its peer.
 *
 * @param sslProvider the provider name to set for {@code SecurityOptions.SSL_PROVIDER}
 * @return a fresh configuration
 */
public static Configuration createInternalSslConfigWithKeyAndTrustStores(String sslProvider) {
	final Configuration sslConfig = new Configuration();
	sslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	addSslProviderConfig(sslConfig, sslProvider);
	addInternalKeyStoreConfig(sslConfig);
	addInternalTrustStoreConfig(sslConfig);
	return sslConfig;
}
 
Example #30
Source Project: flink — Author: flink-tpc-ds — File: SSLUtilsTest.java — License: Apache License 2.0
/**
 * Builds a configuration with internal SSL enabled and only a truststore: the endpoint can
 * verify a peer's certificate but has no key material of its own to present.
 *
 * @return a fresh configuration using this test's {@code sslProvider}
 */
private Configuration createInternalSslConfigWithTrustStore() {
	final Configuration trustOnlyConfig = new Configuration();
	trustOnlyConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
	addSslProviderConfig(trustOnlyConfig, sslProvider);
	addInternalTrustStoreConfig(trustOnlyConfig);
	return trustOnlyConfig;
}