New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FLINK-9816][network] add option to configure SSL engine provider for TM communication #6328
Conversation
… TM communication This prepares Flink to use OpenSSL for TM communication channels via netty. Currently, there is no easy way to provide the required native libraries, though. We'll either include these in a future version of flink-shaded or update instructions on how to include/build them manually.
Could you rebase this on top of #6326 ? That PR makes sure SSLEngine factories are used everywhere, giving a single point to integrate the provider such that it is available for all SSL endpoints. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just some suggestion
@@ -160,6 +160,7 @@ private Configuration createSslConfig() throws Exception { | |||
flinkConfig.setString(SecurityOptions.SSL_KEY_PASSWORD, "password"); | |||
flinkConfig.setString(SecurityOptions.SSL_TRUSTSTORE, "src/test/resources/local127.truststore"); | |||
flinkConfig.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password"); | |||
// flinkConfig.setString(SecurityOptions.SSL_PROVIDER, "OPENSSL"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if this is a useless dead code, can be removed
*/ | ||
@Nullable | ||
public static SSLContext createSSLServerContext(Configuration sslConfig) throws Exception { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this empty line is useless, can be removed
* Creates the SSL Context for the server if SSL is configured. | ||
* | ||
* @param sslConfig | ||
* The application configuration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the description of the param and throws do not need linefeed
* configured. | ||
* | ||
* @param sslConfig | ||
* The application configuration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do not need linefeed
/** | ||
* Instances needed to set up an SSL client connection. | ||
*/ | ||
public static class SSLServerTools { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need plural?
/** | ||
* Instances needed to set up an SSL client connection. | ||
*/ | ||
public static class SSLClientTools { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the class name use singular looks better to me
public static class SSLClientTools { | ||
public final SSLProvider preferredSslProvider; | ||
public final String sslProtocolVersion; | ||
public final TrustManagerFactory trustManagerFactory; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mark these fields as private
as provide getter/setter
looks better to me
|
||
public static SSLProvider fromString(String value) { | ||
Preconditions.checkNotNull(value); | ||
if (value.equalsIgnoreCase("OPENSSL")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
provide a constructor like SSLProvider(String provider)
to give the enum's string representation looks better than hard code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before merging this, please provide SSL benchmarks
What is the purpose of the change
Netty has the ability to run with different
SSLEngine
implementations but with our current setup, we are fixed to the JDK implementation, although one based on OpenSSL is expected to be faster [1].We should make this configurable and ideally also provide everything needed to run with OpenSSL in the future (the last part is not part of this PR).
[1] https://netty.io/wiki/requirements-for-4.x.html#benefits-of-using-openssl
Brief change log
security.ssl.provider
SslContextBuilder
(inNettyConfig
) to have this flexibilityVerifying this change
This change can be verified as follows:
JDK
SSL engine andOPENSSL
using a custom build usingnetty-tcnative
with statically linked boringssl libraries from http://netty.io/wiki/forked-tomcat-native.htmlDoes this pull request potentially affect one of the following parts:
@Public(Evolving)
: noDocumentation