flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-10628) Add end-to-end test for REST communication encryption
Date Thu, 15 Nov 2018 09:11:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-10628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687677#comment-16687677
] 

ASF GitHub Bot commented on FLINK-10628:
----------------------------------------

zentol closed pull request #6967: [FLINK-10628][E2E][SSL] Enable mutual REST SSL auth in e2e
tests
URL: https://github.com/apache/flink/pull/6967
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index 4e3716218d2..77099ebf61f 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -198,7 +198,7 @@ This example shows how to create a simple keystore / truststore pair.
The trusts
 be shared with other applications. In this example, *myhost.company.org / ip:10.0.2.15* is
the node (or service) for the Flink master.
 
 {% highlight bash %}
-keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname "CN=myhost.company.org"
-ext "SAN=dns:myhost.company.org,ip:10.0.2.15" -storepass rest_keystore_password -keypass
rest_key_password -keyalg RSA -keysize 4096
+keytool -genkeypair -alias flink.rest -keystore rest.keystore -dname "CN=myhost.company.org"
-ext "SAN=dns:myhost.company.org,ip:10.0.2.15" -storepass rest_keystore_password -keypass
rest_key_password -keyalg RSA -keysize 4096 -storetype PKCS12
 
 keytool -exportcert -keystore rest.keystore -alias flink.rest -storepass rest_keystore_password
-file flink.cer
 
@@ -219,7 +219,7 @@ security.ssl.rest.key-password: rest_key_password
 Execute the following keytool commands to create a truststore with a self signed CA.
 
 {% highlight bash %}
-keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass ca_keystore_password
-keypass ca_key_password -keyalg RSA -keysize 4096 -ext "bc=ca:true"
+keytool -genkeypair -alias ca -keystore ca.keystore -dname "CN=Sample CA" -storepass ca_keystore_password
-keypass ca_key_password -keyalg RSA -keysize 4096 -ext "bc=ca:true" -storetype PKCS12
 
 keytool -exportcert -keystore ca.keystore -alias ca -storepass ca_keystore_password -file
ca.cer
 
@@ -230,7 +230,7 @@ Now create a keystore for the REST endpoint with a certificate signed
by the abo
 Let *flink.company.org / ip:10.0.2.15* be the hostname of the Flink master (JobManager).
 
 {% highlight bash %}
-keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname "CN=flink.company.org"
-ext "SAN=dns:flink.company.org" -storepass rest_keystore_password -keypass rest_key_password
-keyalg RSA -keysize 4096
+keytool -genkeypair -alias flink.rest -keystore rest.signed.keystore -dname "CN=flink.company.org"
-ext "SAN=dns:flink.company.org" -storepass rest_keystore_password -keypass rest_key_password
-keyalg RSA -keysize 4096 -storetype PKCS12
 
 keytool -certreq -alias flink.rest -keystore rest.signed.keystore -storepass rest_keystore_password
-keypass rest_key_password -file rest.csr
 
@@ -252,6 +252,25 @@ security.ssl.rest.key-password: rest_key_password
 security.ssl.rest.truststore-password: ca_truststore_password
 {% endhighlight %}
 
+**Tips to query REST Endpoint with curl utility**
+
+You can convert the keystore into the `PEM` format using `openssl`:
+
+{% highlight bash %}
+openssl pkcs12 -passin pass:rest_keystore_password -in rest.keystore -out rest.pem -nodes
+{% endhighlight %}
+
+Then you can query REST Endpoint with `curl`:
+
+{% highlight bash %}
+curl --cacert rest.pem flink_url
+{% endhighlight %}
+
+If mutual SSL is enabled:
+
+{% highlight bash %}
+curl --cacert rest.pem --cert rest.pem flink_url
+{% endhighlight %}
 
 ## Tips for YARN / Mesos Deployment
 
diff --git a/flink-end-to-end-tests/test-scripts/common.sh b/flink-end-to-end-tests/test-scripts/common.sh
index 0024d82f3d6..ea267538639 100644
--- a/flink-end-to-end-tests/test-scripts/common.sh
+++ b/flink-end-to-end-tests/test-scripts/common.sh
@@ -41,13 +41,20 @@ echo "Flink dist directory: $FLINK_DIR"
 
 FLINK_VERSION=$(cat ${END_TO_END_DIR}/pom.xml | sed -n 's/.*<version>\(.*\)<\/version>/\1/p')
 
-USE_SSL=OFF # set via set_conf_ssl(), reset via revert_default_config()
 TEST_ROOT=`pwd -P`
 TEST_INFRA_DIR="$END_TO_END_DIR/test-scripts/"
 cd $TEST_INFRA_DIR
 TEST_INFRA_DIR=`pwd -P`
 cd $TEST_ROOT
 
+NODENAME=`hostname -f`
+
+# REST_PROTOCOL and CURL_SSL_ARGS can be modified in common_ssl.sh if SSL is activated
+# they should be used in curl command to query Flink REST API
+REST_PROTOCOL="http"
+CURL_SSL_ARGS=""
+source "${TEST_INFRA_DIR}/common_ssl.sh"
+
 function print_mem_use_osx {
     declare -a mem_types=("active" "inactive" "wired down")
     used=""
@@ -87,7 +94,8 @@ function revert_default_config() {
         mv -f $FLINK_DIR/conf/flink-conf.yaml.bak $FLINK_DIR/conf/flink-conf.yaml
     fi
 
-    USE_SSL=OFF
+    REST_PROTOCOL="http"
+    CURL_SSL_ARGS=""
 }
 
 function set_conf() {
@@ -170,46 +178,6 @@ function get_node_ip {
     echo ${ip_addr}
 }
 
-function set_conf_ssl {
-
-    # clean up the dir that will be used for SSL certificates and trust stores
-    if [ -e "${TEST_DATA_DIR}/ssl" ]; then
-       echo "File ${TEST_DATA_DIR}/ssl exists. Deleting it..."
-       rm -rf "${TEST_DATA_DIR}/ssl"
-    fi
-    mkdir -p "${TEST_DATA_DIR}/ssl"
-
-    NODENAME=`hostname -f`
-    SANSTRING="dns:${NODENAME}"
-    for NODEIP in $(get_node_ip) ; do
-        SANSTRING="${SANSTRING},ip:${NODEIP}"
-    done
-
-    echo "Using SAN ${SANSTRING}"
-
-    # create certificates
-    keytool -genkeypair -alias ca -keystore "${TEST_DATA_DIR}/ssl/ca.keystore" -dname "CN=Sample
CA" -storepass password -keypass password -keyalg RSA -ext bc=ca:true
-    keytool -keystore "${TEST_DATA_DIR}/ssl/ca.keystore" -storepass password -alias ca -exportcert
> "${TEST_DATA_DIR}/ssl/ca.cer"
-    keytool -importcert -keystore "${TEST_DATA_DIR}/ssl/ca.truststore" -alias ca -storepass
password -noprompt -file "${TEST_DATA_DIR}/ssl/ca.cer"
-
-    keytool -genkeypair -alias node -keystore "${TEST_DATA_DIR}/ssl/node.keystore" -dname
"CN=${NODENAME}" -ext SAN=${SANSTRING} -storepass password -keypass password -keyalg RSA
-    keytool -certreq -keystore "${TEST_DATA_DIR}/ssl/node.keystore" -storepass password -alias
node -file "${TEST_DATA_DIR}/ssl/node.csr"
-    keytool -gencert -keystore "${TEST_DATA_DIR}/ssl/ca.keystore" -storepass password -alias
ca -ext SAN=${SANSTRING} -infile "${TEST_DATA_DIR}/ssl/node.csr" -outfile "${TEST_DATA_DIR}/ssl/node.cer"
-    keytool -importcert -keystore "${TEST_DATA_DIR}/ssl/node.keystore" -storepass password
-file "${TEST_DATA_DIR}/ssl/ca.cer" -alias ca -noprompt
-    keytool -importcert -keystore "${TEST_DATA_DIR}/ssl/node.keystore" -storepass password
-file "${TEST_DATA_DIR}/ssl/node.cer" -alias node -noprompt
-
-    # adapt config
-    # (here we rely on security.ssl.enabled enabling SSL for all components and internal
as well as
-    # external communication channels)
-    set_conf security.ssl.enabled true
-    set_conf security.ssl.keystore ${TEST_DATA_DIR}/ssl/node.keystore
-    set_conf security.ssl.keystore-password password
-    set_conf security.ssl.key-password password
-    set_conf security.ssl.truststore ${TEST_DATA_DIR}/ssl/ca.truststore
-    set_conf security.ssl.truststore-password password
-    USE_SSL=ON
-}
-
 function start_ha_cluster {
     create_ha_config
     start_local_zk
@@ -243,19 +211,13 @@ function start_local_zk {
 
 function wait_dispatcher_running {
   # wait at most 10 seconds until the dispatcher is up
-  local QUERY_URL
-  if [ "x$USE_SSL" = "xON" ]; then
-    QUERY_URL="http://localhost:8081/taskmanagers"
-  else
-    QUERY_URL="https://localhost:8081/taskmanagers"
-  fi
+  local QUERY_URL="${REST_PROTOCOL}://${NODENAME}:8081/taskmanagers"
   for i in {1..10}; do
     # without the || true this would exit our script if the JobManager is not yet up
-    QUERY_RESULT=$(curl "$QUERY_URL" 2> /dev/null || true)
+    QUERY_RESULT=$(curl ${CURL_SSL_ARGS} "$QUERY_URL" 2> /dev/null || true)
 
     # ensure the taskmanagers field is there at all and is not empty
     if [[ ${QUERY_RESULT} =~ \{\"taskmanagers\":\[.+\]\} ]]; then
-
       echo "Dispatcher REST endpoint is up."
       break
     fi
@@ -280,8 +242,9 @@ function start_taskmanagers {
 }
 
 function start_and_wait_for_tm {
+  local url="${REST_PROTOCOL}://${NODENAME}:8081/taskmanagers"
 
-  tm_query_result=$(curl -s "http://localhost:8081/taskmanagers")
+  tm_query_result=$(curl ${CURL_SSL_ARGS} -s "${url}")
 
   # we assume that the cluster is running
   if ! [[ ${tm_query_result} =~ \{\"taskmanagers\":\[.*\]\} ]]; then
@@ -289,12 +252,12 @@ function start_and_wait_for_tm {
     exit 1
   fi
 
-  running_tms=`curl -s "http://localhost:8081/taskmanagers" | grep -o "id" | wc -l`
+  running_tms=`curl ${CURL_SSL_ARGS} -s "${url}" | grep -o "id" | wc -l`
 
   ${FLINK_DIR}/bin/taskmanager.sh start
 
   for i in {1..10}; do
-    local new_running_tms=`curl -s "http://localhost:8081/taskmanagers" | grep -o "id" |
wc -l`
+    local new_running_tms=`curl ${CURL_SSL_ARGS} -s "${url}" | grep -o "id" | wc -l`
     if [ $((new_running_tms-running_tms)) -eq 0 ]; then
       echo "TaskManager is not yet up."
     else
@@ -541,7 +504,7 @@ function get_job_metric {
   local job_id=$1
   local metric_name=$2
 
-  local json=$(curl -s http://localhost:8081/jobs/${job_id}/metrics?get=${metric_name})
+  local json=$(curl ${CURL_SSL_ARGS} -s ${REST_PROTOCOL}://${NODENAME}:8081/jobs/${job_id}/metrics?get=${metric_name})
   local metric_value=$(echo ${json} | sed -n 's/.*"value":"\(.*\)".*/\1/p')
 
   echo ${metric_value}
diff --git a/flink-end-to-end-tests/test-scripts/common_ssl.sh b/flink-end-to-end-tests/test-scripts/common_ssl.sh
new file mode 100644
index 00000000000..a5e19eaf835
--- /dev/null
+++ b/flink-end-to-end-tests/test-scripts/common_ssl.sh
@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+
+################################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+# NOTE: already sourced in common.sh
+
+function _set_conf_ssl_helper {
+    local type=$1 # 'internal' or external 'rest'
+    local ssl_dir="${TEST_DATA_DIR}/ssl/${type}"
+    local password="${type}.password"
+
+    if [ "${type}" != "internal" ] && [ "${type}" != "rest" ]; then
+        echo "Unknown type of ssl connectivity: ${type}. It can be either 'internal' or external
'rest'"
+        exit 1
+    fi
+
+    # clean up the dir that will be used for SSL certificates and trust stores
+    if [ -e "${ssl_dir}" ]; then
+       echo "File ${ssl_dir} exists. Deleting it..."
+       rm -rf "${ssl_dir}"
+    fi
+    mkdir -p "${ssl_dir}"
+
+    SANSTRING="dns:${NODENAME}"
+    for NODEIP in $(get_node_ip) ; do
+        SANSTRING="${SANSTRING},ip:${NODEIP}"
+    done
+
+    echo "Using SAN ${SANSTRING}"
+
+    # create certificates
+    keytool -genkeypair -alias ca -keystore "${ssl_dir}/ca.keystore" -dname "CN=Sample CA"
-storepass ${password} -keypass ${password} -keyalg RSA -ext bc=ca:true -storetype PKCS12
+    keytool -keystore "${ssl_dir}/ca.keystore" -storepass ${password} -alias ca -exportcert
> "${ssl_dir}/ca.cer"
+    keytool -importcert -keystore "${ssl_dir}/ca.truststore" -alias ca -storepass ${password}
-noprompt -file "${ssl_dir}/ca.cer"
+
+    keytool -genkeypair -alias node -keystore "${ssl_dir}/node.keystore" -dname "CN=${NODENAME}"
-ext SAN=${SANSTRING} -storepass ${password} -keypass ${password} -keyalg RSA -storetype PKCS12
+    keytool -certreq -keystore "${ssl_dir}/node.keystore" -storepass ${password} -alias node
-file "${ssl_dir}/node.csr"
+    keytool -gencert -keystore "${ssl_dir}/ca.keystore" -storepass ${password} -alias ca
-ext SAN=${SANSTRING} -infile "${ssl_dir}/node.csr" -outfile "${ssl_dir}/node.cer"
+    keytool -importcert -keystore "${ssl_dir}/node.keystore" -storepass ${password} -file
"${ssl_dir}/ca.cer" -alias ca -noprompt
+    keytool -importcert -keystore "${ssl_dir}/node.keystore" -storepass ${password} -file
"${ssl_dir}/node.cer" -alias node -noprompt
+
+    # keystore is converted into a pem format to use it as node.pem with curl in Flink REST
API queries, see also $CURL_SSL_ARGS
+    openssl pkcs12 -passin pass:${password} -in "${ssl_dir}/node.keystore" -out "${ssl_dir}/node.pem"
-nodes
+
+    # adapt config
+    # (here we rely on security.ssl.enabled enabling SSL for all components and internal
as well as
+    # external communication channels)
+    set_conf security.ssl.${type}.enabled true
+    set_conf security.ssl.${type}.keystore ${ssl_dir}/node.keystore
+    set_conf security.ssl.${type}.keystore-password ${password}
+    set_conf security.ssl.${type}.key-password ${password}
+    set_conf security.ssl.${type}.truststore ${ssl_dir}/ca.truststore
+    set_conf security.ssl.${type}.truststore-password ${password}
+}
+
+function _set_conf_mutual_rest_ssl {
+    local auth="${1:-server}" # only 'server' or 'mutual'
+    local mutual="false"
+    local ssl_dir="${TEST_DATA_DIR}/ssl/rest"
+    if [ "${auth}" == "mutual" ]; then
+        CURL_SSL_ARGS="${CURL_SSL_ARGS} --cert ${ssl_dir}/node.pem"
+        mutual="true";
+    fi
+    echo "Mutual ssl auth: ${mutual}"
+    set_conf security.ssl.rest.authentication-enabled ${mutual}
+}
+
+function set_conf_rest_ssl {
+    local auth="${1:-server}" # only 'server' or 'mutual'
+    local ssl_dir="${TEST_DATA_DIR}/ssl/rest"
+    _set_conf_ssl_helper "rest"
+    _set_conf_mutual_rest_ssl ${auth}
+    REST_PROTOCOL="https"
+    CURL_SSL_ARGS="${CURL_SSL_ARGS} --cacert ${ssl_dir}/node.pem"
+}
+
+function set_conf_ssl {
+    local auth="${1:-server}" # only 'server' or 'mutual'
+    _set_conf_ssl_helper "internal"
+    set_conf_rest_ssl ${auth}
+}
diff --git a/flink-end-to-end-tests/test-scripts/test_batch_allround.sh b/flink-end-to-end-tests/test-scripts/test_batch_allround.sh
index 2bdda8195d8..502c12f7dbe 100755
--- a/flink-end-to-end-tests/test-scripts/test_batch_allround.sh
+++ b/flink-end-to-end-tests/test-scripts/test_batch_allround.sh
@@ -29,7 +29,7 @@ echo "Run DataSet-Allround-Test Program"
 echo "taskmanager.network.memory.min: 10485760" >> $FLINK_DIR/conf/flink-conf.yaml
 echo "taskmanager.network.memory.max: 10485760" >> $FLINK_DIR/conf/flink-conf.yaml
 
-set_conf_ssl
+set_conf_ssl "server"
 start_cluster
 start_taskmanagers 3
 
diff --git a/flink-end-to-end-tests/test-scripts/test_streaming_file_sink.sh b/flink-end-to-end-tests/test-scripts/test_streaming_file_sink.sh
index 50f5afc1312..6c8d0b85435 100755
--- a/flink-end-to-end-tests/test-scripts/test_streaming_file_sink.sh
+++ b/flink-end-to-end-tests/test-scripts/test_streaming_file_sink.sh
@@ -22,6 +22,8 @@ OUT_TYPE="${1:-local}" # other type: s3
 source "$(dirname "$0")"/common.sh
 source "$(dirname "$0")"/common_s3.sh
 
+set_conf_ssl "mutual"
+
 OUT=out
 OUTPUT_PATH="$TEST_DATA_DIR/$OUT"
 S3_OUTPUT_PATH="s3://$ARTIFACTS_AWS_BUCKET/$OUT"


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Add end-to-end test for REST communication encryption
> -----------------------------------------------------
>
>                 Key: FLINK-10628
>                 URL: https://issues.apache.org/jira/browse/FLINK-10628
>             Project: Flink
>          Issue Type: Sub-task
>          Components: REST
>    Affects Versions: 1.7.0
>            Reporter: Till Rohrmann
>            Assignee: Andrey Zagrebin
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.7.0
>
>
> With FLINK-10371 we added support for mutual authentication for the REST communication.
We should adapt one of the existing end-to-end tests to require this feature for the REST
communication.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message