Basapuram Kumar created FLINK-37953:
---------------------------------------

             Summary: Add OBF password obfuscation support for SSL 
configurations
                 Key: FLINK-37953
                 URL: https://issues.apache.org/jira/browse/FLINK-37953
             Project: Flink
          Issue Type: Improvement
          Components: Runtime / Network
    Affects Versions: 1.19.1
            Reporter: Basapuram Kumar


Hello Team,

Currently, Flink's SSL configuration requires plaintext passwords for 
keystore/truststore in:
 * {{config.yaml}} (for internal RPC)

 * {{history-server.conf}} (for Internal & REST endpoints)

*Example Configurations:*

1.
{noformat}
vim /etc/flink/conf/config.yaml{noformat}
{noformat}
security:
  ssl:
    internal:
      truststore: /etc/security/certificates/truststore.jks
      enabled: 'true'
      key-password: Hadoop@123          # PLAINTEXT EXPOSURE
      truststore-password: Hadoop@123   # PLAINTEXT EXPOSURE
      keystore-password: Hadoop@123     # PLAINTEXT EXPOSURE
      keystore: /etc/security/certificates/keystore.jks{noformat}
2.
{noformat}
vim /etc/flink/conf/history-server.conf/config.yaml{noformat}

{noformat}
security:
  ssl:
    rest:
      keystore-password: Hadoop@123     # PLAINTEXT EXPOSURE
      authentication-enabled: 'false'
      truststore-password: Hadoop@123   # PLAINTEXT EXPOSURE
      key-password: Hadoop@123          # PLAINTEXT EXPOSURE
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks
      enabled: 'true'
    internal:
      enabled: 'true'
      key-password: Hadoop@123          # PLAINTEXT EXPOSURE
      truststore-password: Hadoop@123   # PLAINTEXT EXPOSURE
      keystore-password: Hadoop@123     # PLAINTEXT EXPOSURE
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks{noformat}
h2. *Proposed Solution*

Implement support for Jetty's *OBF* password obfuscation format:
 * Maintain backward compatibility with plaintext passwords

 * Add automatic detection of OBF prefixes ({{OBF:}})

 * Use Jetty's built-in {{Password}} class for decryption

 * Support all SSL password fields:

 ** {{key-password}}

 ** {{keystore-password}}

 ** {{truststore-password}}

How to generate OBF passwords?

{noformat}
java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar org.eclipse.jetty.util.security.Password <SSL_keystore/truststore_password>{noformat}
Example:
{noformat}
java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar org.eclipse.jetty.util.security.Password Hadoop@123

2025-06-03 14:41:51.066:INFO::main: Logging initialized @126ms
Hadoop@123
OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
MD5:d61eb912413c69c46d34b847ef660caa{noformat}
Use this *OBF* password for the SSL configuration keys:
{noformat}
security.ssl.internal.key-password
security.ssl.internal.keystore-password
security.ssl.internal.truststore-password

security.ssl.rest.key-password
security.ssl.rest.keystore-password
security.ssl.rest.truststore-password{noformat}

After providing the OBF password:
{noformat}
vim /etc/flink/conf/history-server.conf/config.yaml{noformat}
{noformat}
security:
  ssl:
    rest:
      keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      authentication-enabled: 'false'
      truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks
      enabled: 'true'
    internal:
      enabled: 'true'
      key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks

historyserver:
  archive:
    fs:
      dir: hdfs://rl9-zk-ssl.acceldata.ce:8020/apps/odp/flink/completed-jobs/
      refresh-interval: '10000'
  web:
    address: 0.0.0.0
    port: '9022'
    ssl:
      enabled: 'true'

{noformat}
 

Adding OBF password support significantly improves Flink's security by 
eliminating plaintext password exposure in config files.

 

This aligns with security best practices already adopted across the Hadoop 
ecosystem (ZooKeeper, Hadoop, Hive, Zeppelin, Ambari, etc.) and helps meet 
compliance requirements.

 

The change is low-risk since it maintains backward compatibility while 
providing immediate security benefits for new deployments.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

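Added example, not part of FLINK-37953 or of the Flink or Jetty code base: a stand-alone Python re-implementation of the OBF scheme that `org.eclipse.jetty.util.security.Password` prints in the report, plus a `resolve_password` helper (a name assumed here, not a Flink API) that does what the proposal asks Flink to do: decode values carrying the `OBF:` prefix and pass anything else through unchanged. It reproduces and reverses the `Hadoop@123` value from the report, and also handles non-ASCII passwords (the `U`-prefixed chunks), which the report does not show. The property worth seeing in code is that decoding needs no key: any user or process that can read `config.yaml` recovers the plaintext with `deobfuscate`, so OBF keeps the password out of casual view, while the file permissions on the config still carry the real protection.

```python
"""Stand-alone re-implementation of Jetty's OBF password obfuscation.

Added example for FLINK-37953; not code from Flink or Jetty. It mirrors the
algorithm in org.eclipse.jetty.util.security.Password (obfuscate/deobfuscate)
so the config values in the report can be reproduced and reversed offline.
"""

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 string for n >= 0 (Java's Integer.toString(n, 36))."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Encode a password the way Password.obfuscate() does.

    Each UTF-8 byte b1 is paired with the byte mirrored from the other end of
    the string (b2); the pair is folded into one 4-character base-36 chunk.
    Bytes >= 0x80 (negative as Java signed bytes) get a 5-character 'U' chunk.
    """
    data = password.encode("utf-8")
    chunks = [OBF_PREFIX]
    for i, b1 in enumerate(data):
        b2 = data[len(data) - (i + 1)]
        if b1 >= 0x80 or b2 >= 0x80:
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(value: str) -> str:
    """Reverse obfuscate(). No key or secret is involved: each original byte
    is recovered from its chunk by arithmetic alone, so anyone who can read
    the config file can run this."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            # 'U' chunk: the high byte of the base-36 number is the original byte.
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            # Regular chunk: i1 = 127 + b1 + b2 and i2 = 127 + b1 - b2, so
            # b1 = (i1 + i2 - 254) / 2; the mirrored byte b2 cancels out.
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


def resolve_password(configured: str) -> str:
    """What the proposed Flink change would do for an SSL password option:
    detect the OBF: prefix and decode it, otherwise keep the plaintext value
    unchanged (backward compatibility). Hypothetical helper, not a Flink API."""
    if configured.startswith(OBF_PREFIX):
        return deobfuscate(configured)
    return configured


if __name__ == "__main__":
    # Constructed sample: the value used in the report.
    encoded = obfuscate("Hadoop@123")
    print(encoded)                     # OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
    print(resolve_password(encoded))   # Hadoop@123
    print(resolve_password("plain-value-stays-plain"))
```

Run it with `python3`; the first line printed matches the `OBF:` string that the Jetty `Password` tool produced in the report, and the second line is that string decoded without any key.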