[ 
https://issues.apache.org/jira/browse/FLINK-37953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17967628#comment-17967628
 ] 

Basapuram Kumar commented on FLINK-37953:
-----------------------------------------

PR - https://github.com/apache/flink/pull/26677

> Add OBF password obfuscation support for SSL configurations
> -----------------------------------------------------------
>
>                 Key: FLINK-37953
>                 URL: https://issues.apache.org/jira/browse/FLINK-37953
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Network
>    Affects Versions: 1.19.1
>            Reporter: Basapuram Kumar
>            Priority: Major
>
> Hello Team,
> Currently, Flink's SSL configuration requires plaintext passwords for 
> keystore/truststore in:
>  * {{config.yaml}} (for internal RPC)
>  * {{history-server.conf}} (for Internal & REST endpoints)
> *Example Configurations:*
> 1. {{vim /etc/flink/conf/config.yaml}}
> {noformat}
> security:
>   ssl:
>     internal:
>       truststore: /etc/security/certificates/truststore.jks
>       enabled: 'true'
>       key-password: Hadoop@123 # PLAINTEXT EXPOSURE
>       truststore-password: Hadoop@123 # PLAINTEXT EXPOSURE
>       keystore-password: Hadoop@123 # PLAINTEXT EXPOSURE
>       keystore: /etc/security/certificates/keystore.jks{noformat}
> 2. {{vim /etc/flink/conf/history-server.conf/config.yaml}}
> {noformat}
> security:
>   ssl:
>     rest:
>       keystore-password: Hadoop@123  # Plain-text expose
>       authentication-enabled: 'false'
>       truststore-password: Hadoop@123  #Plain-text Expose
>       key-password: Hadoop@123        # Plain-Text Expose
>       truststore: /etc/security/certificates/truststore.jks
>       keystore: /etc/security/certificates/keystore.jks
>       enabled: 'true'
>     internal:
>       enabled: 'true'
>       key-password: Hadoop@123  #Plain-Text Expose
>       truststore-password: Hadoop@123  #Plain-Text Expose
>       keystore-password: Hadoop@123     #Plain-Text Expose
>       truststore: /etc/security/certificates/truststore.jks
>       keystore: /etc/security/certificates/keystore.jks{noformat}
> h2. *Proposed Solution*
> Implement support for Jetty's *OBF* password obfuscation format:
>  * Maintain backward compatibility with plaintext passwords
>  * Add automatic detection of OBF prefixes ({{OBF:}})
>  * Use Jetty's built-in {{Password}} class for decryption
>  * Support all SSL password fields:
>  ** {{key-password}}
>  ** {{keystore-password}}
>  ** {{truststore-password}}
> How to generate OBF passwords?
> {noformat}
> java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar org.eclipse.jetty.util.security.Password <SSL_keystore/truststore_password>{noformat}
> Ex:
> {noformat}
> java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar org.eclipse.jetty.util.security.Password Hadoop@123
> 2025-06-03 14:41:51.066:INFO::main: Logging initialized @126ms
> Hadoop@123
> OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
> MD5:d61eb912413c69c46d34b847ef660caa{noformat}
> Use this *OBF* password for the SSL configurations:
> {noformat}
> security.ssl.internal.key-password
> security.ssl.internal.keystore-password
> security.ssl.internal.truststore
> security.ssl.rest.key-password
> security.ssl.rest.keystore-password
> security.ssl.rest.truststore{noformat}
> After providing the OBF password:
> {noformat}
> vim /etc/flink/conf/history-server.conf/config.yaml{noformat}
> {noformat}
> security:
>   ssl:
>     rest:
>       keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       authentication-enabled: 'false'
>       truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       truststore: /etc/security/certificates/truststore.jks
>       keystore: /etc/security/certificates/keystore.jks
>       enabled: 'true'
>     internal:
>       enabled: 'true'
>       key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
>       truststore: /etc/security/certificates/truststore.jks
>       keystore: /etc/security/certificates/keystore.jks
> historyserver:
>   archive:
>     fs:
>       dir: hdfs://rl9-zk-ssl.acceldata.ce:8020/apps/odp/flink/completed-jobs/
>       refresh-interval: '10000'
>   web:
>     address: 0.0.0.0
>     port: '9022'
>     ssl:
>       enabled: 'true'
> {noformat}
>  
> Adding OBF password support significantly improves Flink's security by 
> eliminating plaintext password exposure in config files.
>  
> This aligns with security best practices already adopted across the Hadoop 
> ecosystem (ZooKeeper, Hadoop, Hive, Zeppelin, Ambari, etc.) and helps meet 
> compliance requirements.
>  
> The change is low-risk since it maintains backward compatibility while 
> providing immediate security benefits for new deployments.
>  
>  
>  
>  
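As an added illustration of the OBF format the quoted issue proposes (this is example code, not Flink's or Jetty's own implementation), the following Python re-implements Jetty's OBF encoding and decoding and the prefix-detecting, backward-compatible lookup the proposal describes; `resolve_ssl_password` is a hypothetical name. It reproduces the exact `OBF:` value shown above for `Hadoop@123`.

```python
# Added example (not Flink or Jetty code): a Python re-implementation of the
# Jetty OBF format discussed in the issue, plus the prefix-detecting resolver
# the proposal describes. resolve_ssl_password() is a hypothetical name.
OBF_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _B36[r] + out
    return out or "0"

def obfuscate(password: str) -> str:
    """Jetty OBF: pair byte i with byte len-1-i, emit a 4-char base-36 group.
    No key is involved, so the output is reversible by anyone who reads it."""
    b = password.encode("utf-8")
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes get a 'U' marker and the raw pair in base 36.
            groups.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            groups.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)

def deobfuscate(value: str) -> str:
    """Inverse of obfuscate(); accepts the value with or without the prefix."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # (254 + 2*b1 - 254) / 2 == b1
            i += 4
    return out.decode("utf-8")

def resolve_ssl_password(configured: str) -> str:
    """Backward-compatible lookup as proposed: decode OBF: values, pass others through."""
    if configured.startswith(OBF_PREFIX):
        return deobfuscate(configured)
    return configured
```

Because `deobfuscate()` needs no secret, an OBF value in config.yaml is only as protected as the file's permissions: it prevents casual exposure in logs, screenshots and shoulder-surfing, not recovery by anyone who can read the file.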



--
This message was sent by Atlassian Jira
(v8.20.10#820010)