[ https://issues.apache.org/jira/browse/FLINK-37953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Basapuram Kumar updated FLINK-37953:
------------------------------------
    Description: 
Hello Team,

Currently, Flink's SSL configuration requires plaintext passwords for 
keystore/truststore in:
 * {{config.yaml}} (for internal RPC)
 * {{history-server.conf/config.yaml}} (for Internal & REST endpoints)

*Example Configurations:*

1. {code:bash}
vim /etc/flink/conf/config.yaml{code}
{noformat}
security:
  ssl:
    internal:
      truststore: /etc/security/certificates/truststore.jks
      enabled: 'true'
      key-password: Hadoop@123 # PLAINTEXT EXPOSURE
      truststore-password: Hadoop@123 # PLAINTEXT EXPOSURE
      keystore-password: Hadoop@123 # PLAINTEXT EXPOSURE
      keystore: /etc/security/certificates/keystore.jks{noformat}
2. {code:bash}
vim /etc/flink/conf/history-server.conf/config.yaml{code}
{noformat}
security:
  ssl:
    rest:
      keystore-password: Hadoop@123  # PLAINTEXT EXPOSURE
      authentication-enabled: 'false'
      truststore-password: Hadoop@123  # PLAINTEXT EXPOSURE
      key-password: Hadoop@123        # PLAINTEXT EXPOSURE
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks
      enabled: 'true'
    internal:
      enabled: 'true'
      key-password: Hadoop@123  # PLAINTEXT EXPOSURE
      truststore-password: Hadoop@123  # PLAINTEXT EXPOSURE
      keystore-password: Hadoop@123     # PLAINTEXT EXPOSURE
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks{noformat}
h2. *Proposed Solution*

Implement support for Jetty's *OBF* password obfuscation format:
 * Maintain backward compatibility with plaintext passwords
 * Add automatic detection of OBF prefixes ({{OBF:}})
 * Use Jetty's built-in {{Password}} class for decryption
 * Support all SSL password fields:
 ** {{key-password}}
 ** {{keystore-password}}
 ** {{truststore-password}}

How to generate OBF passwords?
{noformat}
java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar \
    org.eclipse.jetty.util.security.Password <SSL_keystore/truststore_password>{noformat}
Example:
{noformat}
java -cp flink/opt/flink-azure-fs-hadoop-1.19.1.jar \
    org.eclipse.jetty.util.security.Password Hadoop@123

2025-06-03 14:41:51.066:INFO::main: Logging initialized @126ms
Hadoop@123
OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
MD5:d61eb912413c69c46d34b847ef660caa{noformat}
Use this *OBF* password for the SSL configurations:
{noformat}
security.ssl.internal.key-password
security.ssl.internal.keystore-password
security.ssl.internal.truststore

security.ssl.rest.key-password
security.ssl.rest.keystore-password
security.ssl.rest.truststore{noformat}
After providing the OBF password:
{code:bash}
vim /etc/flink/conf/history-server.conf/config.yaml{code}
{noformat}
security:
  ssl:
    rest:
      keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      authentication-enabled: 'false'
      truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks
      enabled: 'true'
    internal:
      enabled: 'true'
      key-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      keystore-password: OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq
      truststore: /etc/security/certificates/truststore.jks
      keystore: /etc/security/certificates/keystore.jks

historyserver:
  archive:
    fs:
      dir: hdfs://rl9-zk-ssl.acceldata.ce:8020/apps/odp/flink/completed-jobs/
      refresh-interval: '10000'
  web:
    address: 0.0.0.0
    port: '9022'
    ssl:
      enabled: 'true'
{noformat}

Adding OBF password support significantly improves Flink's security by 
eliminating plaintext password exposure in config files.

This aligns with security best practices already adopted across the Hadoop 
ecosystem (ZooKeeper, Hadoop, Hive, Zeppelin, Ambari, etc.) and helps meet 
compliance requirements.

The change is low-risk since it maintains backward compatibility while 
providing immediate security benefits for new deployments.
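To make the proposal concrete and checkable without a JVM, the following is an added example (not Flink code and not Jetty's own source) that re-implements the OBF encoding used by {{org.eclipse.jetty.util.security.Password}} in Python, applies the "decode if prefixed, otherwise pass through" rule the ticket asks for, and audits or rewrites a config fragment. The function names ({{obfuscate}}, {{deobfuscate}}, {{resolve_password}}, {{plaintext_password_keys}}, {{rewrite_with_obf}}) are my own and the sample config is copied from the plaintext history-server example above. One point worth keeping in mind when reviewing the change: OBF has no key, so anyone who can read {{config.yaml}} can recover the password exactly as {{deobfuscate}} does below; it stops a password from being readable at a glance, but file permissions on the config directory remain the actual control.

```python
"""Jetty OBF: password encoding, re-implemented for illustration (added example,
not Flink or Jetty code). Mirrors Password.obfuscate / Password.deobfuscate.
Helper names below are assumptions of this example, not Flink configuration keys.
"""
import re

OBF_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36, like Integer.toString(n, 36).toLowerCase()."""
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
        if n == 0:
            return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Encode a password the way Jetty's Password.obfuscate does (keyless)."""
    b = password.encode("utf-8")
    n = len(b)
    out = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = b[i], b[n - (i + 1)]        # each byte is paired with its mirror
        if b1 >= 0x80 or b2 >= 0x80:         # non-ASCII pair: 'U' + 4-char chunk
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:                                # ASCII pair: 4-char chunk
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(value: str) -> str:
    """Reverse obfuscate(); no secret is needed, which is why OBF is not encryption."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
            i += 4
    return raw.decode("utf-8")


def resolve_password(configured: str) -> str:
    """Behaviour the ticket proposes: OBF: values are decoded, plaintext passes through."""
    if configured.startswith(OBF_PREFIX):
        return deobfuscate(configured)
    return configured


# Matches "<key ending in password>: <value>" with optional quotes and trailing comment.
_PASSWORD_LINE = re.compile(r"^(\s*[\w.-]*password\s*:\s*)(['\"]?)([^\s'\"#]+)\2")


def plaintext_password_keys(config_text: str) -> list:
    """Audit helper: password keys whose value is not OBF-prefixed."""
    found = []
    for line in config_text.splitlines():
        m = _PASSWORD_LINE.match(line)
        if m and not m.group(3).startswith(OBF_PREFIX):
            found.append(m.group(1).split(":")[0].strip())
    return found


def rewrite_with_obf(config_text: str) -> str:
    """Migration helper: replace every plaintext password value with its OBF form."""
    def repl(m):
        value = m.group(3)
        return m.group(0) if value.startswith(OBF_PREFIX) else m.group(1) + obfuscate(value)
    return "\n".join(_PASSWORD_LINE.sub(repl, line, count=1)
                     for line in config_text.splitlines())


# Constructed sample: the plaintext history-server fragment from the ticket.
SAMPLE_CONFIG = """\
security:
  ssl:
    rest:
      keystore-password: Hadoop@123  # PLAINTEXT EXPOSURE
      authentication-enabled: 'false'
      truststore-password: Hadoop@123  # PLAINTEXT EXPOSURE
      key-password: Hadoop@123        # PLAINTEXT EXPOSURE
      enabled: 'true'
    internal:
      enabled: 'true'
      key-password: Hadoop@123
      truststore-password: Hadoop@123
      keystore-password: Hadoop@123
"""
```

Running {{obfuscate("Hadoop@123")}} reproduces the {{OBF:1dhw1i9a1inm1nse1x8e1x8g1nps1iks1i6o1dgq}} value shown in the ticket, and {{plaintext_password_keys}} reports all six plaintext entries in the sample before {{rewrite_with_obf}} and none after it, which is the kind of check a deployment linter could run before the history server starts.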

> Add OBF password obfuscation support for SSL configurations
> -----------------------------------------------------------
>
>                 Key: FLINK-37953
>                 URL: https://issues.apache.org/jira/browse/FLINK-37953
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Network
>    Affects Versions: 1.19.1
>            Reporter: Basapuram Kumar
>            Priority: Major
>              Labels: pull-request-available
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
