Hi Suchithra, I'm not sure you can actually pass passwords in any other way. I'm also not sure this is needed if these are job-/cluster-specific because then, an attacker would have to have access to that first in order to get these credentials. And if the attacker has access to the job/cluster, it would be possible to extract this from the Java process.
Our Ververica Platform, for example, also creates these key/truststores per deployment [1] and uses Kubernetes secrets to store the certificates.

Nico

[1] https://docs.ververica.com/user_guide/application_operations/deployments/configure_flink.html?highlight=ssl#implementation-details

On Friday, 16 October 2020 10:56:35 CET V N, Suchithra (Nokia - IN/Bangalore) wrote:
> Hello,
>
> I have a query regarding the ssl configuration in flink. In flink with ssl
> enabled, flink-conf.yaml configuration file will contain the cleartext
> passwords for keystore and truststore files. Suppose if any attacker gains
> access to this configuration file, using these passwords keystore and
> truststore files can be read. What is the community approach to protect
> these passwords ?
>
> Regards,
> Suchithra

--
Dr. Nico Kruber | Solutions Architect
Follow us @VervericaData Ververica
--
Join Flink Forward - The Apache Flink Conference
Stream Processing | Event Driven | Real Time
--
Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany
--
Ververica GmbH
Registered at Amtsgericht Charlottenburg: HRB 158244 B
Managing Directors: Yip Park Tung Jason, Jinwei (Kevin) Zhang, Karl Anton Wehner
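Since the thread turns on who can read `flink-conf.yaml`, here is an added example (not part of the mail thread or of Flink) that reports which SSL password options a config file sets and whether the file is accessible beyond its owner. It assumes the flat `key: value` layout of `flink-conf.yaml` and Flink's `security.ssl.*` password option names; the function names and the sample config are constructed for illustration.

```python
import os
import stat
import tempfile

# Suffixes of Flink's security.ssl.* password options (internal and REST).
PASSWORD_SUFFIXES = ("keystore-password", "key-password", "truststore-password")

# Constructed sample config; the values are placeholders, not real secrets.
SAMPLE_CONF = """\
security.ssl.internal.enabled: true
security.ssl.internal.keystore: /path/to/internal.keystore
security.ssl.internal.keystore-password: constructed-ks-pass
security.ssl.internal.key-password: constructed-key-pass
security.ssl.internal.truststore-password: constructed-ts-pass
# security.ssl.rest.keystore-password: commented-out
"""

def find_ssl_password_keys(conf_text):
    """Return the security.ssl.* password keys that carry a value."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key.startswith("security.ssl.") and key.endswith(PASSWORD_SUFFIXES) and value.strip():
            found.append(key)  # record the key only, never the value
    return found

def audit(path):
    """Report password keys and whether group/other have any access."""
    with open(path, encoding="utf-8") as fh:
        keys = find_ssl_password_keys(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"password_keys": keys, "mode": oct(mode), "exposed": bool(keys) and exposed}

def demo():
    """Audit the sample config at mode 0644, then again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "flink-conf.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)

if __name__ == "__main__":
    for result in demo():
        print(result)
```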