org.apache.flink.configuration.SecurityOptions Java Examples
The following examples show how to use
org.apache.flink.configuration.SecurityOptions.
Example #1
Source File: SSLStoreOverlayTest.java From flink with Apache License 2.0 | 6 votes |
/**
 * Verifies that {@link SSLStoreOverlay#configure} ships both stores into the container and
 * rewrites the container's Flink configuration to the in-container store paths.
 *
 * <p>Two empty temp files stand in for the stores: only the path/artifact plumbing is checked
 * here, not the store contents or passwords.
 */
@Test
public void testConfigure() throws Exception {
    final File keystoreSource = tempFolder.newFile();
    final File truststoreSource = tempFolder.newFile();

    final ContainerSpecification spec = new ContainerSpecification();
    new SSLStoreOverlay(keystoreSource, truststoreSource).configure(spec);

    // keystore: config key now points at the target path, and the file is listed as an artifact
    assertEquals(
        TARGET_KEYSTORE_PATH.getPath(),
        spec.getFlinkConfiguration().getString(SecurityOptions.SSL_KEYSTORE));
    checkArtifact(spec, TARGET_KEYSTORE_PATH);

    // truststore: same contract
    assertEquals(
        TARGET_TRUSTSTORE_PATH.getPath(),
        spec.getFlinkConfiguration().getString(SecurityOptions.SSL_TRUSTSTORE));
    checkArtifact(spec, TARGET_TRUSTSTORE_PATH);
}
Example #2
Source File: BlobServerSSLTest.java From flink with Apache License 2.0 | 6 votes |
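/**
 * Internal SSL is enabled but both stores point at a path that does not exist; the
 * {@link BlobServer} constructor must refuse to start.
 *
 * <p>The failure must be an {@link IOException} whose cause chain carries the SSL
 * initialisation message. The two {@code findThrowable*} lookups used to run without their
 * results being checked, which let any exception (e.g. an unrelated NPE) pass this test; they
 * are now asserted on.
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
    final Configuration config = new Configuration();
    config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    config.setString(SecurityOptions.SSL_KEYSTORE, "invalid.keystore");
    config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_TRUSTSTORE, "invalid.keystore");
    config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");

    try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
        // fail() throws an AssertionError, which the catch below does not swallow
        fail("BlobServer started although the configured key/trust store does not exist");
    } catch (Exception e) {
        // pin the failure reason instead of accepting any exception
        if (!findThrowable(e, IOException.class).isPresent()) {
            fail("Expected an IOException in the cause chain, got: " + e);
        }
        if (!findThrowableWithMessage(e, "Failed to initialize SSL for the blob server").isPresent()) {
            fail("Unexpected failure reason: " + e);
        }
    }
}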
Example #3
Source File: SSLStoreOverlay.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
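/**
 * Configures the overlay from the global Flink configuration.
 *
 * <p>The following settings are read:
 * <ul>
 *   <li>{@code security.ssl.keystore}</li>
 *   <li>{@code security.ssl.truststore}</li>
 * </ul>
 *
 * <p>Each configured path must be an existing regular file. A directory or a dangling path is
 * rejected here with an {@link IllegalStateException} naming the offending key, instead of
 * failing later with a less specific error when the store is opened (previously only
 * {@code exists()} was checked, so a directory passed). This is a configuration-time check
 * only: store contents and passwords are not validated.
 *
 * @param globalConfiguration the global Flink configuration to read the store paths from
 * @return this builder
 * @throws IllegalStateException if a configured store path is not an existing regular file
 */
public Builder fromEnvironment(Configuration globalConfiguration) {
    final String keystore = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
    if (keystore != null) {
        final File keystoreCandidate = new File(keystore);
        if (!keystoreCandidate.isFile()) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
        }
        // assigned only after the check, so a rejected path never ends up in the builder
        keystorePath = keystoreCandidate;
    }

    final String truststore = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
    if (truststore != null) {
        final File truststoreCandidate = new File(truststore);
        if (!truststoreCandidate.isFile()) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
        }
        truststorePath = truststoreCandidate;
    }

    return this;
}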
Example #4
Source File: BlobServerSSLTest.java From flink with Apache License 2.0 | 6 votes |
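/**
 * Internal SSL is enabled with valid key/trust stores, but {@code security.ssl.algorithms} is
 * given {@code TLSv1,TLSv1.1} — presumably protocol names where cipher-suite names are
 * expected. The {@link BlobServer} must refuse to start rather than fall back to some default
 * suite list.
 *
 * <p>The SSL error surfaces wrapped in the generic "Unable to open BLOB Server in specified
 * port range" {@link IOException}. The two {@code findThrowable*} lookups used to run without
 * their results being checked, so any exception passed; they are now asserted on.
 */
@Test
public void testFailedToInitWithTwoProtocolsSet() {
    final Configuration config = new Configuration();
    config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    config.setString(SecurityOptions.SSL_KEYSTORE, getClass().getResource("/local127.keystore").getPath());
    config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_TRUSTSTORE, getClass().getResource("/local127.truststore").getPath());
    config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");
    // the invalid part of the configuration
    config.setString(SecurityOptions.SSL_ALGORITHMS, "TLSv1,TLSv1.1");

    try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
        // fail() throws an AssertionError, which the catch below does not swallow
        fail("BlobServer started although the configured cipher suites are invalid");
    } catch (Exception e) {
        // pin the failure reason instead of accepting any exception
        if (!findThrowable(e, IOException.class).isPresent()) {
            fail("Expected an IOException in the cause chain, got: " + e);
        }
        if (!findThrowableWithMessage(e, "Unable to open BLOB Server in specified port range: 0").isPresent()) {
            fail("Unexpected failure reason: " + e);
        }
    }
}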
Example #5
Source File: SSLStoreOverlay.java From flink with Apache License 2.0 | 6 votes |
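/**
 * Configures the overlay from the global Flink configuration.
 *
 * <p>The following settings are read:
 * <ul>
 *   <li>{@code security.ssl.keystore}</li>
 *   <li>{@code security.ssl.truststore}</li>
 * </ul>
 *
 * <p>Each configured path must be an existing regular file. A directory or a dangling path is
 * rejected here with an {@link IllegalStateException} naming the offending key, instead of
 * failing later with a less specific error when the store is opened (previously only
 * {@code exists()} was checked, so a directory passed). This is a configuration-time check
 * only: store contents and passwords are not validated.
 *
 * @param globalConfiguration the global Flink configuration to read the store paths from
 * @return this builder
 * @throws IllegalStateException if a configured store path is not an existing regular file
 */
public Builder fromEnvironment(Configuration globalConfiguration) {
    final String keystore = globalConfiguration.getString(SecurityOptions.SSL_KEYSTORE);
    if (keystore != null) {
        final File keystoreCandidate = new File(keystore);
        if (!keystoreCandidate.isFile()) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_KEYSTORE.key());
        }
        // assigned only after the check, so a rejected path never ends up in the builder
        keystorePath = keystoreCandidate;
    }

    final String truststore = globalConfiguration.getString(SecurityOptions.SSL_TRUSTSTORE);
    if (truststore != null) {
        final File truststoreCandidate = new File(truststore);
        if (!truststoreCandidate.isFile()) {
            throw new IllegalStateException("Invalid configuration for " + SecurityOptions.SSL_TRUSTSTORE.key());
        }
        truststorePath = truststoreCandidate;
    }

    return this;
}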
Example #6
Source File: SSLUtils.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * Builds the {@link SSLHandlerFactory} used by client endpoints of Flink's internal
 * communication.
 *
 * @param config the Flink configuration; internal SSL must be enabled
 * @return a handler factory backed by the internal {@link SSLContext}, the configured
 *     protocols and cipher suites, and the configured handshake / close-notify timeouts
 * @throws IllegalConfigurationException if {@link #createInternalSSLContext} yields no context,
 *     i.e. SSL is not enabled for internal communication
 * @throws Exception if the SSL context cannot be created (propagated from the helpers)
 */
public static SSLHandlerFactory createInternalClientSSLEngineFactory(final Configuration config) throws Exception {
    final SSLContext sslContext = createInternalSSLContext(config);
    if (sslContext == null) {
        throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
    }

    final int handshakeTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT);
    final int closeNotifyFlushTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT);

    // NOTE(review): both boolean flags are true here — presumably "client mode" and
    // "authenticate the peer" (mutual TLS); confirm against SSLHandlerFactory's constructor
    // before relying on that reading.
    return new SSLHandlerFactory(
        sslContext,
        getEnabledProtocols(config),
        getEnabledCipherSuites(config),
        true,
        true,
        handshakeTimeout,
        closeNotifyFlushTimeout);
}
Example #7
Source File: YarnTaskExecutorRunnerTest.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * Checks that the Kerberos principal and keytab passed to the TaskExecutor through the YARN
 * environment end up both in the installed {@link HadoopModule} and in the Flink
 * {@link Configuration}.
 *
 * <p>{@code KEYTAB_PATH} points at the test resources directory; the keytab is expected to be
 * resolved as {@code <dir>/<Utils.KEYTAB_FILE_NAME>}.
 */
@Test
public void testKerberosKeytabConfiguration() throws Exception {
    final String resourceDirPath = Paths.get("src", "test", "resources").toAbsolutePath().toString();
    final String expectedPrincipal = "testuser1@domain";
    final String expectedKeytab = new File(resourceDirPath, Utils.KEYTAB_FILE_NAME).getAbsolutePath();

    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, expectedPrincipal);
    envs.put(YarnConfigKeys.KEYTAB_PATH, resourceDirPath);

    final Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupConfigurationAndInstallSecurityContext(configuration, resourceDirPath, envs);

    // the installed security context must contain a HadoopModule carrying exactly these credentials
    final HadoopModule hadoopModule = SecurityUtils.getInstalledModules().stream()
        .filter(module -> module instanceof HadoopModule)
        .map(module -> (HadoopModule) module)
        .findFirst()
        .orElse(null);
    if (hadoopModule == null) {
        fail("Can not find HadoopModule!");
    }
    assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is(expectedPrincipal));
    assertThat(hadoopModule.getSecurityConfig().getKeytab(), is(expectedKeytab));

    // ... and the same values must be reflected in the Flink configuration
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB), is(expectedKeytab));
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(expectedPrincipal));
}
Example #8
Source File: SSLUtils.java From flink with Apache License 2.0 | 6 votes |
/**
 * Loads the configured truststore and wraps it in a {@link TrustManagerFactory}.
 *
 * <p>Which options are consulted depends on {@code internal}: the internal-communication
 * truststore options or the REST ones. In both cases the shared {@code security.ssl.truststore}
 * / {@code security.ssl.truststore-password} option is passed as the second argument to
 * {@code getAndCheckOption} — presumably the deprecated fallback key; that helper is also what
 * rejects a missing value, so the strings used below are non-null.
 *
 * <p>The store is opened with the JVM's default keystore type. Note that a truststore password
 * only lets {@link KeyStore#load} verify store integrity; it protects no private key, but it is
 * still a {@link String} in the configuration and cannot be wiped here.
 *
 * @param config   the Flink configuration
 * @param internal {@code true} for internal communication, {@code false} for the REST endpoint
 * @return a factory initialised from the configured truststore
 * @throws IOException              if the truststore file cannot be read
 * @throws KeyStoreException        if the default store type is unavailable or the factory cannot be initialised
 * @throws NoSuchAlgorithmException if the default trust-manager or integrity algorithm is missing
 * @throws CertificateException     if a certificate in the store cannot be loaded
 */
private static TrustManagerFactory getTrustManagerFactory(Configuration config, boolean internal)
        throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {

    final String storePath;
    final String storePassword;
    if (internal) {
        storePath = getAndCheckOption(config, SecurityOptions.SSL_INTERNAL_TRUSTSTORE, SecurityOptions.SSL_TRUSTSTORE);
        storePassword = getAndCheckOption(config, SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD, SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
    } else {
        storePath = getAndCheckOption(config, SecurityOptions.SSL_REST_TRUSTSTORE, SecurityOptions.SSL_TRUSTSTORE);
        storePassword = getAndCheckOption(config, SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
    }

    final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream storeStream = Files.newInputStream(new File(storePath).toPath())) {
        trustStore.load(storeStream, storePassword.toCharArray());
    }

    final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init(trustStore);
    return factory;
}
Example #9
Source File: NettyClientServerSslTest.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * A client presenting a certificate the server does not trust must not be able to exchange data.
 *
 * <p>Both sides start from the same SSL configuration; only the client's keystore is swapped
 * for one holding an untrusted identity, so the server-side trust check is what should reject
 * the connection.
 *
 * <p>Caveat: the assertion only checks that the first write fails. It does not inspect the
 * cause, so a failure for any other reason (e.g. the channel closing early) would also pass.
 */
@Test
public void testClientUntrustedCertificate() throws Exception {
    final Configuration serverConfig = createSslConfig();
    final Configuration clientConfig = createSslConfig();
    // the only difference between the two sides: an identity absent from the server's truststore
    clientConfig.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE, "src/test/resources/untrusted.keystore");

    final NettyBufferPool bufferPool = new NettyBufferPool(1);
    final NettyProtocol protocol = new NoOpProtocol();
    final NettyServer server = NettyTestUtil.initServer(createNettyConfig(serverConfig), protocol, bufferPool);
    final NettyClient client = NettyTestUtil.initClient(createNettyConfig(clientConfig), protocol, bufferPool);
    final NettyServerAndClient serverAndClient = new NettyServerAndClient(server, client);

    final Channel ch = NettyTestUtil.connect(serverAndClient);
    ch.pipeline().addLast(new StringDecoder()).addLast(new StringEncoder());

    // with the handshake expected to fail, writing over the channel must not succeed
    assertFalse(ch.writeAndFlush("test").await().isSuccess());

    NettyTestUtil.shutdown(serverAndClient);
}
Example #10
Source File: SecurityUtilsTest.java From flink with Apache License 2.0 | 6 votes |
/**
 * Two security context factories are configured; the first declares itself incompatible, so
 * installation must fall back to the second one (fallback order is the list order).
 * Uninstalling must then leave the no-op context in place.
 */
@Test
public void testSecurityContextShouldFallbackToSecond() throws Exception {
    final Configuration flinkConfig = new Configuration();
    flinkConfig.set(
        SecurityOptions.SECURITY_CONTEXT_FACTORY_CLASSES,
        Lists.newArrayList(
            IncompatibleTestSecurityContextFactory.class.getCanonicalName(),
            TestSecurityContextFactory.class.getCanonicalName()));

    SecurityUtils.install(new SecurityConfiguration(flinkConfig));
    assertEquals(
        TestSecurityContextFactory.TestSecurityContext.class,
        SecurityUtils.getInstalledContext().getClass());

    // tear down and make sure nothing of the test context lingers
    SecurityUtils.uninstall();
    assertEquals(NoOpSecurityContext.class, SecurityUtils.getInstalledContext().getClass());
}
Example #11
Source File: NettyClientServerSslTest.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * An SSL configuration with a wrong keystore password must not yield a working server/client pair.
 *
 * <p>Caveat: {@code catch (Exception e)} accepts any exception, so this does not pin that the
 * failure is the bad password specifically. Tightening it would need the exact exception
 * wrapping done by the SSL setup, which is not visible here.
 */
@Test
public void testInvalidSslConfiguration() throws Exception {
    final Configuration config = createSslConfig();
    // only the keystore password is broken; everything else stays valid
    config.setString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD, "invalidpassword");
    final NettyConfig nettyConfig = createNettyConfig(config);

    final NettyProtocol protocol = new NoOpProtocol();
    NettyTestUtil.NettyServerAndClient serverAndClient = null;
    try {
        serverAndClient = NettyTestUtil.initServerAndClient(protocol, nettyConfig);
        // Assert.fail() throws an AssertionError, which the catch below does not swallow
        Assert.fail("Created server and client from invalid configuration");
    } catch (Exception e) {
        // expected: the SSL setup rejects the configuration
    }

    // shutdown tolerates the null left behind on the expected path
    NettyTestUtil.shutdown(serverAndClient);
}
Example #12
Source File: SSLStoreOverlay.java From flink with Apache License 2.0 | 6 votes |
/**
 * Ships the configured keystore and/or truststore into the container and points the
 * container's Flink configuration at the in-container paths.
 *
 * <p>Only stores that were actually set on this overlay are handled; for a missing one the
 * corresponding configuration key is left untouched. Both artifacts are marked non-cachable —
 * presumably so key material is always copied fresh for this container rather than served from
 * a shared artifact cache.
 *
 * @param container the container specification to extend
 * @throws IOException declared by the overlay contract; not thrown by this implementation itself
 */
@Override
public void configure(ContainerSpecification container) throws IOException {
    if (keystore != null) {
        final ContainerSpecification.Artifact keystoreArtifact = ContainerSpecification.Artifact.newBuilder()
            .setSource(keystore)
            .setDest(TARGET_KEYSTORE_PATH)
            .setCachable(false)
            .build();
        container.getArtifacts().add(keystoreArtifact);
        container.getFlinkConfiguration().setString(SecurityOptions.SSL_KEYSTORE, TARGET_KEYSTORE_PATH.getPath());
    }

    if (truststore != null) {
        final ContainerSpecification.Artifact truststoreArtifact = ContainerSpecification.Artifact.newBuilder()
            .setSource(truststore)
            .setDest(TARGET_TRUSTSTORE_PATH)
            .setCachable(false)
            .build();
        container.getArtifacts().add(truststoreArtifact);
        container.getFlinkConfiguration().setString(SecurityOptions.SSL_TRUSTSTORE, TARGET_TRUSTSTORE_PATH.getPath());
    }
}
Example #13
Source File: SecurityConfiguration.java From flink with Apache License 2.0 | 6 votes |
/**
 * Creates a security configuration from the global Flink configuration.
 *
 * <p>Reads the Kerberos login settings (keytab, principal, ticket-cache usage, JAAS login
 * contexts) and the ZooKeeper SASL settings from {@code flinkConf}, then calls
 * {@link #validate()} — presumably to reject inconsistent combinations at construction time.
 *
 * @param flinkConf the Flink global configuration; must not be {@code null}
 * @param securityContextFactory the security context factory class names, tried in list order
 * @param securityModuleFactories the security module factory class names to apply; kept as an
 *     unmodifiable view of the given list
 */
public SecurityConfiguration(Configuration flinkConf, List<String> securityContextFactory, List<String> securityModuleFactories) {
    this.flinkConfig = checkNotNull(flinkConf);

    // Kerberos login
    this.keytab = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
    this.principal = flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
    this.useTicketCache = flinkConf.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
    this.loginContextNames = parseList(flinkConf.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));

    // ZooKeeper SASL
    this.isZkSaslDisable = flinkConf.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
    this.zkServiceName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
    this.zkLoginContextName = flinkConf.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);

    // pluggable factories
    this.securityContextFactory = securityContextFactory;
    this.securityModuleFactories = Collections.unmodifiableList(securityModuleFactories);

    validate();
}
Example #14
Source File: RestServerEndpointITCase.java From flink with Apache License 2.0 | 6 votes |
/**
 * Test parameters: the REST endpoint is exercised once per transport configuration.
 *
 * <ul>
 *   <li>plain HTTP;</li>
 *   <li>HTTPS with the {@code local127} key/trust stores;</li>
 *   <li>HTTPS plus client authentication (mutual TLS);</li>
 *   <li>the previous one plus certificate pinning, the pin being the fingerprint of the
 *       {@code flink.test} entry taken from the same configuration.</li>
 * </ul>
 *
 * <p>The {@code "password"} literals protect test-only stores from the test resources.
 *
 * @return one {@code Object[]} holding a {@link Configuration} per case
 * @throws Exception if the fingerprint cannot be computed from the test keystore
 */
@Parameterized.Parameters
public static Collection<Object[]> data() throws Exception {
    final Configuration plainConfig = getBaseConfig();

    // HTTPS only
    final Configuration sslConfig = new Configuration(plainConfig);
    sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, getTestResource("local127.truststore").getAbsolutePath());
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, getTestResource("local127.keystore").getAbsolutePath());
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "password");

    // HTTPS + client certificate authentication
    final Configuration mutualTlsConfig = new Configuration(sslConfig);
    mutualTlsConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

    // HTTPS + client authentication + pinned server certificate
    final Configuration pinnedConfig = new Configuration(mutualTlsConfig);
    pinnedConfig.setString(
        SecurityOptions.SSL_REST_CERT_FINGERPRINT,
        SSLUtilsTest.getRestCertificateFingerprint(pinnedConfig, "flink.test"));

    return Arrays.asList(new Object[][] {
        {plainConfig},
        {sslConfig},
        {mutualTlsConfig},
        {pinnedConfig}
    });
}
Example #15
Source File: SSLUtilsTest.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * Checks how the internal and REST SSL switches are derived from the configuration.
 *
 * <p>Three cases: only the deprecated umbrella flag {@code security.ssl.enabled} is set (it
 * must turn on both channels); only the per-channel flags are set; and both are set with
 * conflicting values, where the per-channel flags must win.
 */
@SuppressWarnings("deprecation")
@Test
public void checkEnableSSL() {
    // legacy: the umbrella flag alone enables both internal and REST SSL
    final Configuration legacyOnly = new Configuration();
    legacyOnly.setBoolean(SecurityOptions.SSL_ENABLED, true);
    assertTrue(SSLUtils.isInternalSSLEnabled(legacyOnly));
    assertTrue(SSLUtils.isRestSSLEnabled(legacyOnly));

    // per-channel flags only, no umbrella flag
    final Configuration perChannelOnly = new Configuration();
    perChannelOnly.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    perChannelOnly.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
    assertTrue(SSLUtils.isInternalSSLEnabled(perChannelOnly));
    assertFalse(SSLUtils.isRestSSLEnabled(perChannelOnly));

    // conflict: explicit per-channel flags override the umbrella flag
    final Configuration conflicting = new Configuration();
    conflicting.setBoolean(SecurityOptions.SSL_ENABLED, true);
    conflicting.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, false);
    conflicting.setBoolean(SecurityOptions.SSL_REST_ENABLED, false);
    assertFalse(SSLUtils.isInternalSSLEnabled(conflicting));
    assertFalse(SSLUtils.isRestSSLEnabled(conflicting));
}
Example #16
Source File: BlobServerSSLTest.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
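/**
 * Internal SSL is enabled but both stores point at a path that does not exist; the
 * {@link BlobServer} constructor must refuse to start.
 *
 * <p>The failure must be an {@link IOException} whose cause chain carries the SSL
 * initialisation message. The two {@code findThrowable*} lookups used to run without their
 * results being checked, which let any exception (e.g. an unrelated NPE) pass this test; they
 * are now asserted on.
 */
@Test
public void testFailedToInitWithInvalidSslKeystoreConfigured() {
    final Configuration config = new Configuration();
    config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    config.setString(SecurityOptions.SSL_KEYSTORE, "invalid.keystore");
    config.setString(SecurityOptions.SSL_KEYSTORE_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_KEY_PASSWORD, "password");
    config.setString(SecurityOptions.SSL_TRUSTSTORE, "invalid.keystore");
    config.setString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD, "password");

    try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
        // fail() throws an AssertionError, which the catch below does not swallow
        fail("BlobServer started although the configured key/trust store does not exist");
    } catch (Exception e) {
        // pin the failure reason instead of accepting any exception
        if (!findThrowable(e, IOException.class).isPresent()) {
            fail("Expected an IOException in the cause chain, got: " + e);
        }
        if (!findThrowableWithMessage(e, "Failed to initialize SSL for the blob server").isPresent()) {
            fail("Unexpected failure reason: " + e);
        }
    }
}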
Example #17
Source File: RestServerEndpointITCase.java From flink with Apache License 2.0 | 6 votes |
/**
 * A request for {@code TestVersionSelectionHeaders2}'s target URL, sent without any explicit
 * version selection, must be routed to the default version and answered with 202 Accepted.
 *
 * <p>Skipped for the SSL-enabled parameterisations: the bare {@link OkHttpClient} used here
 * would need trust configuration for the test certificate.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    Assume.assumeFalse(
        "Ignoring SSL-enabled test to keep OkHttp usage simple.",
        config.getBoolean(SecurityOptions.SSL_REST_ENABLED));

    final String targetUrl = serverEndpoint.getRestBaseUrl()
        + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
    final Request request = new Request.Builder().url(targetUrl).build();

    final OkHttpClient httpClient = new OkHttpClient();
    try (final Response response = httpClient.newCall(request).execute()) {
        assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
    }
}
Example #18
Source File: RestServerEndpointITCase.java From flink with Apache License 2.0 | 6 votes |
/**
 * Test parameters: the REST endpoint is exercised once per transport configuration.
 *
 * <ul>
 *   <li>plain HTTP;</li>
 *   <li>HTTPS with the {@code local127} key/trust stores;</li>
 *   <li>HTTPS plus client authentication (mutual TLS).</li>
 * </ul>
 *
 * <p>The {@code "password"} literals protect test-only stores from the test resources.
 *
 * @return one {@code Object[]} holding a {@link Configuration} per case
 */
@Parameterized.Parameters
public static Collection<Object[]> data() {
    final Configuration plainConfig = getBaseConfig();

    // HTTPS only
    final Configuration sslConfig = new Configuration(plainConfig);
    sslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE, getTestResource("local127.truststore").getAbsolutePath());
    sslConfig.setString(SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE, getTestResource("local127.keystore").getAbsolutePath());
    sslConfig.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, "password");
    sslConfig.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, "password");

    // HTTPS + client certificate authentication
    final Configuration mutualTlsConfig = new Configuration(sslConfig);
    mutualTlsConfig.setBoolean(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);

    return Arrays.asList(new Object[][] {
        {plainConfig},
        {sslConfig},
        {mutualTlsConfig}
    });
}
Example #19
Source File: RestServerEndpointITCase.java From Flink-CEPplus with Apache License 2.0 | 6 votes |
/**
 * A request for {@code TestVersionSelectionHeaders2}'s target URL, sent without any explicit
 * version selection, must be routed to the default version and answered with 202 Accepted.
 *
 * <p>Skipped for the SSL-enabled parameterisations: the bare {@link OkHttpClient} used here
 * would need trust configuration for the test certificate.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    Assume.assumeFalse(
        "Ignoring SSL-enabled test to keep OkHttp usage simple.",
        config.getBoolean(SecurityOptions.SSL_REST_ENABLED));

    final String targetUrl = serverEndpoint.getRestBaseUrl()
        + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
    final Request request = new Request.Builder().url(targetUrl).build();

    final OkHttpClient httpClient = new OkHttpClient();
    try (final Response response = httpClient.newCall(request).execute()) {
        assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
    }
}
Example #20
Source File: RestServerEndpointITCase.java From flink with Apache License 2.0 | 6 votes |
/**
 * A request for {@code TestVersionSelectionHeaders2}'s target URL, sent without any explicit
 * version selection, must be routed to the default version and answered with 202 Accepted.
 *
 * <p>Skipped for the SSL-enabled parameterisations: the bare {@link OkHttpClient} used here
 * would need trust configuration for the test certificate.
 */
@Test
public void testDefaultVersionRouting() throws Exception {
    Assume.assumeFalse(
        "Ignoring SSL-enabled test to keep OkHttp usage simple.",
        config.getBoolean(SecurityOptions.SSL_REST_ENABLED));

    final String targetUrl = serverEndpoint.getRestBaseUrl()
        + TestVersionSelectionHeaders2.INSTANCE.getTargetRestEndpointURL();
    final Request request = new Request.Builder().url(targetUrl).build();

    final OkHttpClient httpClient = new OkHttpClient();
    try (final Response response = httpClient.newCall(request).execute()) {
        assertEquals(HttpResponseStatus.ACCEPTED.code(), response.code());
    }
}
Example #21
Source File: SSLUtilsTest.java From flink with Apache License 2.0 | 6 votes |
/**
 * {@link SSLUtils#createSSLServerSocketFactory} must apply the configured protocol and cipher
 * suites to the {@link SSLServerSocket} it produces — nothing more, nothing less.
 *
 * <p>Caveat: TLSv1.1 and the RSA-key-exchange CBC suites used below are deprecated choices,
 * picked only to exercise the configuration plumbing; they are not a recommended setup.
 */
@Test
public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exception {
    final Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores();

    final String expectedProtocol = "TLSv1.1";
    final String[] expectedSuites = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"};
    serverConfig.setString(SecurityOptions.SSL_PROTOCOL, expectedProtocol);
    serverConfig.setString(SecurityOptions.SSL_ALGORITHMS, String.join(",", expectedSuites));

    // port 0: let the OS pick a free port; the socket is closed by try-with-resources
    try (ServerSocket socket = SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) {
        assertTrue(socket instanceof SSLServerSocket);
        final SSLServerSocket sslSocket = (SSLServerSocket) socket;

        // exactly the one configured protocol ...
        final String[] enabledProtocols = sslSocket.getEnabledProtocols();
        assertEquals(1, enabledProtocols.length);
        assertEquals(expectedProtocol, enabledProtocols[0]);

        // ... and exactly the two configured suites, order not significant
        final String[] enabledSuites = sslSocket.getEnabledCipherSuites();
        assertEquals(2, enabledSuites.length);
        assertThat(enabledSuites, arrayContainingInAnyOrder(expectedSuites));
    }
}
Example #22
Source File: SSLUtils.java From flink with Apache License 2.0 | 6 votes |
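/**
 * Resolves the configured SSL provider ({@code security.ssl.provider}).
 *
 * <p>Accepted values, compared case-insensitively: {@code JDK} and {@code OPENSSL}.
 * {@code OPENSSL} additionally requires the native OpenSSL binding to be loadable; if it is
 * not, the unavailability cause is attached to the thrown exception so operators can see why
 * the native provider was rejected rather than silently getting the JDK provider.
 *
 * <p>The comparisons are constant-first so a missing ({@code null}) value is reported through
 * the "Unknown SSL provider" path instead of surfacing as a {@link NullPointerException}.
 *
 * @param config the Flink configuration, must not be {@code null}
 * @return {@code OPENSSL} or {@code JDK}
 * @throws IllegalConfigurationException for an unknown or missing value, or for {@code OPENSSL}
 *     when the native library is unavailable
 */
@VisibleForTesting
static SslProvider getSSLProvider(final Configuration config) {
    checkNotNull(config, "config must not be null");

    final String providerString = config.getString(SecurityOptions.SSL_PROVIDER);

    if ("OPENSSL".equalsIgnoreCase(providerString)) {
        if (!OpenSsl.isAvailable()) {
            throw new IllegalConfigurationException("openSSL not available", OpenSsl.unavailabilityCause());
        }
        return OPENSSL;
    }

    if ("JDK".equalsIgnoreCase(providerString)) {
        return JDK;
    }

    throw new IllegalConfigurationException("Unknown SSL provider: %s", providerString);
}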
Example #23
Source File: SSLUtils.java From flink with Apache License 2.0 | 5 votes |
/**
 * Builds the {@link SSLHandlerFactory} used by server endpoints of Flink's internal
 * communication.
 *
 * @param config the Flink configuration; internal SSL must be enabled
 * @return a handler factory backed by the internal Netty {@link SslContext} and the configured
 *     handshake / close-notify flush timeouts
 * @throws IllegalConfigurationException if {@link #createInternalNettySSLContext} yields no
 *     context, i.e. SSL is not enabled for internal communication
 * @throws Exception if the SSL context cannot be created (propagated from the helper)
 */
public static SSLHandlerFactory createInternalServerSSLEngineFactory(final Configuration config) throws Exception {
    // NOTE(review): the `false` presumably selects the server (non-client) context — confirm
    // against createInternalNettySSLContext's signature.
    final SslContext sslContext = createInternalNettySSLContext(config, false);
    if (sslContext == null) {
        throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
    }

    final int handshakeTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT);
    final int closeNotifyFlushTimeout = config.getInteger(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT);
    return new SSLHandlerFactory(sslContext, handshakeTimeout, closeNotifyFlushTimeout);
}
Example #24
Source File: YarnTaskExecutorRunnerTest.java From flink with Apache License 2.0 | 5 votes |
/**
 * Checks the pre-installed keytab path: when the YARN environment provides a local keytab path
 * ({@code LOCAL_KEYTAB_PATH}) but no remote one, that local path must be what ends up in both
 * the installed {@link HadoopModule} and the Flink {@link Configuration}.
 *
 * <p>Keytab assertions use {@code containsString} because the absolute path varies with the
 * runtime environment.
 */
@Test
public void testPreInstallKerberosKeytabConfiguration() throws Exception {
    final String resourceDirPath = Paths.get("src", "test", "resources").toAbsolutePath().toString();
    final String expectedPrincipal = "testuser1@domain";
    final String localKeytab = "src/test/resources/krb5.keytab";

    final Map<String, String> envs = new HashMap<>(2);
    envs.put(YarnConfigKeys.KEYTAB_PRINCIPAL, expectedPrincipal);
    // Try directly resolving local path when no remote keytab path is provided.
    envs.put(YarnConfigKeys.LOCAL_KEYTAB_PATH, localKeytab);

    final Configuration configuration = new Configuration();
    YarnTaskExecutorRunner.setupConfigurationAndInstallSecurityContext(configuration, resourceDirPath, envs);

    // the installed security context must contain a HadoopModule carrying these credentials
    final HadoopModule hadoopModule = SecurityUtils.getInstalledModules().stream()
        .filter(module -> module instanceof HadoopModule)
        .map(module -> (HadoopModule) module)
        .findFirst()
        .orElse(null);
    if (hadoopModule == null) {
        fail("Can not find HadoopModule!");
    }
    assertThat(hadoopModule.getSecurityConfig().getPrincipal(), is(expectedPrincipal));
    assertThat(hadoopModule.getSecurityConfig().getKeytab(), containsString(localKeytab));

    // ... and the Flink configuration must carry the same values
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB), containsString(localKeytab));
    assertThat(configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL), is(expectedPrincipal));
}
Example #25
Source File: SSLUtilsTest.java From flink with Apache License 2.0 | 5 votes |
/**
 * Builds a REST SSL configuration for the given provider: SSL enabled, provider set, and both
 * the REST keystore and truststore added by the shared helpers.
 *
 * @param sslProvider the value for {@code security.ssl.provider} (e.g. {@code JDK} or {@code OPENSSL})
 * @return a fresh configuration; the stores it references are presumably the test-resource stores
 */
public static Configuration createRestSslConfigWithKeyAndTrustStores(String sslProvider) {
    final Configuration restSslConfig = new Configuration();
    restSslConfig.setBoolean(SecurityOptions.SSL_REST_ENABLED, true);
    // provider first, then identity (keystore) and trust anchors (truststore)
    addSslProviderConfig(restSslConfig, sslProvider);
    addRestKeyStoreConfig(restSslConfig);
    addRestTrustStoreConfig(restSslConfig);
    return restSslConfig;
}
Example #26
Source File: BlobServerSSLTest.java From flink with Apache License 2.0 | 5 votes |
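/**
 * Internal SSL is switched on but none of the mandatory store options (keystore, truststore,
 * their passwords) is set; the {@link BlobServer} constructor must fail instead of starting a
 * half-configured endpoint.
 *
 * <p>The two {@code findThrowable*} lookups used to run without their results being checked,
 * which let any exception pass this test; they are now asserted on.
 */
@Test
public void testFailedToInitWithMissingMandatorySslConfiguration() {
    final Configuration config = new Configuration();
    config.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);

    try (final BlobServer ignored = new BlobServer(config, new VoidBlobStore())) {
        // fail() throws an AssertionError, which the catch below does not swallow
        fail("BlobServer started although no key/trust store is configured");
    } catch (Exception e) {
        // pin the failure reason instead of accepting any exception
        if (!findThrowable(e, IOException.class).isPresent()) {
            fail("Expected an IOException in the cause chain, got: " + e);
        }
        if (!findThrowableWithMessage(e, "Failed to initialize SSL for the blob server").isPresent()) {
            fail("Unexpected failure reason: " + e);
        }
    }
}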
Example #27
Source File: RestServerEndpointITCase.java From flink with Apache License 2.0 | 5 votes |
/**
 * With REST SSL enabled, a plain-HTTP request to the endpoint must be answered with a
 * 301 whose {@code Location} is the HTTPS URL for the same path, rather than being served in
 * cleartext.
 *
 * <p>Redirect following is disabled on the client so the redirect response itself is observed.
 * Note this pins only the redirect; a client that already sent sensitive data in the cleartext
 * request has still leaked it — the redirect is a convenience, not a protection.
 */
@Test
public void testNonSslRedirectForEnabledSsl() throws Exception {
    Assume.assumeTrue(config.getBoolean(SecurityOptions.SSL_REST_ENABLED));

    final String httpsUrl = serverEndpoint.getRestBaseUrl() + "/path";
    final String httpUrl = httpsUrl.replace("https://", "http://");

    final OkHttpClient nonFollowingClient = new OkHttpClient.Builder().followRedirects(false).build();
    final Request request = new Request.Builder().url(httpUrl).build();

    try (final Response response = nonFollowingClient.newCall(request).execute()) {
        assertEquals(HttpResponseStatus.MOVED_PERMANENTLY.code(), response.code());
        assertThat(response.headers().names(), hasItems("Location"));
        // same path, https scheme
        assertEquals(httpsUrl, response.header("Location"));
    }
}
Example #28
Source File: SSLUtilsTest.java From flink with Apache License 2.0 | 5 votes |
/**
 * The internal server {@link SSLHandlerFactory} must hand the configured protocol and cipher
 * suites through to the engine it creates, for whichever provider is under test.
 *
 * <p>The providers are not interchangeable in what they accept: the OpenSSL provider does not
 * support the same cipher suites as the JDK one, and it additionally reports
 * {@code SSLv2Hello} as an enabled protocol, so the expectations are provider-specific.
 * TLSv1 is a fixture here, not a recommendation.
 */
@Test
public void testCreateSSLEngineFactory() throws Exception {
    final Configuration serverConfig = createInternalSslConfigWithKeyAndTrustStores();

    final boolean openSsl = sslProvider.equalsIgnoreCase("OPENSSL");
    // openSSL does not support the same set of cipher algorithms!
    final String[] sslAlgorithms = openSsl
        ? new String[] {"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"}
        : new String[] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"};
    final String[] expectedSslProtocols = openSsl
        ? new String[] {"SSLv2Hello", "TLSv1"}
        : new String[] {"TLSv1"};

    // set custom protocol and cipher suites
    serverConfig.setString(SecurityOptions.SSL_PROTOCOL, "TLSv1");
    serverConfig.setString(SecurityOptions.SSL_ALGORITHMS, String.join(",", sslAlgorithms));

    final SSLHandlerFactory serverSSLHandlerFactory = SSLUtils.createInternalServerSSLEngineFactory(serverConfig);
    final SslHandler sslHandler = serverSSLHandlerFactory.createNettySSLHandler(UnpooledByteBufAllocator.DEFAULT);

    final String[] enabledProtocols = sslHandler.engine().getEnabledProtocols();
    assertEquals(expectedSslProtocols.length, enabledProtocols.length);
    assertThat(enabledProtocols, arrayContainingInAnyOrder(expectedSslProtocols));

    final String[] enabledSuites = sslHandler.engine().getEnabledCipherSuites();
    assertEquals(sslAlgorithms.length, enabledSuites.length);
    assertThat(enabledSuites, arrayContainingInAnyOrder(sslAlgorithms));
}
Example #29
Source File: SSLUtilsTest.java From flink with Apache License 2.0 | 5 votes |
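/**
 * Computes the SHA-1 fingerprint of the certificate stored under {@code certificateAlias} in
 * the configured internal keystore ({@code security.ssl.internal.keystore[-password]}).
 *
 * <p>SHA-1 is used because that is what {@link #getSha1Fingerprint} produces and what the
 * pinning tests compare against; it identifies a certificate and is not used as a signature
 * algorithm. Changing the digest here would require the matching change on the verification
 * side.
 *
 * @param config           configuration holding the internal keystore path and password
 * @param certificateAlias alias of the certificate entry to fingerprint
 * @return the fingerprint string as produced by {@link #getSha1Fingerprint}
 * @throws IllegalArgumentException if the keystore has no entry with that alias (previously the
 *     {@code null} from {@link KeyStore#getCertificate} was passed straight on)
 * @throws Exception if the keystore cannot be opened or loaded
 */
public static String getCertificateFingerprint(Configuration config, String certificateAlias) throws Exception {
    final String keyStorePath = config.getString(SecurityOptions.SSL_INTERNAL_KEYSTORE);
    final String keyStorePassword = config.getString(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD);

    final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream keyStoreStream = Files.newInputStream(new File(keyStorePath).toPath())) {
        keyStore.load(keyStoreStream, keyStorePassword.toCharArray());
    }

    // getCertificate() returns null for an unknown alias; fail with the alias and store named
    final java.security.cert.Certificate certificate = keyStore.getCertificate(certificateAlias);
    if (certificate == null) {
        throw new IllegalArgumentException(
            "No certificate with alias '" + certificateAlias + "' in keystore " + keyStorePath);
    }
    return getSha1Fingerprint(certificate);
}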
Example #30
Source File: SSLUtilsTest.java From flink with Apache License 2.0 | 5 votes |
/**
 * Builds an internal-communication SSL configuration that carries a keystore but no
 * truststore, using the provider under test ({@code sslProvider}).
 *
 * <p>Intended for cases where only the local identity matters, or where the absence of trust
 * anchors is the point of the test.
 *
 * @return a fresh configuration with internal SSL enabled, the provider set and the keystore added
 */
private Configuration createInternalSslConfigWithKeyStore() {
    final Configuration internalSslConfig = new Configuration();
    internalSslConfig.setBoolean(SecurityOptions.SSL_INTERNAL_ENABLED, true);
    addSslProviderConfig(internalSslConfig, sslProvider);
    // keystore only — deliberately no addInternalTrustStoreConfig here
    addInternalKeyStoreConfig(internalSslConfig);
    return internalSslConfig;
}