vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/mrs/component-operation-guide/mrs_01_1583.html
Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00

389 lines
46 KiB
HTML
Raw Blame History

<a name="mrs_01_1583"></a><a name="mrs_01_1583"></a>
<h1 class="topictitle1">Authentication and Encryption</h1>
<div id="body1596441032921"><div class="section" id="mrs_01_1583__section375534695613"><h4 class="sectiontitle">Security Authentication</h4><p id="mrs_01_1583__p72875293571">Flink uses the following three authentication modes:</p>
<ul id="mrs_01_1583__ul13287202925713"><li id="mrs_01_1583__li628722985710">Kerberos authentication: It is used between the Flink Yarn client and Yarn ResourceManager, JobManager and ZooKeeper, JobManager and HDFS, TaskManager and HDFS, Kafka and TaskManager, as well as TaskManager and ZooKeeper.</li><li id="mrs_01_1583__li1928715296577">Security cookie authentication: Security cookie authentication is used between Flink Yarn client and JobManager, JobManager and TaskManager, as well as TaskManager and TaskManager.</li><li id="mrs_01_1583__li52871529165714">Internal authentication of Yarn: The Internal authentication mechanism of Yarn is used between Yarn ResourceManager and ApplicationMaster (AM).<div class="note" id="mrs_01_1583__note32871429205711"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_1583__ul1928872995720"><li id="mrs_01_1583__li52881729185711">Flink JobManager and Yarn ApplicationMaster are in the same process.</li><li id="mrs_01_1583__li728882911574">If Kerberos authentication is enabled for the user's cluster, Kerberos authentication is required.</li><li id="mrs_01_1583__li190872945612">For versions earlier than MRS 3.<em id="mrs_01_1583__i937342971519">x</em>, Flink does not support security cookie authentication.</li></ul>
</div></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table18288142985710" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Authentication modes</caption><thead align="left"><tr id="mrs_01_1583__row152881629105719"><th align="left" class="cellrowborder" valign="top" width="13.450000000000001%" id="mcps1.3.1.3.3.2.2.4.1.1"><p id="mrs_01_1583__p1828882925719"><strong id="mrs_01_1583__b11899730172512">Authentication Mode</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="13.089999999999998%" id="mcps1.3.1.3.3.2.2.4.1.2"><p id="mrs_01_1583__p528811293571"><strong id="mrs_01_1583__b1028812912571">Description</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.46000000000001%" id="mcps1.3.1.3.3.2.2.4.1.3"><p id="mrs_01_1583__p12288162912572"><strong id="mrs_01_1583__b687443915257">Configuration Method</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row17288029125710"><td class="cellrowborder" valign="top" width="13.450000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.1 "><p id="mrs_01_1583__p5288129165710">Kerberos authentication</p>
</td>
<td class="cellrowborder" valign="top" width="13.089999999999998%" headers="mcps1.3.1.3.3.2.2.4.1.2 "><p id="mrs_01_1583__p182882298574">Currently, only keytab authentication mode is supported.</p>
</td>
<td class="cellrowborder" valign="top" width="73.46000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.3 "><ol id="mrs_01_1583__ol132881029195716"><li id="mrs_01_1583__li1628818293575">Download the user keytab from the KDC server, and place the keytab to a directory on the host of the Flink client.</li><li id="mrs_01_1583__li1628852995713">Configure the following parameters in the <strong id="mrs_01_1583__b1313021030101012">flink-conf.yaml</strong> file:<ol type="a" id="mrs_01_1583__ol12881929105713"><li id="mrs_01_1583__li162881029195713">Keytab path<pre class="screen" id="mrs_01_1583__screen6289192910577">security.kerberos.login.keytab: /home/flinkuser/keytab/abc222.keytab</pre>
<p id="mrs_01_1583__p228916293571">Note:</p>
<p id="mrs_01_1583__p142892292577"><strong id="mrs_01_1583__b440825315101012">/home/flinkuser/keytab/abc222.keytab</strong> indicates the user directory.</p>
</li><li id="mrs_01_1583__li11289029195710">Principal name<pre class="screen" id="mrs_01_1583__screen0289192995719">security.kerberos.login.principal: abc222</pre>
</li><li id="mrs_01_1583__li1328982910571">In HA mode, if ZooKeeper is configured, the Kerberos authentication configuration items must be configured as follows:<pre class="screen" id="mrs_01_1583__screen192891329175716">zookeeper.sasl.disable: false
security.kerberos.login.contexts: Client</pre>
</li><li id="mrs_01_1583__li142892295578">If you want to perform Kerberos authentication between Kafka client and Kafka broker, set the value as follows:<pre class="screen" id="mrs_01_1583__screen7289829145712">security.kerberos.login.contexts: Client,KafkaClient</pre>
</li></ol>
</li></ol>
</td>
</tr>
<tr id="mrs_01_1583__row122896295578"><td class="cellrowborder" valign="top" width="13.450000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.1 "><p id="mrs_01_1583__p1328942985713">Security cookie authentication</p>
</td>
<td class="cellrowborder" valign="top" width="13.089999999999998%" headers="mcps1.3.1.3.3.2.2.4.1.2 "><p id="mrs_01_1583__p9289929125719">-</p>
</td>
<td class="cellrowborder" valign="top" width="73.46000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.3 "><ol id="mrs_01_1583__ol1728952914573"><li id="mrs_01_1583__li634361418215">In the <strong id="mrs_01_1583__b64974426155">bin</strong> directory of the Flink client, run the <strong id="mrs_01_1583__b4497164211153">generate_keystore.sh</strong> script to generate security cookie, <strong id="mrs_01_1583__b134972424153">flink.keystore</strong>, and <strong id="mrs_01_1583__b4497114211517">flink.truststore</strong>.<div class="p" id="mrs_01_1583__p1840513273212">Run the <strong id="mrs_01_1583__b10491164185713">sh generate_keystore.sh</strong> command and enter the user-defined password. The password cannot contain <strong id="mrs_01_1583__b529850406102034">#</strong>.<div class="note" id="mrs_01_1583__note351411105219"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="mrs_01_1583__p1985978125917">After the script is executed, the <span class="filepath" id="mrs_01_1583__filepath2065410003102034"><b>flink.keystore</b></span> and <span class="filepath" id="mrs_01_1583__filepath1251953240102034"><b>flink.truststore</b></span> files are generated in the <strong id="mrs_01_1583__b481575547102034">conf</strong> directory on the Flink client. In the <span class="filepath" id="mrs_01_1583__filepath413226405102034"><b>flink-conf.yaml</b></span> file, default values are specified for following parameters:</p>
<ul id="mrs_01_1583__ul89714582189"><li id="mrs_01_1583__li199711758121813">Set <span class="parmname" id="mrs_01_1583__parmname1632622985102034"><b>security.ssl.keystore</b></span> to the absolute path of the <span class="filepath" id="mrs_01_1583__filepath792036202102034"><b>flink.keystore</b></span> file.</li><li id="mrs_01_1583__li103211421910">Set <span class="parmname" id="mrs_01_1583__parmname1143230259102034"><b>security.ssl.truststore</b></span> to the absolute path of the <span class="filepath" id="mrs_01_1583__filepath1342726889102034"><b>flink.truststore</b></span> file.</li></ul>
<ul id="mrs_01_1583__ul967157151910"><li id="mrs_01_1583__li16719718197">Set <strong id="mrs_01_1583__b544649111914">security.cookie</strong> to a random password automatically generated by the <strong id="mrs_01_1583__b75101659121920">generate_keystore.sh</strong> script.</li><li id="mrs_01_1583__li83115101193">By default, <strong id="mrs_01_1583__b5806721132116">security.ssl.encrypt.enabled: false</strong> is set in the <strong id="mrs_01_1583__b18832193542114">flink-conf.yaml</strong> file by default. The <strong id="mrs_01_1583__b5710175611213">generate_keystore.sh</strong> script sets <strong id="mrs_01_1583__b7226846225">security.ssl.key-password</strong>, <strong id="mrs_01_1583__b796920818222">security.ssl.keystore-password</strong>, and <strong id="mrs_01_1583__b17213162315224">security.ssl.truststore-password</strong> to the password entered when the <strong id="mrs_01_1583__b14886155713222">generate_keystore.sh</strong> script is called.</li></ul>
<ul id="mrs_01_1583__ul98721361913"><li id="mrs_01_1583__li987171319191">For MRS 3.<em id="mrs_01_1583__i4620165654616">x</em> or later, if ciphertext is required and <strong id="mrs_01_1583__b53135523238">security.ssl.encrypt.enabled</strong> is set to <strong id="mrs_01_1583__b3275175918596">true</strong> in the <strong id="mrs_01_1583__b8336258182316">flink-conf.yaml</strong> file, the <strong id="mrs_01_1583__b125814512517">generate_keystore.sh</strong> script does not set <strong id="mrs_01_1583__b209152662412">security.ssl.key-password</strong>, <strong id="mrs_01_1583__b521033832415">security.ssl.keystore-password</strong>, and <strong id="mrs_01_1583__b1757016587248">security.ssl.truststore-password</strong>. To obtain the values, use the Manager plaintext encryption API by running <strong id="mrs_01_1583__b141401239121310">curl -k -i -u </strong><em id="mrs_01_1583__i1814523916133">Username</em><strong id="mrs_01_1583__b832284531316">:</strong><em id="mrs_01_1583__i8327945111317">Password</em><strong id="mrs_01_1583__b135893150152"> -X POST -HContent-type:application/json -d '{"plainText":"</strong><em id="mrs_01_1583__i3595181561514">Password</em><strong id="mrs_01_1583__b95902153150">"}' 'https://</strong><em id="mrs_01_1583__i16685134911415">x.x.x.x</em><strong id="mrs_01_1583__b168010497418">:28443/web/api/v2/tools/encrypt'</strong>.<p id="mrs_01_1583__p9490344151413">In the preceding command, <em id="mrs_01_1583__i976781642215">Username</em><strong id="mrs_01_1583__b476791612210">:</strong><em id="mrs_01_1583__i207672165220">Password</em> indicates the user name and password for logging in to the system. The password of <strong id="mrs_01_1583__b13767141614229">"plainText"</strong> indicates the one used to call the <strong id="mrs_01_1583__b17688167222">generate_keystore.sh</strong> script. <em id="mrs_01_1583__i12768151682214">x.x.x.x</em> indicates the floating IP address of Manager.</p>
</li></ul>
</div></div>
</div>
</li><li id="mrs_01_1583__li4290152955718">Set <span class="parmvalue" id="mrs_01_1583__parmvalue1126355636101012"><b>security.enable: true</b></span> in the <strong id="mrs_01_1583__b84451912175716">flink-conf.yaml</strong> file and check whether <span class="parmname" id="mrs_01_1583__parmname617903271101012"><b>security cookie</b></span> is configured successfully. Example:<pre class="screen" id="mrs_01_1583__screen3291182915719">security.cookie: ae70acc9-9795-4c48-ad35-8b5adc8071744f605d1d-2726-432e-88ae-dd39bfec40a9</pre>
</li></ol>
</td>
</tr>
<tr id="mrs_01_1583__row1629118297574"><td class="cellrowborder" valign="top" width="13.450000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.1 "><p id="mrs_01_1583__p329112295574">Internal authentication of Yarn</p>
</td>
<td class="cellrowborder" valign="top" width="13.089999999999998%" headers="mcps1.3.1.3.3.2.2.4.1.2 "><p id="mrs_01_1583__p17291172910573">This authentication mode does not need to be configured by the user.</p>
</td>
<td class="cellrowborder" valign="top" width="73.46000000000001%" headers="mcps1.3.1.3.3.2.2.4.1.3 "><p id="mrs_01_1583__p122911829205711">-</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="mrs_01_1583__note15291729185716"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1583__p1129112915572">One Flink cluster supports only one user. One user can create multiple Flink clusters.</p>
</div></div>
</li></ul>
</div>
<div class="section" id="mrs_01_1583__section270112348585"><a name="mrs_01_1583__section270112348585"></a><a name="section270112348585"></a><h4 class="sectiontitle">Encrypted Transmission</h4><p id="mrs_01_1583__p107035227594">Flink uses following encrypted transmission modes:</p>
<ul id="mrs_01_1583__ul270352225918"><li id="mrs_01_1583__li6704422145914">Encrypted transmission inside Yarn: It is used between the Flink Yarn client and Yarn ResourceManager, as well as Yarn ResourceManager and JobManager.</li><li id="mrs_01_1583__li1870413228594">SSL transmission: SSL transmission is used between Flink Yarn client and JobManager, JobManager and TaskManager, as well as TaskManager and TaskManager.</li><li id="mrs_01_1583__li15704182213595">Encrypted transmission inside Hadoop: The internal encrypted transmission mode of Hadoop used between JobManager and HDFS, TaskManager and HDFS, JobManager and ZooKeeper, as well as TaskManager and ZooKeeper.</li></ul>
<div class="note" id="mrs_01_1583__note1070415221591"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1583__p1370442219597">Configuration about SSL encrypted transmission is mandatory while configuration about encryption of Yarn and Hadoop is not required.</p>
</div></div>
<p id="mrs_01_1583__p18704162295916">To configure SSL encrypted transmission, configure the following parameters in the <strong id="mrs_01_1583__b1936699522101012">flink-conf.yaml</strong> file on the client:</p>
<ol id="mrs_01_1583__ol141142044105117"><li id="mrs_01_1583__li41141244135117">Enable SSL and configure the SSL encryption algorithm. For MRS 3.x or later, see <a href="#mrs_01_1583__table4164102001915">Table 2</a>. Modify the parameters as required.
<div class="tablenoborder"><a name="mrs_01_1583__table4164102001915"></a><a name="table4164102001915"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table4164102001915" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameter description</caption><thead align="left"><tr id="mrs_01_1583__row5164202051919"><th align="left" class="cellrowborder" valign="top" width="28.494949494949495%" id="mcps1.3.2.6.1.2.2.4.1.1"><p id="mrs_01_1583__p16164192051916"><strong id="mrs_01_1583__b613110578436">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="42.37373737373738%" id="mcps1.3.2.6.1.2.2.4.1.2"><p id="mrs_01_1583__p191641020141919"><strong id="mrs_01_1583__b111651720191911">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="29.13131313131313%" id="mcps1.3.2.6.1.2.2.4.1.3"><p id="mrs_01_1583__p816510205192"><strong id="mrs_01_1583__b15165220121916">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row19165020141917"><td class="cellrowborder" valign="top" width="28.494949494949495%" headers="mcps1.3.2.6.1.2.2.4.1.1 "><p id="mrs_01_1583__p7165620191911">security.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="42.37373737373738%" headers="mcps1.3.2.6.1.2.2.4.1.2 "><p id="mrs_01_1583__p1165220111913">true</p>
</td>
<td class="cellrowborder" valign="top" width="29.13131313131313%" headers="mcps1.3.2.6.1.2.2.4.1.3 "><p id="mrs_01_1583__p1116522031911">Enable SSL.</p>
</td>
</tr>
<tr id="mrs_01_1583__row8165122021919"><td class="cellrowborder" valign="top" width="28.494949494949495%" headers="mcps1.3.2.6.1.2.2.4.1.1 "><p id="mrs_01_1583__p6165172071911">akka.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="42.37373737373738%" headers="mcps1.3.2.6.1.2.2.4.1.2 "><p id="mrs_01_1583__p17165920121913">true</p>
</td>
<td class="cellrowborder" valign="top" width="29.13131313131313%" headers="mcps1.3.2.6.1.2.2.4.1.3 "><p id="mrs_01_1583__p4165920111910">Enable Akka SSL.</p>
</td>
</tr>
<tr id="mrs_01_1583__row916572019192"><td class="cellrowborder" valign="top" width="28.494949494949495%" headers="mcps1.3.2.6.1.2.2.4.1.1 "><p id="mrs_01_1583__p16165122081911">blob.service.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="42.37373737373738%" headers="mcps1.3.2.6.1.2.2.4.1.2 "><p id="mrs_01_1583__p316552011915">true</p>
</td>
<td class="cellrowborder" valign="top" width="29.13131313131313%" headers="mcps1.3.2.6.1.2.2.4.1.3 "><p id="mrs_01_1583__p5165620141913">Enable SSL for the Blob channel.</p>
</td>
</tr>
<tr id="mrs_01_1583__row13166420141919"><td class="cellrowborder" valign="top" width="28.494949494949495%" headers="mcps1.3.2.6.1.2.2.4.1.1 "><p id="mrs_01_1583__p1416622016198">taskmanager.data.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="42.37373737373738%" headers="mcps1.3.2.6.1.2.2.4.1.2 "><p id="mrs_01_1583__p16166202016191">true</p>
</td>
<td class="cellrowborder" valign="top" width="29.13131313131313%" headers="mcps1.3.2.6.1.2.2.4.1.3 "><p id="mrs_01_1583__p1516632014192">Enable SSL transmissions between TaskManagers.</p>
</td>
</tr>
<tr id="mrs_01_1583__row19166120131910"><td class="cellrowborder" valign="top" width="28.494949494949495%" headers="mcps1.3.2.6.1.2.2.4.1.1 "><p id="mrs_01_1583__p31662207193">security.ssl.algorithms</p>
</td>
<td class="cellrowborder" valign="top" width="42.37373737373738%" headers="mcps1.3.2.6.1.2.2.4.1.2 "><p id="mrs_01_1583__p11166102001918">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</p>
</td>
<td class="cellrowborder" valign="top" width="29.13131313131313%" headers="mcps1.3.2.6.1.2.2.4.1.3 "><p id="mrs_01_1583__p416672012199">Configure the SSL encryption algorithm.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1583__p12466195414114">For versions earlier than MRS 3.x, see <a href="#mrs_01_1583__table483518144219">Table 3</a>.</p>
<div class="tablenoborder"><a name="mrs_01_1583__table483518144219"></a><a name="table483518144219"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table483518144219" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Parameter description</caption><thead align="left"><tr id="mrs_01_1583__row784318164215"><th align="left" class="cellrowborder" valign="top" width="33.333333333333336%" id="mcps1.3.2.6.1.4.2.4.1.1"><p id="mrs_01_1583__p1584161874216"><strong id="mrs_01_1583__b12184161417458">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.333333333333336%" id="mcps1.3.2.6.1.4.2.4.1.2"><p id="mrs_01_1583__p10841218114218"><strong id="mrs_01_1583__b707655384">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.333333333333336%" id="mcps1.3.2.6.1.4.2.4.1.3"><p id="mrs_01_1583__p118451814428"><strong id="mrs_01_1583__b12469131624514">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row2841218154215"><td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.1 "><p id="mrs_01_1583__p18541810424">security.ssl.internal.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.2 "><p id="mrs_01_1583__p1085161894216">true</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.3 "><p id="mrs_01_1583__p1785201894219">Enable internal SSL.</p>
</td>
</tr>
<tr id="mrs_01_1583__row685131824219"><td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.1 "><p id="mrs_01_1583__p198561884217">akka.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.2 "><p id="mrs_01_1583__p785718114218">true</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.3 "><p id="mrs_01_1583__p985218164220">Enable Akka SSL.</p>
</td>
</tr>
<tr id="mrs_01_1583__row1585151874218"><td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.1 "><p id="mrs_01_1583__p118512184424">blob.service.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.2 "><p id="mrs_01_1583__p138591813425">true</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.3 "><p id="mrs_01_1583__p885818144212">Enable SSL for the Blob channel.</p>
</td>
</tr>
<tr id="mrs_01_1583__row158581804216"><td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.1 "><p id="mrs_01_1583__p18861189428">taskmanager.data.ssl.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.2 "><p id="mrs_01_1583__p78631874217">true</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.3 "><p id="mrs_01_1583__p1286018184219">Enable SSL transmissions between TaskManagers.</p>
</td>
</tr>
<tr id="mrs_01_1583__row186201814425"><td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.1 "><p id="mrs_01_1583__p1186618174213">security.ssl.algorithms</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.2 "><p id="mrs_01_1583__p39101220164316">TLS_RSA_WITH_AES128CBC_SHA256</p>
</td>
<td class="cellrowborder" valign="top" width="33.333333333333336%" headers="mcps1.3.2.6.1.4.2.4.1.3 "><p id="mrs_01_1583__p168614187420">Configure the SSL encryption algorithm.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="p" id="mrs_01_1583__p8166132041917">For versions earlier than MRS 3.x, the following parameters in <a href="#mrs_01_1583__table2016662031916">Table 4</a> do not exist in the default Flink configuration of MRS. If you want to enable SSL for external connections, add the following parameters. After SSL for external connection is enabled, the native Flink page cannot be accessed using a Yarn proxy, because the Yarn open-source version cannot process HTTPS requests using a proxy. However, you can create a Windows VM in the same VPC of the cluster and access the native Flink page from the VM.
<div class="tablenoborder"><a name="mrs_01_1583__table2016662031916"></a><a name="table2016662031916"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table2016662031916" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Parameter description</caption><thead align="left"><tr id="mrs_01_1583__row016719208199"><th align="left" class="cellrowborder" valign="top" width="33.666666666666664%" id="mcps1.3.2.6.1.5.2.2.4.1.1"><p id="mrs_01_1583__p12167120161910"><strong id="mrs_01_1583__b15498516485">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="23.909090909090907%" id="mcps1.3.2.6.1.5.2.2.4.1.2"><p id="mrs_01_1583__p616732012193"><strong id="mrs_01_1583__b12167820121913">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="42.42424242424242%" id="mcps1.3.2.6.1.5.2.2.4.1.3"><p id="mrs_01_1583__p416716202199"><strong id="mrs_01_1583__b12167182011192">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row31671620201918"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p10167142001911">security.ssl.rest.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p91673209191">true</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p81671320171913">Enable external SSL. If this parameter is set to <strong id="mrs_01_1583__b1113348054101012">true</strong>, set the related parameters by referring to <a href="#mrs_01_1583__table2016662031916">Table 4</a>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row111674206196"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p81679206198">security.ssl.rest.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p10167182020193">${path}/flink.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p1816712204198">Path for storing the <strong id="mrs_01_1583__b413637911101012">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row2167182061912"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p14167112016198">security.ssl.rest.keystore-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p116742017196">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p3168320171914">A user-defined password of <strong id="mrs_01_1583__b516160172101012">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row11168142013190"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p20168182018194">security.ssl.rest.key-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p9168182016198">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p7168102061917">A user-defined password of the SSL key.</p>
</td>
</tr>
<tr id="mrs_01_1583__row11681620191912"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p2016882061916">security.ssl.rest.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p81681620101913">${path}/flink.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p191681201196">Path for storing the <strong id="mrs_01_1583__b1134752188101012">truststore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row121684208199"><td class="cellrowborder" valign="top" width="33.666666666666664%" headers="mcps1.3.2.6.1.5.2.2.4.1.1 "><p id="mrs_01_1583__p016842018197">security.ssl.rest.truststore-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.909090909090907%" headers="mcps1.3.2.6.1.5.2.2.4.1.2 "><p id="mrs_01_1583__p31686205198">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.42424242424242%" headers="mcps1.3.2.6.1.5.2.2.4.1.3 "><p id="mrs_01_1583__p1916892018196">A user-defined password of <strong id="mrs_01_1583__b1489429911101012">truststore</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="note" id="mrs_01_1583__note015317589471"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1583__p161546582475">Enabling SSL for data transmission between TaskManagers may pose great impact on the system performance.</p>
</div></div>
</li><li id="mrs_01_1583__li0109423191711">In the <strong id="mrs_01_1583__b185982516222">bin</strong> directory of the Flink client, run the <strong id="mrs_01_1583__b128593256223"><em id="mrs_01_1583__i148590255222">sh generate_keystore.sh </em></strong><em id="mrs_01_1583__i138591025172216">&lt;password&gt;</em> command. For details, see <a href="mrs_01_1583.html">Authentication and Encryption</a>. The configuration items in <a href="#mrs_01_1583__table5150181111227">Table 5</a> are set by default for MRS 3.<em id="mrs_01_1583__i14859122592217">x</em> or later. You can also configure them manually.
<div class="tablenoborder"><a name="mrs_01_1583__table5150181111227"></a><a name="table5150181111227"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table5150181111227" frame="border" border="1" rules="all"><caption><b>Table 5 </b>Parameter description</caption><thead align="left"><tr id="mrs_01_1583__row1115181113228"><th align="left" class="cellrowborder" valign="top" width="31.858585858585858%" id="mcps1.3.2.6.2.7.2.4.1.1"><p id="mrs_01_1583__p615181110229"><strong id="mrs_01_1583__b62587431732">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="23.484848484848484%" id="mcps1.3.2.6.2.7.2.4.1.2"><p id="mrs_01_1583__p915191110221"><strong id="mrs_01_1583__b215116112228">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="44.656565656565654%" id="mcps1.3.2.6.2.7.2.4.1.3"><p id="mrs_01_1583__p71517113227"><strong id="mrs_01_1583__b141511611152210">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row81511111192212"><td class="cellrowborder" valign="top" width="31.858585858585858%" headers="mcps1.3.2.6.2.7.2.4.1.1 "><p id="mrs_01_1583__p7151191119221">security.ssl.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="23.484848484848484%" headers="mcps1.3.2.6.2.7.2.4.1.2 "><p id="mrs_01_1583__p1151181110229">${path}/flink.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="44.656565656565654%" headers="mcps1.3.2.6.2.7.2.4.1.3 "><p id="mrs_01_1583__p141514118223">Path for storing the <strong id="mrs_01_1583__b1876962902101012">keystore</strong>. <strong id="mrs_01_1583__b1272678175101012">flink.keystore</strong> indicates the name of the <strong id="mrs_01_1583__b1692733590101012">keystore</strong> file generated by the <strong id="mrs_01_1583__b512541498101012">generate_keystore.sh*</strong> tool.</p>
</td>
</tr>
<tr id="mrs_01_1583__row61511511192214"><td class="cellrowborder" valign="top" width="31.858585858585858%" headers="mcps1.3.2.6.2.7.2.4.1.1 "><p id="mrs_01_1583__p615115111221">security.ssl.keystore-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.484848484848484%" headers="mcps1.3.2.6.2.7.2.4.1.2 "><p id="mrs_01_1583__p1815115111229">-</p>
</td>
<td class="cellrowborder" valign="top" width="44.656565656565654%" headers="mcps1.3.2.6.2.7.2.4.1.3 "><p id="mrs_01_1583__p1015112119227">A user-defined password of <strong id="mrs_01_1583__b981584474101012">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row5151111112219"><td class="cellrowborder" valign="top" width="31.858585858585858%" headers="mcps1.3.2.6.2.7.2.4.1.1 "><p id="mrs_01_1583__p1615114114229">security.ssl.key-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.484848484848484%" headers="mcps1.3.2.6.2.7.2.4.1.2 "><p id="mrs_01_1583__p8151191112225">-</p>
</td>
<td class="cellrowborder" valign="top" width="44.656565656565654%" headers="mcps1.3.2.6.2.7.2.4.1.3 "><p id="mrs_01_1583__p19151611142216">A user-defined password of the SSL key.</p>
</td>
</tr>
<tr id="mrs_01_1583__row10151311102214"><td class="cellrowborder" valign="top" width="31.858585858585858%" headers="mcps1.3.2.6.2.7.2.4.1.1 "><p id="mrs_01_1583__p2151131114222">security.ssl.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="23.484848484848484%" headers="mcps1.3.2.6.2.7.2.4.1.2 "><p id="mrs_01_1583__p115241122212">${path}/flink.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="44.656565656565654%" headers="mcps1.3.2.6.2.7.2.4.1.3 "><p id="mrs_01_1583__p3152121162210">Path for storing the <strong id="mrs_01_1583__b593713058101012">truststore</strong>. <strong id="mrs_01_1583__b2074299296101012">flink.truststore</strong> indicates the name of the <strong id="mrs_01_1583__b500504887101012">truststore</strong> file generated by the <strong id="mrs_01_1583__b247863352101012">generate_keystore.sh*</strong> tool.</p>
</td>
</tr>
<tr id="mrs_01_1583__row515217114226"><td class="cellrowborder" valign="top" width="31.858585858585858%" headers="mcps1.3.2.6.2.7.2.4.1.1 "><p id="mrs_01_1583__p10152161142210">security.ssl.truststore-password</p>
</td>
<td class="cellrowborder" valign="top" width="23.484848484848484%" headers="mcps1.3.2.6.2.7.2.4.1.2 "><p id="mrs_01_1583__p1515210113229">-</p>
</td>
<td class="cellrowborder" valign="top" width="44.656565656565654%" headers="mcps1.3.2.6.2.7.2.4.1.3 "><p id="mrs_01_1583__p71521411172213">A user-defined password of <strong id="mrs_01_1583__b749388243101012">truststore</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1583__p6814173753319">For versions earlier than MRS 3.x, the <strong id="mrs_01_1583__b7156142793619"><em id="mrs_01_1583__i315692716360">generate_keystore.sh</em></strong> command is generated automatically, and the configuration items in <a href="#mrs_01_1583__table93931053183719">Table 6</a> are set by default. You can also configure them manually.</p>
<div class="tablenoborder"><a name="mrs_01_1583__table93931053183719"></a><a name="table93931053183719"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table93931053183719" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Parameter description</caption><thead align="left"><tr id="mrs_01_1583__row20393105319372"><th align="left" class="cellrowborder" valign="top" width="31.141414141414142%" id="mcps1.3.2.6.2.9.2.4.1.1"><p id="mrs_01_1583__p123941453123715"><strong id="mrs_01_1583__b296716391867">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.949494949494948%" id="mcps1.3.2.6.2.9.2.4.1.2"><p id="mrs_01_1583__p63941353153718"><strong id="mrs_01_1583__b1415814289">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="43.90909090909091%" id="mcps1.3.2.6.2.9.2.4.1.3"><p id="mrs_01_1583__p17394353103716"><strong id="mrs_01_1583__b107691442765">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row1339413532376"><td class="cellrowborder" valign="top" width="31.141414141414142%" headers="mcps1.3.2.6.2.9.2.4.1.1 "><p id="mrs_01_1583__p1861113313819">security.ssl.internal.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="24.949494949494948%" headers="mcps1.3.2.6.2.9.2.4.1.2 "><p id="mrs_01_1583__p203943535379">${path}/flink.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="43.90909090909091%" headers="mcps1.3.2.6.2.9.2.4.1.3 "><p id="mrs_01_1583__p23942539376">Path for storing the <strong id="mrs_01_1583__b4732124517612">keystore</strong>. <strong id="mrs_01_1583__b773304514612">flink.keystore</strong> indicates the name of the <strong id="mrs_01_1583__b67331445268">keystore</strong> file generated by the <strong id="mrs_01_1583__b77341845368">generate_keystore.sh*</strong> tool.</p>
</td>
</tr>
<tr id="mrs_01_1583__row1739410539378"><td class="cellrowborder" valign="top" width="31.141414141414142%" headers="mcps1.3.2.6.2.9.2.4.1.1 "><p id="mrs_01_1583__p18975201413816">security.ssl.internal.keystore-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.949494949494948%" headers="mcps1.3.2.6.2.9.2.4.1.2 "><p id="mrs_01_1583__p1394115320370">-</p>
</td>
<td class="cellrowborder" valign="top" width="43.90909090909091%" headers="mcps1.3.2.6.2.9.2.4.1.3 "><p id="mrs_01_1583__p1639455314377">A user-defined password of <strong id="mrs_01_1583__b107125711717">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row339415363710"><td class="cellrowborder" valign="top" width="31.141414141414142%" headers="mcps1.3.2.6.2.9.2.4.1.1 "><p id="mrs_01_1583__p239495393716">security.ssl.internal.key-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.949494949494948%" headers="mcps1.3.2.6.2.9.2.4.1.2 "><p id="mrs_01_1583__p1395953103717">-</p>
</td>
<td class="cellrowborder" valign="top" width="43.90909090909091%" headers="mcps1.3.2.6.2.9.2.4.1.3 "><p id="mrs_01_1583__p163951853183714">A user-defined password of the SSL key.</p>
</td>
</tr>
<tr id="mrs_01_1583__row1939516536372"><td class="cellrowborder" valign="top" width="31.141414141414142%" headers="mcps1.3.2.6.2.9.2.4.1.1 "><p id="mrs_01_1583__p1856511376387">security.ssl.internal.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="24.949494949494948%" headers="mcps1.3.2.6.2.9.2.4.1.2 "><p id="mrs_01_1583__p18395053113711">${path}/flink.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="43.90909090909091%" headers="mcps1.3.2.6.2.9.2.4.1.3 "><p id="mrs_01_1583__p1539513533374">Path for storing the <strong id="mrs_01_1583__b38774211679">truststore</strong>. <strong id="mrs_01_1583__b158826214710">flink.truststore</strong> indicates the name of the <strong id="mrs_01_1583__b148821121078">truststore</strong> file generated by the <strong id="mrs_01_1583__b198836216715">generate_keystore.sh*</strong> tool.</p>
</td>
</tr>
<tr id="mrs_01_1583__row16395105353715"><td class="cellrowborder" valign="top" width="31.141414141414142%" headers="mcps1.3.2.6.2.9.2.4.1.1 "><p id="mrs_01_1583__p27491947203817">security.ssl.internal.truststore-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.949494949494948%" headers="mcps1.3.2.6.2.9.2.4.1.2 "><p id="mrs_01_1583__p939511532374">-</p>
</td>
<td class="cellrowborder" valign="top" width="43.90909090909091%" headers="mcps1.3.2.6.2.9.2.4.1.3 "><p id="mrs_01_1583__p0395153123713">A user-defined password of <strong id="mrs_01_1583__b324582510717">truststore</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1583__p2152611122213">For versions earlier than MRS 3.x, if SSL for external connections is enabled, that is, <strong id="mrs_01_1583__b1695817353711">security.ssl.rest.enabled</strong> is set to <strong id="mrs_01_1583__b665133912714">true</strong>, you need to configure the parameters listed in <a href="#mrs_01_1583__table1615251112213">Table 7</a>.</p>
<div class="tablenoborder"><a name="mrs_01_1583__table1615251112213"></a><a name="table1615251112213"></a><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1583__table1615251112213" frame="border" border="1" rules="all"><caption><b>Table 7 </b>Parameters</caption><thead align="left"><tr id="mrs_01_1583__row1115381113221"><th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.2.6.2.11.2.4.1.1"><p id="mrs_01_1583__p1915361122214"><strong id="mrs_01_1583__b1897417566711">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="24.636363636363633%" id="mcps1.3.2.6.2.11.2.4.1.2"><p id="mrs_01_1583__p1515331112217"><strong id="mrs_01_1583__b12153181162219">Example Value</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="42.03030303030303%" id="mcps1.3.2.6.2.11.2.4.1.3"><p id="mrs_01_1583__p15153191172214"><strong id="mrs_01_1583__b815371102214">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1583__row13153141152215"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p2153181142219">security.ssl.rest.enabled</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p315320112227">true</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p1115310110227">Enable external SSL. If this parameter is set to <strong id="mrs_01_1583__b1310810389101012">true</strong>, set the related parameters by referring to <a href="#mrs_01_1583__table1615251112213">Table 7</a>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row181531711202216"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p11154211172212">security.ssl.rest.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p1315412111221">${path}/flink.keystore</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p8154111182213">Path for storing the <strong id="mrs_01_1583__b1531849743101012">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row1315451192215"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p101541011172215">security.ssl.rest.keystore-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p1415411112219">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p171543111224">A user-defined password of <strong id="mrs_01_1583__b1669801055101012">keystore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row15155151142218"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p15155811162214">security.ssl.rest.key-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p01554115222">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p16155111182216">A user-defined password of the SSL key.</p>
</td>
</tr>
<tr id="mrs_01_1583__row415521182212"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p51559117225">security.ssl.rest.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p161551411132213">${path}/flink.truststore</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p14156111112214">Path for storing the <strong id="mrs_01_1583__b2053201133101012">truststore</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1583__row215616119222"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.6.2.11.2.4.1.1 "><p id="mrs_01_1583__p10156101111229">security.ssl.rest.truststore-password</p>
</td>
<td class="cellrowborder" valign="top" width="24.636363636363633%" headers="mcps1.3.2.6.2.11.2.4.1.2 "><p id="mrs_01_1583__p101567113221">-</p>
</td>
<td class="cellrowborder" valign="top" width="42.03030303030303%" headers="mcps1.3.2.6.2.11.2.4.1.3 "><p id="mrs_01_1583__p1515631182213">A user-defined password of <strong id="mrs_01_1583__b951551815101012">truststore</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="mrs_01_1583__note015681112228"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1583__p1815617111229">The <strong id="mrs_01_1583__b1205197712101012">path</strong> directory is a user-defined directory for storing configuration files of the SSL keystore and truststore. The commands vary according to the relative path and absolute path. For details, see <a href="#mrs_01_1583__li02291947181712">3</a> and <a href="#mrs_01_1583__li15533111081818">4</a>.</p>
</div></div>
</li><li id="mrs_01_1583__li02291947181712"><a name="mrs_01_1583__li02291947181712"></a><a name="li02291947181712"></a>If the <strong id="mrs_01_1583__b1313606383101012">keystore</strong> or <strong id="mrs_01_1583__b1651215760101012">truststore</strong> file path is a relative path, the Flink client directory where the command is executed needs to access this relative path directly. Either of the following method can be used to transmit the keystore and truststore file:<ul id="mrs_01_1583__ul19691717192310"><li id="mrs_01_1583__li769101722314">Add <strong id="mrs_01_1583__b1146364344101012">-t</strong> option to the <strong id="mrs_01_1583__b808812728101012">CLI yarn-session.sh</strong> command to transfer the <strong id="mrs_01_1583__b1381081593101012">keystore</strong> and <strong id="mrs_01_1583__b259461042101012">truststore</strong> file to execution nodes. Example:<pre class="screen" id="mrs_01_1583__screen1569131792313">./bin/yarn-session.sh -t ssl/</pre>
</li><li id="mrs_01_1583__li1170141792312">Add <strong id="mrs_01_1583__b1909679154101012">-yt</strong> option to the <strong id="mrs_01_1583__b30169852101012">flink run</strong> command to transfer the <strong id="mrs_01_1583__b1193406759101012">keystore</strong> and <strong id="mrs_01_1583__b249744439101012">truststore</strong> file to execution nodes. Example:<pre class="screen" id="mrs_01_1583__screen1570191732312">./bin/flink run -yt ssl/ -ys 3 -m yarn-cluster -c org.apache.flink.examples.java.wordcount.WordCount /opt/client/Flink/flink/examples/batch/WordCount.jar</pre>
<div class="note" id="mrs_01_1583__note270317102316"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_1583__ul970717152318"><li id="mrs_01_1583__li67014178233">In the preceding example, <strong id="mrs_01_1583__b1141545185101012">ssl/</strong> is the sub-directory of the Flink client directory. It is used to store configuration files of the SSL keystore and truststore.</li><li id="mrs_01_1583__li2070417202312">The relative path of <strong id="mrs_01_1583__b1513973209101012">ssl/</strong> must be accessible from the current path where the Flink client command is run.</li></ul>
</div></div>
</li></ul>
</li><li id="mrs_01_1583__li15533111081818"><a name="mrs_01_1583__li15533111081818"></a><a name="li15533111081818"></a>If the keystore or truststore file path is an absolute path, the keystore and truststore files must exist in the absolute path on Flink Client and all nodes.<div class="note" id="mrs_01_1583__note2771125792316"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1583__p877245718234">For versions earlier than MRS 3.x, the user who submits the job must have the permission to read the keystore and truststore files.</p>
</div></div>
<p id="mrs_01_1583__p187721557172318">Either of the following methods can be used to execute applications. The <strong id="mrs_01_1583__b1625609797101012">-t</strong> or <strong id="mrs_01_1583__b1536739835101012">-yt</strong> option does not need to be added to transmit the <strong id="mrs_01_1583__b488098729101012">keystore</strong> and <strong id="mrs_01_1583__b2111240676101012">truststore</strong> files.</p>
<ul id="mrs_01_1583__ul977215713237"><li id="mrs_01_1583__li1077265716232">Run the <strong id="mrs_01_1583__b757442848101012">CLI yarn-session.sh</strong> command of Flink to execute applications. Example:<pre class="screen" id="mrs_01_1583__screen1777210573238">./bin/yarn-session.sh</pre>
</li><li id="mrs_01_1583__li9772857102312">Run the <strong id="mrs_01_1583__b453428774101012">Flink run</strong> command to execute applications. Example:<pre class="screen" id="mrs_01_1583__screen1077220578232">./bin/flink run -ys 3 -m yarn-cluster -c org.apache.flink.examples.java.wordcount.WordCount /opt/client/Flink/flink/examples/batch/WordCount.jar</pre>
</li></ul>
</li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_0594.html">Security Hardening</a></div>
</div>
</div>
View Git Blame Copy Permalink