[ https://issues.apache.org/jira/browse/FLINK-9261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16468737#comment-16468737 ]
ASF GitHub Bot commented on FLINK-9261:
---------------------------------------

GitHub user GJL opened a pull request:

https://github.com/apache/flink/pull/5973

[FLINK-9261][ssl] Fix SSL support for REST API and Web UI.

## What is the purpose of the change

*Fix SSL support for REST API and Web UI.*

cc: @tillrohrmann @StephanEwen @zentol

## Brief change log

- *Remove wrong reuse of SSLEngine instances. SSLEngine must be re-created for every SocketChannel initialization.*
- *Add ChunkedWriteHandler to REST server pipeline because StaticFileServerHandler relies on it.*
- *Add integration tests to verify that SSL can be enabled.*

## Verifying this change

This change added tests and can be verified as follows:

- *Added integration tests to check if the RestServerEndpoint works with SSL enabled.*
- *Manually verified the change by submitting a job to a cluster with SSL enabled via the CLI, and by accessing the Web UI.*

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): (yes / **no**)
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
- The serializers: (yes / **no** / don't know)
- The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (**yes** / no / don't know)
- The S3 file system connector: (yes / **no** / don't know)

## Documentation

- Does this pull request introduce a new feature? (yes / **no**)
- If yes, how is the feature documented? (**not applicable** / docs / JavaDocs / not documented)

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/GJL/flink FLINK-9261

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/flink/pull/5973.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #5973

----
commit a74fee4853e8b97427e9607b8ed6bdaeedae0c12
Author: gyao <gary@...>
Date: 2018-05-09T11:30:23Z

[FLINK-9261][ssl,flip6] Fix SSL support for REST API and Web UI.

- Remove wrong reuse of SSLEngine instances. SSLEngine must be re-created for every SocketChannel initialization.
- Add ChunkedWriteHandler to REST server pipeline because StaticFileServerHandler relies on it.
- Add integration tests to verify that SSL can be enabled.

commit 710c7e222ff7c13b48ecb4a1549571afae60312c
Author: gyao <gary@...>
Date: 2018-05-09T11:41:29Z

[hotfix][ssl,docs] Use markdown hyperlink instead of writing out the URL.

----

> Regression - Flink CLI and Web UI not working when SSL is enabled
> -----------------------------------------------------------------
>
> Key: FLINK-9261
> URL: https://issues.apache.org/jira/browse/FLINK-9261
> Project: Flink
> Issue Type: Bug
> Components: Client, Network, Web Client
> Affects Versions: 1.5.0
> Reporter: Edward Rojas
> Assignee: Gary Yao
> Priority: Blocker
> Labels: regression
> Fix For: 1.5.0
>
>
> When *security.ssl.enabled* config is set to true, Web UI is no longer reachable; there are no logs on jobmanager.
>
> When setting *web.ssl.enabled* to false (keeping security.ssl.enabled to true), the dashboard is not reachable and there is the following exception on jobmanager:
> {code:java}
> WARN org.apache.flink.runtime.dispatcher.DispatcherRestEndpoint - Unhandled exception
> org.apache.flink.shaded.netty4.io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
> at org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:940)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:315)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:229)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:339)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:324)
> at org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:847)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Also when trying to use the Flink CLI, it gets stuck on "Waiting for response..." and there are no error messages on jobmanager. None of the commands works, list, run etc.
>
> Taskmanagers are able to register to Jobmanager, so the SSL configuration is good.
>
> SSL configuration:
> security.ssl.enabled: true
> security.ssl.keystore: /path/to/keystore
> security.ssl.keystore-password: xxxx
> security.ssl.key-password: xxxx
> security.ssl.truststore: /path/to/truststore
> security.ssl.truststore-password: xxxx
> web.ssl.enabled: false
> This same configuration works perfectly on Flink 1.4.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
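
The first two change-log items of the pull request above, sketched against plain Netty 4 as an added example (not Flink's code and not part of the original message). The class names and handler names are hypothetical, and the unshaded `io.netty` packages stand in for Flink's shaded ones.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.stream.ChunkedWriteHandler;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; class and handler names are hypothetical, not Flink's.
public final class RestSslPipelines {

    /** Broken: one SSLEngine is created up front and reused for every connection. */
    static final class SharedEngineInitializer extends ChannelInitializer<SocketChannel> {
        private final SSLEngine engine;

        SharedEngineInitializer(SSLContext sslContext) {
            engine = sslContext.createSSLEngine();
            engine.setUseClientMode(false);
        }

        @Override
        protected void initChannel(SocketChannel ch) {
            // An SSLEngine carries the handshake and record state of ONE connection,
            // so every channel after the first gets an engine that is already in use.
            ch.pipeline().addLast("ssl", new SslHandler(engine));
            ch.pipeline().addLast("http", new HttpServerCodec());
        }
    }

    /** Fixed: share only the SSLContext and build a fresh engine per channel. */
    static final class PerChannelEngineInitializer extends ChannelInitializer<SocketChannel> {
        private final SSLContext sslContext;

        PerChannelEngineInitializer(SSLContext sslContext) {
            this.sslContext = sslContext;
        }

        @Override
        protected void initChannel(SocketChannel ch) {
            SSLEngine engine = sslContext.createSSLEngine(); // new state for this socket
            engine.setUseClientMode(false);                  // server side of the handshake
            ch.pipeline().addLast("ssl", new SslHandler(engine));
            ch.pipeline().addLast("http", new HttpServerCodec());
            // Handlers that write ChunkedInput (e.g. static file responses) rely on
            // this handler to stream the chunks out.
            ch.pipeline().addLast("chunked", new ChunkedWriteHandler());
        }
    }
}
```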