[ https://issues.apache.org/jira/browse/FLINK-9261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16468737#comment-16468737 ]

ASF GitHub Bot commented on FLINK-9261:
---------------------------------------

GitHub user GJL opened a pull request:

    https://github.com/apache/flink/pull/5973

    [FLINK-9261][ssl] Fix SSL support for REST API and Web UI.

    ## What is the purpose of the change
    
    *Fix SSL support for REST API and Web UI.*
    
    cc: @tillrohrmann @StephanEwen @zentol 
    
    ## Brief change log
    
      - *Remove wrong reuse of SSLEngine instances. SSLEngine must be re-created for
        every SocketChannel initialization.*
      - *Add ChunkedWriteHandler to REST server pipeline because StaticFileServerHandler
        relies on it.*
      - *Add integration tests to verify that SSL can be enabled.*
    
    
    ## Verifying this change
    
    
    This change added tests and can be verified as follows:
      - *Added integration tests to check if the RestServerEndpoint works with SSL enabled.*
      - *Manually verified the change by submitting a job to a cluster with SSL enabled via the CLI, and by accessing the Web UI.*
    
    ## Does this pull request potentially affect one of the following parts:
    
      - Dependencies (does it add or upgrade a dependency): (yes / **no**)
      - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
      - The serializers: (yes / **no** / don't know)
      - The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
      - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (**yes** / no / don't know)
      - The S3 file system connector: (yes / **no** / don't know)
    
    ## Documentation
    
      - Does this pull request introduce a new feature? (yes / **no**)
      - If yes, how is the feature documented? (**not applicable** / docs / JavaDocs / not documented)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/GJL/flink FLINK-9261

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5973.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5973
    
----
commit a74fee4853e8b97427e9607b8ed6bdaeedae0c12
Author: gyao <gary@...>
Date:   2018-05-09T11:30:23Z

    [FLINK-9261][ssl,flip6] Fix SSL support for REST API and Web UI.
    
    - Remove wrong reuse of SSLEngine instances. SSLEngine must be re-created for
    every SocketChannel initialization.
    - Add ChunkedWriteHandler to REST server pipeline because StaticFileServerHandler
    relies on it.
    - Add integration tests to verify that SSL can be enabled.

commit 710c7e222ff7c13b48ecb4a1549571afae60312c
Author: gyao <gary@...>
Date:   2018-05-09T11:41:29Z

    [hotfix][ssl,docs] Use markdown hyperlink instead of writing out the URL.

----


> Regression - Flink CLI and Web UI not working when SSL is enabled
> -----------------------------------------------------------------
>
>                 Key: FLINK-9261
>                 URL: https://issues.apache.org/jira/browse/FLINK-9261
>             Project: Flink
>          Issue Type: Bug
>          Components: Client, Network, Web Client
>    Affects Versions: 1.5.0
>            Reporter: Edward Rojas
>            Assignee: Gary Yao
>            Priority: Blocker
>              Labels: regression
>             Fix For: 1.5.0
>
>
> When *security.ssl.enabled* config is set to true, Web UI is no longer 
> reachable; there are no logs on jobmanager. 
>  
> When setting *web.ssl.enabled* to false (keeping security.ssl.enabled to 
> true), the dashboard is not reachable and there is the following exception on 
> jobmanager: 
> {code:java}
> WARN  org.apache.flink.runtime.dispatcher.DispatcherRestEndpoint    - Unhandled exception
> org.apache.flink.shaded.netty4.io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 
> at org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:940)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:315)
> at org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:229)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:339)
> at org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:324)
> at org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:847)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
> at org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:111)
> at org.apache.flink.shaded.netty4.io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Also when trying to use the Flink CLI, it gets stuck on "Waiting for 
> response..." and there are no error messages on jobmanager. None of the 
> commands work (list, run, etc.).
>  
> Taskmanagers are able to register with Jobmanager, so the SSL configuration 
> is good.
>  
> SSL configuration:
> security.ssl.enabled: true
> security.ssl.keystore: /path/to/keystore
> security.ssl.keystore-password: xxxx
> security.ssl.key-password: xxxx
> security.ssl.truststore: /path/to/truststore
> security.ssl.truststore-password: xxxx
> web.ssl.enabled: false
> This same configuration works perfectly on Flink 1.4.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
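
The two pipeline changes listed in the change log above, sketched as an added example that is not the code from pull request #5973 or from Flink. It assumes plain (unshaded) Netty 4 on the classpath; the class name `TlsRestInitializer`, the handler names and the 1 MiB aggregator limit are hypothetical.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.stream.ChunkedWriteHandler;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical REST server pipeline setup; not Flink's RestServerEndpoint. */
public final class TlsRestInitializer extends ChannelInitializer<SocketChannel> {

    // Safe to share across connections: the SSLContext is only a factory
    // that holds the key material and trust anchors.
    private final SSLContext sslContext;

    // The pattern the change log calls wrong would be a field like this:
    //     private final SSLEngine sharedEngine;
    // An SSLEngine holds the handshake and record state of ONE connection,
    // so a single instance cannot serve a second channel.

    public TlsRestInitializer(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // initChannel runs once per accepted SocketChannel, so the engine
        // created here is never shared between connections.
        SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake

        ch.pipeline()
            .addLast("ssl", new SslHandler(engine))
            .addLast("http", new HttpServerCodec())
            .addLast("aggregator", new HttpObjectAggregator(1 << 20))
            // Handlers that write ChunkedInput (for example file content
            // sent through TLS) need this handler earlier in the pipeline.
            .addLast("chunked", new ChunkedWriteHandler());
        // Application handlers (hypothetical) would be added after this point.
    }
}
```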
