[ 
https://issues.apache.org/jira/browse/FLINK-3931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15555383#comment-15555383
 ] 

ASF GitHub Bot commented on FLINK-3931:
---------------------------------------

Github user skrishnappa commented on a diff in the pull request:

    https://github.com/apache/flink/pull/2518#discussion_r82412401
  
    --- Diff: docs/setup/config.md ---
    @@ -140,6 +140,8 @@ will be used under the directory specified by 
jobmanager.web.tmpdir.
     
     - `blob.server.port`: Port definition for the blob server (serving user 
jar's) on the Taskmanagers. By default the port is set to 0, which means that 
the operating system is picking an ephemeral port. Flink also accepts a list of 
ports ("50100,50101"), ranges ("50100-50200") or a combination of both. It is 
recommended to set a range of ports to avoid collisions when multiple 
JobManagers are running on the same machine.
     
    +- `blob.service.ssl.enabled`: Flag to enable ssl for the blob 
client/server communication. This is applicable only when the global ssl flag 
security.ssl.enabled is set to true (DEFAULT: true).
    --- End diff --
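
Review bot: In the added `blob.service.ssl.enabled` entry, the trailing "(DEFAULT: true)" comes directly after "security.ssl.enabled is set to true", so it reads as the default of the global flag rather than of this option. Move the default next to the option's own description, and put `security.ssl.enabled` in backticks like the other keys in this file. Since the entry says the flag applies only when the global flag is true, it would also help to state that its purpose is to switch SSL off for the blob client/server channel while the global flag stays on.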
    
    Setting security.ssl.enabled to true will enable ssl for all communication. 
The other flags are required only for selectively disabling ssl (they are set 
to true by default). The reasons I chose to provide the extra flags are the 
following
    * web frontend - this is useful if the admin chooses to encrypt only 
external traffic
    * taskmanager data transfer - enabling ssl here might have significant 
performance impact and the admin might choose to encrypt only management and 
control traffic
    
    I am slightly biased towards keeping these extra config (based on past 
experiences) and wasn't sure what the community would prefer. I am fine 
removing these and doing SSL - all or nothing, please let me know.



> Implement Transport Encryption (SSL/TLS)
> ----------------------------------------
>
>                 Key: FLINK-3931
>                 URL: https://issues.apache.org/jira/browse/FLINK-3931
>             Project: Flink
>          Issue Type: New Feature
>            Reporter: Eron Wright 
>            Assignee: Suresh Krishnappa
>              Labels: security
>   Original Estimate: 1,008h
>  Remaining Estimate: 1,008h
>
> _This issue is part of a series of improvements detailed in the [Secure Data 
> Access|https://docs.google.com/document/d/1-GQB6uVOyoaXGwtqwqLV8BHDxWiMO2WnVzBoJ8oPaAs/edit?usp=sharing]
>  design doc._
> To assure privacy and data integrity between Flink components, enable TLS for 
> all communication channels.  As described in the design doc:
> - Accept a configured certificate or generate a certificate.
> - Enable Akka SSL
> - Implement Data Transfer SSL
> - Implement Blob Server SSL
> - Implement Web UI HTTPS



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
