[
https://issues.apache.org/jira/browse/FLUME-3269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16627482#comment-16627482
]
ASF GitHub Bot commented on FLUME-3269:
---------------------------------------
GitHub user turcsanyip opened a pull request:
https://github.com/apache/flume/pull/228
FLUME-3269: Support JSSE keystore/trustore -D system properties
It makes possible to specify global/common SSL keystore parameters (path,
password and type) at Flume agent (process) level for all sources/sinks.
In this way, it is not necessary to define (=copy) the SSL config for each
component in the agent config.
The global SSL parameters can be specified through the standard -D JSSE
system properties or in environment variables.
Component level configuration is still possible.
Priority:
1. component parameters in agent config
2. -D system properties
2. environment variables
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/turcsanyip/flume FLUME-3269
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flume/pull/228.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #228
----
commit 2aa65ae1c6bcd87844d17fffde84f6a058972c58
Author: turcsanyi <turcsanyi@...>
Date: 2018-09-13T17:08:01Z
FLUME-3269: Support JSSE keystore/trustore -D system properties
It makes possible to specify global/common SSL keystore parameters (path,
password and type) at Flume agent (process) level for all sources/sinks.
In this way, it is not necessary to define (=copy) the SSL config for each
component in the agent config.
The global SSL parameters can be specified through the standard -D JSSE
system properties or in environment variables.
Component level configuration is still possible.
Priority:
1. component parameters in agent config
2. -D system properties
2. environment variables
----
> Support JSSE keystore/trustore -D system properties
> ---------------------------------------------------
>
> Key: FLUME-3269
> URL: https://issues.apache.org/jira/browse/FLUME-3269
> Project: Flume
> Issue Type: Improvement
> Reporter: Peter Turcsanyi
> Assignee: Peter Turcsanyi
> Priority: Major
>
> Several Flume components support SSL, but they all have their own config
> parameters for specifying the location and password for keystore and
> truststore.
> These parameters could be passed as standard JSSE system properties
> (specified in flume-env.sh):
> {code}
> -Djavax.net.ssl.keyStore=/path/to/keystore
> -Djavax.net.ssl.keyStorePassword=keystore-password
> -Djavax.net.ssl.keyStoreType=keystore-type
> -Djavax.net.ssl.trustStore=/path/to/truststore
> -Djavax.net.ssl.trustStorePassword=truststore-password
> -Djavax.net.ssl.trustStoreType=truststore-type
> {code}
> This would be a more consistent and standard based configuration.
> Specifying passwords in system properties means that the passwords can be
> seen in the process list. For cases where it is not acceptable, it will also
> be possible to define the parameters in environment variables.
> {code}
> FLUME_SSL_KEYSTORE_PATH
> FLUME_SSL_KEYSTORE_PASSWORD
> FLUME_SSL_KEYSTORE_TYPE
> FLUME_SSL_TRUSTSTORE_PATH
> FLUME_SSL_TRUSTSTORE_PASSWORD
> FLUME_SSL_TRUSTSTORE_TYPE
> {code}
> The logic of applying the SSL config parameters for an SSL-enabled
> source/sink:
> - if the agent config defines the SSL parameter for the component, then they
> will be used (allowing customisation and backward compatibility)
> - if no SSL parameters are defined for the component, but the -D system
> properties are present, then they will be used
> - if neither the component SSL parameters nor the -D system properties are
> defined, but the environment variable are present, then they will be used
> - otherwise config error
> So the priority:
> # component parameters in agent config
> # -D system properties
> # environment variables
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
