[jira] [Commented] (FLINK-10069) Add docs for updates SSL model

2018-08-08 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/FLINK-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16573514#comment-16573514
 ] 

ASF GitHub Bot commented on FLINK-10069:


asfgit closed pull request #6507:  [FLINK-10069] [docs] Update SSL docs to 
reflect internal vs. external communication
URL: https://github.com/apache/flink/pull/6507
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/docs/fig/ssl_internal_external.svg 
b/docs/fig/ssl_internal_external.svg
new file mode 100755
index 000..04262d29cbc
--- /dev/null
+++ b/docs/fig/ssl_internal_external.svg
@@ -0,0 +1,336 @@
+
+
+http://purl.org/dc/elements/1.1/;
+   xmlns:cc="http://creativecommons.org/ns#;
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#;
+   xmlns:svg="http://www.w3.org/2000/svg;
+   xmlns="http://www.w3.org/2000/svg;
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd;
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape;
+   width="831.19"
+   height="364.59875"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.48.5 r10040">
+  
+  
+  
+
+  
+image/svg+xml
+http://purl.org/dc/dcmitype/StillImage; />
+
+  
+
+  
+  
+
+  
+  Task 
+  Manager
+  
+  Task 
+  Manager
+  
+  Task 
+  Manager
+  
+  Resource
+  Manager
+  
+  Job
+  Manager
+  
+  Master Process
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  RPC / BLOB
+  Data Plane
+  Data Plane
+  
+  
+  
+  REST
+  Internal
+  External
+  
+  Browser
+  
+  CLI
+  
+  Tools
+  
+  
+  HTTP
+  
+  Dispatcher
+
+  
+
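Review bot: `new file mode 100755` on docs/fig/ssl_internal_external.svg marks a static documentation figure as executable; it should be added as 100644 so the executable bit is not carried into checkouts and release archives. The file also keeps the `sodipodi`/`inkscape` namespaces and `inkscape:version="0.48.5 r10040"`; exporting as plain SVG would drop the editor-specific metadata from this 336-line asset.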
diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index 1a3c3810250..ed5f4d771bc 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -22,16 +22,111 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-This page provides instructions on how to enable SSL for the network 
communication between different Flink components.
+This page provides instructions on how to enable TLS/SSL authentication and 
encryption for network communication with and between Flink processes.
 
-## SSL Configuration
+## Internal and External Connectivity
 
-SSL can be enabled for all network communication between Flink components. SSL 
keystores and truststore has to be deployed on each Flink node and configured 
(conf/flink-conf.yaml) using keys in the security.ssl.* namespace (Please see 
the [configuration page](config.html) for details). SSL can be selectively 
enabled/disabled for different transports using the following flags. These 
flags are only applicable when security.ssl.enabled is set to true.
+When securing network connections between machines processes through 
authentication and encryption, Apache Flink differentiates between *internal* 
and *external* connectivity.
+*Internal Connectivity* refers to all connections made between Flink 
processes. These connections run Flink custom protocols. Users never connect 
directly to internal connectivity endpoints.
+*External / REST Connectivity* endpoints refers to all connections made from 
the outside to Flink processes. This includes the web UI and REST commands to
+start and control running Flink jobs/applications, including the communication 
of the Flink CLI with the JobManager / Dispatcher.
 
-* **taskmanager.data.ssl.enabled**: SSL flag for data communication between 
task managers
-* **blob.service.ssl.enabled**: SSL flag for blob service client/server 
communication
-* **akka.ssl.enabled**: SSL flag for akka based control connection between the 
Flink client, jobmanager and taskmanager 
-* **jobmanager.web.ssl.enabled**: Flag to enable https access to the 
jobmanager's web frontend
+For more flexibility, security for internal and external connectivity can be 
enabled and configured separately.
+
+
+  
+
+
+ Internal Connectivity
+
+Internal connectivity includes:
+
+  - Control messages: RPC between JobManager / TaskManager / Dispatcher / 
ResourceManager
+  - The data plane: The connections between TaskManagers to exchange data 
during shuffles, broadcasts, redistribution, etc.
+  - The Blob Service (distribution of libraries and other artifacts). 
+
+All internal connections are SSL authenticated and encrypted. The connections 
use **mutual authentication**, meaning both server
+and client side of each connection need to present the certificate to each 
other. The certificate acts effectively as a shared
+secret. 
+
+A common setup is to generate a dedicated certificate (may 
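Review bot: In the Internal Connectivity section, "All internal connections are SSL authenticated and encrypted" is stated unconditionally, while the paragraph above says security for internal and external connectivity "can be enabled and configured separately"; qualify the sentence as applying when internal SSL is enabled, so readers do not assume a default cluster is protected. Because the text says the certificate "acts effectively as a shared secret", it should also spell out the consequence: any party holding that keystore can authenticate as a Flink process, so the file needs restricted access on every node. The hunk removes the list of per-transport flags (`taskmanager.data.ssl.enabled`, `blob.service.ssl.enabled`, `akka.ssl.enabled`, `jobmanager.web.ssl.enabled`) and the visible lines carry no note on what replaces them for users upgrading an existing configuration. Wording nits: "between machines processes" and "endpoints refers".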

[jira] [Commented] (FLINK-10069) Add docs for updates SSL model

2018-08-06 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/FLINK-10069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16570695#comment-16570695
 ] 

ASF GitHub Bot commented on FLINK-10069:


StephanEwen opened a new pull request #6507:  [FLINK-10069] [docs] Update SSL 
docs to reflect internal vs. external communication
URL: https://github.com/apache/flink/pull/6507
 
 
   This pull request adds the documentation for the updated SSL setup. It 
explains internal and external connectivity, and discusses the configuration 
options.
   
   This also simplifies the described example setups a lot, which is now 
possible because we use dedicated certificates for internal connectivity. Those 
may be treated as a shared secret and thus need not match exact DNS names / IP 
addresses.
   
   The commits should be applied to the `1.6` and `master` branches.


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 


> Add docs for updates SSL model 
> ---
>
> Key: FLINK-10069
> URL: https://issues.apache.org/jira/browse/FLINK-10069
> Project: Flink
> Issue Type: New Feature
> Components: Documentation
> Reporter: Stephan Ewen
> Assignee: Stephan Ewen
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.6.0
>
>
> Add docs about the "internal" versus "external" connectivity and new 
> configuration options.


