Hi Jiahui,

using the yarn.container-start-command-template is indeed a good idea.

I was also wondering whether the Flink YARN client that submits the Flink
cluster to YARN has knowledge of the host where the ApplicationMaster gets
deployed to. But that doesn't seem to be the case.

On Wed, Nov 11, 2020 at 7:57 PM Jiahui Jiang <qzhzm173...@hotmail.com>
wrote:

> Since the issue right now is that we can't dynamically generate a keystore when
> the YARN application launches, but before the JobManager process starts, do
> you think the best short-term solution is to hack around
> `yarn.container-start-command-template` and have it execute a custom script
> that can generate the keystore, then start the JM process? Will that be
> allowed given the current Flink architecture?
>
> Thanks!
> ------------------------------
> *From:* Jiahui Jiang <qzhzm173...@hotmail.com>
> *Sent:* Wednesday, November 11, 2020 9:09 AM
> *To:* matth...@ververica.com <matth...@ververica.com>
> *Cc:* user@flink.apache.org <user@flink.apache.org>; aljos...@apache.org <
> aljos...@apache.org>
> *Subject:* Re: SSL setup for YARN deployment when hostnames are unknown.
>
> Hello Matthias,
>
> Thank you for the links! I did see the documentation and went through the
> source code. But unfortunately it looks like only a prebuilt keystore can be
> supported for YARN right now.
>
> In terms of dynamically loading security modules, the link you sent seems to
> be mainly for ZooKeeper's security? I checked the part of the code that sets up
> SSL for the REST server [1], and it doesn't look like the SslContext creation
> path is pluggable.
>
> [1]
> https://github.com/apache/flink/blob/be419e2560ef89683b7795c75eb08ae2337fefee/flink-runtime/src/main/java/org/apache/flink/runtime/rest/RestServerEndpointConfiguration.java#L160
> ------------------------------
> *From:* Matthias Pohl <matth...@ververica.com>
> *Sent:* Wednesday, November 11, 2020 3:58 AM
> *To:* Jiahui Jiang <qzhzm173...@hotmail.com>
> *Cc:* user@flink.apache.org <user@flink.apache.org>; aljos...@apache.org <
> aljos...@apache.org>
> *Subject:* Re: SSL setup for YARN deployment when hostnames are unknown.
>
> Hi Jiahui,
> thanks for reaching out to the mailing list. This is not something I have
> expertise in. But have you checked out the Flink SSL Setup documentation
> [1]? Maybe, you'd find some help there.
>
> Additionally, I did go through the code a bit: A SecurityContext is loaded
> during ClusterEntrypoint startup [2]. It supports dynamic loading of
> security modules. You might have to implement
> org.apache.flink.runtime.security.contexts.SecurityContextFactory and
> configure it in your flink-conf.yaml. Is this something that might help
> you? I'm adding Aljoscha to this thread as he worked on dynamically loading
> these modules recently.
>
> Best,
> Matthias
>
> [1]
> https://ci.apache.org/projects/flink/flink-docs-release-1.11/ops/security-ssl.html
> [2]
> https://github.com/apache/flink/blob/2c8631a4eb7a247ce8fb4205f838e8c0f8019367/flink-runtime/src/main/java/org/apache/flink/runtime/entrypoint/ClusterEntrypoint.java#L170
>
> On Wed, Nov 11, 2020 at 6:17 AM Jiahui Jiang <qzhzm173...@hotmail.com>
> wrote:
>
> Ping on this 🙂 Is there any way I can run a script or implement some
> interface to run before the Dispatcher service starts up to dynamically
> generate the keystore?
>
> Thank you!
> ------------------------------
> *From:* Jiahui Jiang <qzhzm173...@hotmail.com>
> *Sent:* Monday, November 9, 2020 3:19 PM
> *To:* user@flink.apache.org <user@flink.apache.org>
> *Subject:* SSL setup for YARN deployment when hostnames are unknown.
>
> Hello Flink!
>
> We are working on turning on REST SSL for YARN deployments. We built a
> generic orchestration server that can submit Flink clusters to any YARN
> cluster given the relevant Hadoop configs. But this means we may not know
> the hostname the Job Managers can be deployed onto, not even through wildcard
> DNS names
> <https://ci.apache.org/projects/flink/flink-docs-stable/ops/security-ssl.html#tips-for-yarn--mesos-deployment>
> as recommended in the documentation.
>
> I'm wondering whether there is any factory class I can implement that would
> allow me to generate a private key and import it into the JM's keystore at
> runtime?
> Or is there any other recommended way to handle the case where we don't
> know the potential JM hosts at all?
>
> Thank you!
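One way to realise the wrapper-script idea discussed in this thread, written here as an added example and not code from the thread or from the Flink project: a start script that creates a host-specific keystore in the container and then hands over to the JobManager command line, plus the flink-conf.yaml lines that wire it in. The script name, the FLINK_REST_KEYSTORE_PASSWORD variable and the rest.keystore path are assumptions; `%java% … %redirects%` are Flink's own placeholders for yarn.container-start-command-template.

```shell
#!/bin/sh
# gen-keystore-and-start.sh: wrapper placed in front of the JobManager command via
# yarn.container-start-command-template, so a host-specific keystore exists before
# the JVM starts. Assumed names (not from the thread): FLINK_REST_KEYSTORE_PASSWORD
# is passed into the container environment (e.g. via containerized.master.env.*)
# and must equal security.ssl.rest.keystore-password in flink-conf.yaml.
set -eu

# SubjectAlternativeName for keytool from the container's host and IP,
# e.g. "dns:nm-7.cluster.local,ip:10.0.0.5" (a function so it can be tested offline).
build_san() {
    host="$1"; ip="${2:-}"
    san="dns:${host}"
    [ -n "$ip" ] && san="${san},ip:${ip}"
    printf '%s' "$san"
}

# Create a short-lived self-signed RSA key pair bound to this host. Idempotent: an
# existing store (JM restart inside the same container) is left alone.
generate_keystore() {
    store="$1"; host="$2"; ip="${3:-}"
    [ -f "$store" ] && return 0
    umask 077                                   # readable by the JM user only
    keytool -genkeypair -alias flink.rest -keyalg RSA -keysize 2048 \
        -validity 30 -storetype PKCS12 -dname "CN=${host}" \
        -ext "SAN=$(build_san "$host" "$ip")" -keystore "$store" \
        -storepass:env FLINK_REST_KEYSTORE_PASSWORD \
        -keypass:env FLINK_REST_KEYSTORE_PASSWORD
}

# flink-conf.yaml lines that wire the wrapper in; %java% ... %redirects% are Flink's
# own template placeholders, the keystore path is relative to the container work dir.
flink_conf_fragment() {
    cat <<EOF
yarn.container-start-command-template: $1 %java% %jvmmem% %jvmopts% %logging% %class% %args% %redirects%
security.ssl.rest.enabled: true
security.ssl.rest.keystore: rest.keystore
security.ssl.rest.keystore-password: <same value as FLINK_REST_KEYSTORE_PASSWORD>
security.ssl.rest.key-password: <same value as FLINK_REST_KEYSTORE_PASSWORD>
EOF
}

# Only do real work when invoked with the JM command line (not when sourced by a test).
if [ $# -gt 0 ]; then
    generate_keystore rest.keystore "$(hostname -f)" "$(hostname -i 2>/dev/null | cut -d' ' -f1)"
    exec "$@"                                   # hand over to the JobManager JVM
fi
```

Because the certificate is self-signed per container, the submitting orchestrator still needs that certificate (or a pinned fingerprint) in its truststore, obtained out of band, before it can verify the REST endpoint; the thread does not cover that step.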