更新时间:2024-08-01 GMT+08:00
签发Flink证书样例
将该样例代码生成generate_keystore.sh脚本,放置在Flink客户端的bin目录下。
#!/bin/bash
# Generates a self-signed CA, a CA-signed Flink keystore and a truststore under
# the Flink client conf directory, then writes their locations (and, when SSL
# encryption of config values is off, their passwords) into flink-conf.yaml.
# Needs FLINK_HOME (checked in main) and JAVA_HOME (location of keytool).

# Tool and file locations derived from the environment.
KEYTOOL=${JAVA_HOME}/bin/keytool
KEYSTOREPATH="$FLINK_HOME/conf/"
CLIENT_CONF_YAML="$FLINK_HOME/conf/flink-conf.yaml"

# Parameters of the self-signed CA entry.
CA_ALIAS="ca"
CA_KEYSTORE_NAME="ca.keystore"
CA_DNAME="CN=Flink_CA"
CA_KEYALG="RSA"

# Kerberos principal read from flink-conf.yaml by main(); configureFlinkConf()
# derives the security.cookie value from it.
KEYTABPRINCEPAL=""
function getConf()
{
if [ $# -ne 2 ]; then
echo "invalid parameters for getConf"
exit 1
fi
confName="$1"
if [ -z "$confName" ]; then
echo "conf name is empty."
exit 2
fi
configFile=$FLINK_HOME/conf/client.properties
if [ ! -f $configFile ]; then
echo $configFile" is not exist."
exit 3
fi
defaultValue="$2"
cnt=$(grep $1 $configFile | wc -l)
if [ $cnt -gt 1 ]; then
echo $confName" has multi values in "$configFile
exit 4
elif [ $cnt -lt 1 ]; then
echo $defaultValue
else
line=$(grep $1 $configFile)
confValue=$(echo "${line#*=}")
echo "$confValue"
fi
}
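# Creates the self-signed CA that later signs the Flink server certificate.
# Arguments: $1 - directory receiving the generated files
#            $2 - keystore (store) password
#            $3 - CA private-key password
# Produces in $1: ca.keystore (CA key pair, basicConstraints ca:true, 10-year
# validity), ca.cer (exported CA certificate, DER) and flink.truststore
# (contains only ca.cer). Exits 1 on any keytool failure.
# Existing files are removed before regeneration, so a failure leaves the
# caller without the previous CA; main() validates the password up front for
# that reason. The CA private key stays on disk in $1/ca.keystore, protected
# by the same password as the server keystore.
# Passwords reach keytool via the environment (-storepass:env/-keypass:env)
# rather than argv, so they are not exposed through `ps` or /proc/*/cmdline.
function createSelfSignedCA()
{
  local keystorePath="${1:?keystore path is required}"
  local storepassValue="$2"
  local keypassValue="$3"
  local caKeystore="$keystorePath/$CA_KEYSTORE_NAME"
  local caCert="$keystorePath/ca.cer"
  local truststore="$keystorePath/flink.truststore"

  # CA key pair.
  rm -f -- "$caKeystore"
  if ! STOREPASS="$storepassValue" KEYPASS="$keypassValue" \
       "$KEYTOOL" -genkeypair -alias "$CA_ALIAS" -keystore "$caKeystore" \
         -dname "$CA_DNAME" -storepass:env STOREPASS -keypass:env KEYPASS \
         -validity 3650 -keyalg "$CA_KEYALG" -keysize 3072 -ext bc=ca:true; then
    echo "generate ca.keystore failed." >&2
    exit 1
  fi
  # The CA private key lives in this file; keep it owner-readable only.
  chmod 600 -- "$caKeystore"

  # Export the CA certificate for the truststore and the Flink keystore.
  rm -f -- "$caCert"
  if ! STOREPASS="$storepassValue" \
       "$KEYTOOL" -exportcert -keystore "$caKeystore" -storepass:env STOREPASS \
         -alias "$CA_ALIAS" -file "$caCert"; then
    echo "generate ca.cer failed." >&2
    exit 1
  fi

  # Truststore that trusts exactly this CA.
  rm -f -- "$truststore"
  if ! STOREPASS="$storepassValue" \
       "$KEYTOOL" -importcert -keystore "$truststore" -alias "$CA_ALIAS" \
         -storepass:env STOREPASS -noprompt -file "$caCert"; then
    echo "generate ca.truststore failed." >&2
    exit 1
  fi
}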
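# Generates the Flink server key pair and has it signed by the CA created by
# createSelfSignedCA(), producing flink.keystore (server key + CA-signed
# chain), flink.csr and flink.cer in the given directory.
# Arguments: $1 - directory holding ca.keystore/ca.cer, receives the output
#            $2 - keystore (store) password
#            $3 - private-key password; also used to unlock the CA key, which
#                 createSelfSignedCA() protected with the same value
# Reads via getConf() from client.properties: flink.keystore.rsa.alias,
# .validity, .keyalg, .dname and .ext (comma-separated SAN entries).
# Exits 1 when any lookup or keytool step fails.
# Passwords reach keytool via the environment (-storepass:env/-keypass:env)
# rather than argv, so they are not exposed through `ps` or /proc/*/cmdline.
function generateKeystore()
{
  local keystorePath="${1:?keystore path is required}"
  local storepassValue="$2"
  local keypassValue="$3"
  local aliasValue validityValue keyalgValue dnameValue sanConf

  # getConf runs in a subshell, so its exit status is the only reliable
  # failure signal; each lookup is checked instead of trusting the captured
  # text (which used to be the error message on failure).
  aliasValue=$(getConf "flink.keystore.rsa.alias" "flink") || exit 1
  validityValue=$(getConf "flink.keystore.rsa.validity" "3650") || exit 1
  keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA") || exit 1
  dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.huawei.com") || exit 1
  sanConf=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1") || exit 1

  # Build the keytool SAN list: trim each comma-separated entry, prefix bare
  # addresses with "ip:" and keep entries that already carry a SAN type.
  # The original prefixed unconditionally, turning its own default
  # "ip:127.0.0.1" into "ip:ip:127.0.0.1"; this form accepts either spelling.
  # Entries are read into an array (no word splitting/globbing on the values).
  local SANValue="" item
  local -a parts
  IFS=',' read -r -a parts <<< "$sanConf"
  for item in "${parts[@]}"; do
    item=$(printf '%s' "$item" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -n "$item" ] || continue
    case "$item" in
      [Ii][Pp]:*|[Dd][Nn][Ss]:*|[Ee][Mm][Aa][Ii][Ll]:*|[Uu][Rr][Ii]:*|[Oo][Ii][Dd]:*) ;;
      *) item="ip:$item" ;;
    esac
    SANValue="${SANValue:+$SANValue,}$item"
  done
  if [ -z "$SANValue" ]; then
    echo "flink.keystore.rsa.ext contains no usable SAN entry." >&2
    exit 1
  fi

  local keystore="$keystorePath/flink.keystore"
  local csr="$keystorePath/flink.csr"
  local cert="$keystorePath/flink.cer"
  local caKeystore="$keystorePath/$CA_KEYSTORE_NAME"
  local caCert="$keystorePath/ca.cer"

  # Server key pair. flink.keystore.rsa.validity is honoured here and when
  # signing; the original read it and then hard-coded 3650.
  rm -f -- "$keystore"
  if ! STOREPASS="$storepassValue" KEYPASS="$keypassValue" \
       "$KEYTOOL" -genkeypair -alias "$aliasValue" -keystore "$keystore" \
         -dname "$dnameValue" -ext "SAN=$SANValue" -storepass:env STOREPASS \
         -keypass:env KEYPASS -keyalg "$keyalgValue" -keysize 3072 \
         -validity "$validityValue"; then
    echo "generate flink.keystore failed." >&2
    exit 1
  fi
  # Holds the server private key; keep it owner-readable only.
  chmod 600 -- "$keystore"

  # Certificate signing request for the server key.
  rm -f -- "$csr"
  if ! STOREPASS="$storepassValue" KEYPASS="$keypassValue" \
       "$KEYTOOL" -certreq -keystore "$keystore" -storepass:env STOREPASS \
         -keypass:env KEYPASS -alias "$aliasValue" -file "$csr"; then
    echo "generate flink.csr failed." >&2
    exit 1
  fi

  # Sign the request with the CA. The SAN extension is passed again because
  # keytool -gencert takes extensions from -ext rather than from the request.
  rm -f -- "$cert"
  if ! STOREPASS="$storepassValue" KEYPASS="$keypassValue" \
       "$KEYTOOL" -gencert -keystore "$caKeystore" -storepass:env STOREPASS \
         -keypass:env KEYPASS -alias "$CA_ALIAS" -ext "SAN=$SANValue" \
         -infile "$csr" -outfile "$cert" -validity "$validityValue"; then
    echo "generate flink.cer failed." >&2
    exit 1
  fi

  # Import the CA certificate first so the signed certificate's chain can be
  # verified when it replaces the self-signed entry under $aliasValue.
  if ! STOREPASS="$storepassValue" \
       "$KEYTOOL" -importcert -keystore "$keystore" -storepass:env STOREPASS \
         -file "$caCert" -alias "$CA_ALIAS" -noprompt; then
    echo "import ca.cer into flink.keystore failed." >&2
    exit 1
  fi
  if ! STOREPASS="$storepassValue" KEYPASS="$keypassValue" \
       "$KEYTOOL" -importcert -keystore "$keystore" -storepass:env STOREPASS \
         -keypass:env KEYPASS -file "$cert" -alias "$aliasValue" -noprompt; then
    echo "import flink.cer into flink.keystore failed." >&2
    exit 1
  fi
}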
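# Sets "<key>: <value>" in $CLIENT_CONF_YAML, replacing the existing line for
# the key or appending one when the key is absent (the original sed silently
# did nothing in that case and still reported success).
# Arguments: $1 - config key; $2 - value (written verbatim)
# Returns:   0 on success, 1 if the rewrite fails (file left untouched)
# The key and value are passed to awk through the environment rather than
# interpolated into a sed/awk program, so '/', '&' and '\' in a password can
# neither break the expression nor be rewritten by it. The file is rewritten
# through `cat >` to keep its inode, owner and permissions.
function setYamlValue()
{
  local key="$1" value="$2" tmpFile
  tmpFile=$(mktemp) || return 1
  if ! YKEY="$key" YVALUE="$value" awk '
      BEGIN { k = ENVIRON["YKEY"]; v = ENVIRON["YVALUE"]; seen = 0 }
      {
        line = $0
        sub(/^[[:space:]]+/, "", line)
        if (substr(line, 1, length(k) + 1) == k ":") {
          print k ": " v
          seen = 1
        } else {
          print
        }
      }
      END { if (!seen) print k ": " v }
    ' "$CLIENT_CONF_YAML" > "$tmpFile"; then
    rm -f -- "$tmpFile"
    return 1
  fi
  if ! cat -- "$tmpFile" > "$CLIENT_CONF_YAML"; then
    rm -f -- "$tmpFile"
    return 1
  fi
  rm -f -- "$tmpFile"
  return 0
}

# Writes the generated keystore/truststore locations, their passwords and the
# security.cookie into $CLIENT_CONF_YAML.
# Arguments: $1 - directory holding flink.keystore and flink.truststore
#            $2 - keystore/truststore password
#            $3 - private-key password
# The original ignored its arguments and read main()'s globals of the same
# names; those globals remain the fallback so existing callers are unaffected.
# Passwords are only written when security.ssl.encrypt.enabled is "false";
# otherwise the user must enter the encrypted values by hand.
# Returns 0 on success, 1 if any update fails; a missing yaml file is a no-op.
function configureFlinkConf()
{
  local confDir="${1:-$keystorePath}"
  local confStorePass="${2:-$storePass}"
  local confKeyPass="${3:-$keyPass}"
  local sslEncryptEnabled cookie

  if [ ! -f "$CLIENT_CONF_YAML" ]; then
    return 0
  fi

  sslEncryptEnabled=$(grep "^[[:space:]]*security.ssl.encrypt.enabled:" "$CLIENT_CONF_YAML" | awk '{print $2}')
  if [ "$sslEncryptEnabled" = "false" ]; then
    if ! setYamlValue "security.ssl.key-password" "$confKeyPass"; then
      echo "set security.ssl.key-password failed." >&2
      return 1
    fi
    if ! setYamlValue "security.ssl.keystore-password" "$confStorePass"; then
      echo "set security.ssl.keystore-password failed." >&2
      return 1
    fi
    if ! setYamlValue "security.ssl.truststore-password" "$confStorePass"; then
      echo "set security.ssl.truststore-password failed." >&2
      return 1
    fi
    echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success."
  else
    # Also reached when the key is missing from the file.
    echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml."
  fi

  if ! setYamlValue "security.ssl.keystore" "${confDir}/flink.keystore"; then
    echo "set security.ssl.keystore failed." >&2
    return 1
  fi
  if ! setYamlValue "security.ssl.truststore" "${confDir}/flink.truststore"; then
    echo "set security.ssl.truststore failed." >&2
    return 1
  fi

  # NOTE(review): the cookie is a deterministic hash of the Kerberos principal
  # name (not a secret) and the fallback is a timestamp, so anyone who knows
  # the principal can reproduce it. If security.cookie is meant to act as a
  # shared secret, random bytes (e.g. from /dev/urandom) would be the safer
  # source; kept as-is so re-runs yield the same value as before.
  if command -v sha256sum >/dev/null 2>&1; then
    cookie="$(echo "${KEYTABPRINCEPAL}" | sha256sum | awk '{print $1}')"
  else
    echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N."
    cookie=$(date +%F-%H-%M-%s-%N)
  fi
  if ! setYamlValue "security.cookie" "$cookie"; then
    echo "set security.cookie failed." >&2
    return 1
  fi
  return 0
}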
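# Entry point: prompts for the password, generates the CA and the Flink
# keystore/truststore under $KEYSTOREPATH, then updates flink-conf.yaml.
# Arguments: none are used; the password is read from the terminal (not argv),
#            so it does not land in shell history or `ps` output.
# Exits 1 when FLINK_HOME, keytool, flink-conf.yaml or the Kerberos principal
# is missing, when the password is too short, or when any step fails.
main()
{
  if [ -z "${FLINK_HOME+x}" ]; then
    echo "error: environment variables are not set." >&2
    exit 1
  fi
  # KEYTOOL is derived from JAVA_HOME at the top of the script; fail here
  # rather than after the existing keystores have already been deleted.
  if [ ! -x "$KEYTOOL" ]; then
    echo "error: keytool not found at $KEYTOOL, check JAVA_HOME." >&2
    exit 1
  fi
  if [ ! -f "$CLIENT_CONF_YAML" ]; then
    echo "error: $CLIENT_CONF_YAML does not exist." >&2
    exit 1
  fi

  # read -s disables echo only for the read itself and restores it even if
  # the read is interrupted, unlike the stty -echo / stty echo pair, which
  # left the terminal without echo on Ctrl-C.
  local password
  read -rsp "Enter password:" password
  echo
  # keytool rejects passwords shorter than 6 characters; checking up front
  # avoids removing ca.keystore/flink.keystore and then failing.
  if [ "${#password}" -lt 6 ]; then
    echo "error: password must be at least 6 characters." >&2
    exit 1
  fi

  KEYTABPRINCEPAL=$(grep "^[[:space:]]*security.kerberos.login.principal:" "$CLIENT_CONF_YAML" | awk '{print $2}')
  if [ -z "$KEYTABPRINCEPAL" ]; then
    echo "please config security.kerberos.login.principal info first." >&2
    exit 1
  fi

  # Globals: configureFlinkConf() may read these by name as a fallback.
  keystorePath="$KEYSTOREPATH"
  storePass="$password"
  keyPass="$password"

  # Self-signed CA (ca.keystore, ca.cer, flink.truststore).
  if ! createSelfSignedCA "$keystorePath" "$storePass" "$keyPass"; then
    echo "create self signed ca failed." >&2
    exit 1
  fi
  # CA-signed server keystore (flink.keystore).
  if ! generateKeystore "$keystorePath" "$storePass" "$keyPass"; then
    echo "create keystore failed." >&2
    exit 1
  fi
  echo "generate keystore/truststore success."

  if ! configureFlinkConf "$keystorePath" "$storePass" "$keyPass"; then
    echo "configure Flink failed." >&2
    exit 1
  fi
  return 0
}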
# Script entry: hand the command line to main() and terminate successfully
# (main exits non-zero itself on any failure).
main "$@"
exit 0
执行命令“sh generate_keystore.sh”即可。脚本会提示“Enter password:”并以不回显方式读取密码，<password>由用户自定义输入；样例脚本不从命令行参数读取密码。脚本声明为“#!/bin/bash”且使用了bash特有语法（function、read -p），若系统的sh并非bash，请改用“bash generate_keystore.sh”执行。
- 样例脚本从提示符读取密码，输入的“$”等特殊字符不会被shell展开。若改为在命令行中传入密码（“sh generate_keystore.sh 'password'”），应使用单引号以防止“$”被转义；命令中携带认证密码信息可能存在安全风险（密码会出现在history及进程参数中），在执行命令前建议关闭系统的history命令记录功能，避免信息泄露。
- 密码不允许包含“#”。此外，样例脚本通过sed（以“/”为分隔符）将密码写入flink-conf.yaml，密码中若包含“/”“&”或“\”会导致写入失败或内容被改写，也应避免使用。
- 使用该generate_keystore.sh脚本前需要在客户端目录下执行source bigdata_env。
- 使用该generate_keystore.sh脚本会自动将security.ssl.keystore、security.ssl.truststore的绝对路径填写到flink-conf.yaml中,所以需要用户根据实际情况手动修改为相对路径。例如:
- 将security.ssl.keystore: /opt/client/Flink/flink/conf//flink.keystore修改为security.ssl.keystore: ssl/flink.keystore;
- 将security.ssl.truststore: /opt/client/Flink/flink/conf//flink.truststore修改为security.ssl.truststore: ssl/flink.truststore;
- 需要在Flink客户端环境中任意目录下创建ssl文件夹,如在“/opt/client/Flink/flink/conf/”目录下新建目录ssl,将flink.keystore、flink.truststore文件放入ssl文件夹中;
- 执行yarn-session或者flink run -m yarn-cluster命令时需要在ssl文件夹同级目录下执行:yarn-session.sh -t ssl -d 或者 flink run -m yarn-cluster -yt ssl -d WordCount.jar 。