Example of Issuing a Certificate
Generate the generate_keystore.sh script based on the sample code and save the script to the bin directory on the Flink client.
#!/bin/bash KEYTOOL=${JAVA_HOME}/bin/keytool KEYSTOREPATH="$FLINK_HOME/conf/" CA_ALIAS="ca" CA_KEYSTORE_NAME="ca.keystore" CA_DNAME="CN=Flink_CA" CA_KEYALG="RSA" CLIENT_CONF_YAML="$FLINK_HOME/conf/flink-conf.yaml" KEYTABPRINCEPAL="" function getConf() { if [ $# -ne 2 ]; then echo "invalid parameters for getConf" exit 1 fi confName="$1" if [ -z "$confName" ]; then echo "conf name is empty." exit 2 fi configFile=$FLINK_HOME/conf/client.properties if [ ! -f $configFile ]; then echo $configFile" is not exist." exit 3 fi defaultValue="$2" cnt=$(grep $1 $configFile | wc -l) if [ $cnt -gt 1 ]; then echo $confName" has multi values in "$configFile exit 4 elif [ $cnt -lt 1 ]; then echo $defaultValue else line=$(grep $1 $configFile) confValue=$(echo "${line#*=}") echo "$confValue" fi } function createSelfSignedCA() { #varible from user input keystorePath=$1 storepassValue=$2 keypassValue=$3 #generate ca keystore rm -rf $keystorePath/$CA_KEYSTORE_NAME $KEYTOOL -genkeypair -alias $CA_ALIAS -keystore $keystorePath/$CA_KEYSTORE_NAME -dname $CA_DNAME -storepass $storepassValue -keypass $keypassValue -validity 3650 -keyalg $CA_KEYALG -keysize 3072 -ext bc=ca:true if [ $? -ne 0 ]; then echo "generate ca.keystore failed." exit 1 fi #generate ca.cer rm -rf "$keystorePath/ca.cer" $KEYTOOL -keystore "$keystorePath/$CA_KEYSTORE_NAME" -storepass "$storepassValue" -alias $CA_ALIAS -validity 3650 -exportcert > "$keystorePath/ca.cer" if [ $? -ne 0 ]; then echo "generate ca.cer failed." exit 1 fi #generate ca.truststore rm -rf "$keystorePath/flink.truststore" $KEYTOOL -importcert -keystore "$keystorePath/flink.truststore" -alias $CA_ALIAS -storepass "$storepassValue" -noprompt -file "$keystorePath/ca.cer" if [ $? -ne 0 ]; then echo "generate ca.truststore failed." exit 1 fi } function generateKeystore() { #get path/pass from input keystorePath=$1 storepassValue=$2 keypassValue=$3 #get value from conf aliasValue=$(getConf "flink.keystore.rsa.alias" "flink") validityValue=$(getConf "flink.keystore.rsa.validity" "3650") keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA") dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.com") SANValue=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1") SANValue=$(echo "$SANValue" | xargs) SANValue="ip:$(echo "$SANValue"| sed 's/,/,ip:/g')" #generate keystore rm -rf $keystorePath/flink.keystore $KEYTOOL -genkeypair -alias $aliasValue -keystore $keystorePath/flink.keystore -dname $dnameValue -ext SAN=$SANValue -storepass $storepassValue -keypass $keypassValue -keyalg $keyalgValue -keysize 3072 -validity 3650 if [ $? -ne 0 ]; then echo "generate flink.keystore failed." exit 1 fi #generate cer rm -rf $keystorePath/flink.csr $KEYTOOL -certreq -keystore $keystorePath/flink.keystore -storepass $storepassValue -alias $aliasValue -file $keystorePath/flink.csr if [ $? -ne 0 ]; then echo "generate flink.csr failed." exit 1 fi #generate flink.cer rm -rf $keystorePath/flink.cer $KEYTOOL -gencert -keystore $keystorePath/ca.keystore -storepass $storepassValue -alias $CA_ALIAS -ext SAN=$SANValue -infile $keystorePath/flink.csr -outfile $keystorePath/flink.cer -validity 3650 if [ $? -ne 0 ]; then echo "generate flink.cer failed." exit 1 fi #import cer into keystore $KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/ca.cer -alias $CA_ALIAS -noprompt if [ $? -ne 0 ]; then echo "importcert ca." exit 1 fi $KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/flink.cer -alias $aliasValue -noprompt; if [ $? -ne 0 ]; then echo "generate flink.truststore failed." exit 1 fi } function configureFlinkConf() { # set config if [ -f "$CLIENT_CONF_YAML" ]; then SSL_ENCRYPT_ENABLED=$(grep "security.ssl.encrypt.enabled" "$CLIENT_CONF_YAML" | awk '{print $2}') if [ "$SSL_ENCRYPT_ENABLED" = "false" ];then sed -i s/"security.ssl.key-password:".*/"security.ssl.key-password:"\ "${keyPass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.key-password failed." return 1 fi sed -i s/"security.ssl.keystore-password:".*/"security.ssl.keystore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore-password failed." return 1 fi sed -i s/"security.ssl.truststore-password:".*/"security.ssl.truststore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore-password failed." return 1 fi echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success." else echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml." fi keystoreFilePath="${keystorePath}"/flink.keystore sed -i 's#'"security.ssl.keystore:".*'#'"security.ssl.keystore:"\ "$keystoreFilePath"'#g' "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore failed." return 1 fi truststoreFilePath="${keystorePath}/flink.truststore" sed -i 's#'"security.ssl.truststore:".*'#'"security.ssl.truststore:"\ "$truststoreFilePath"'#g' "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.truststore failed." return 1 fi command -v sha256sum >/dev/null if [ $? -ne 0 ];then echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N." cookie=$(date +%F-%H-%M-%s-%N) else cookie="$(echo "${KEYTABPRINCEPAL}"| sha256sum | awk '{print $1}')" fi sed -i s/"security.cookie:".*/"security.cookie:"\ "${cookie}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.cookie failed." return 1 fi fi return 0; } main() { #check environment variable is set or not if [ -z ${FLINK_HOME+x} ]; then echo "errro: environment variables are not set." exit 1 fi stty -echo read -rp "Enter password:" password stty echo echo KEYTABPRINCEPAL=$(grep "security.kerberos.login.principal" "$CLIENT_CONF_YAML" | awk '{print $2}') if [ -z "$KEYTABPRINCEPAL" ];then echo "please config security.kerberos.login.principal info first." exit 1 fi #get input keystorePath="$KEYSTOREPATH" storePass="$password" keyPass="$password" #generate self signed CA createSelfSignedCA "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "create self signed ca failed." exit 1 fi #generate keystore generateKeystore "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "create keystore failed." exit 1 fi echo "generate keystore/truststore success." # set flink config configureFlinkConf "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "configure Flink failed." exit 1 fi return 0; } #the start main main "$@" exit 0
Run the sh generate_keystore.sh <password> command. <password> is user-defined.
- If <password> contains the special character $, use the following method to avoid the password being escaped: sh generate_keystore.sh 'Bigdata_2013'.
- The password cannot contain #.
- Before using the generate_keystore.sh script, run the source bigdata_env command in the client directory.
- When the generate_keystore.sh script is used, the absolute paths of security.ssl.keystore and security.ssl.truststore are automatically filled in flink-conf.yaml. Therefore, you need to manually change the paths to relative paths as required. Example:
- Change /opt/client/Flink/flink/conf//flink.keystore to security.ssl.keystore: ssl/flink.keystore.
- Change /opt/client/Flink/flink/conf//flink.truststore to security.ssl.truststore: ssl/flink.truststore.
- Create the ssl folder in any directory on the Flink client. For example, create the ssl folder in the /opt/client/Flink/flink/conf/ directory and save the flink.keystore and flink.truststore files to the ssl folder.
- When you run the yarn-session or flink run -m yarn-cluster command, run the yarn-session.sh -t ssl -d or flink run -m yarn-cluster -yt ssl -d WordCount.jar command in the same directory as the ssl folder.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.