Example of Issuing a Certificate
Updated on 2024-10-08 GMT+08:00
Example of Issuing a Certificate
Create the generate_keystore.sh script from the following sample code and save it in the bin directory of the Flink client.
#!/bin/bash
# Generates a self-signed CA plus a Flink keystore/truststore and writes the
# resulting paths, passwords and a security.cookie into the Flink client's
# flink-conf.yaml.  FLINK_HOME and JAVA_HOME must already be set (the client
# environment script "bigdata_env" provides them).

# keytool binary of the JDK referenced by JAVA_HOME
KEYTOOL="${JAVA_HOME}/bin/keytool"
# directory that receives every keystore/certificate (note the trailing slash)
KEYSTOREPATH="${FLINK_HOME}/conf/"
# client configuration that gets patched with the generated material
CLIENT_CONF_YAML="${FLINK_HOME}/conf/flink-conf.yaml"

# parameters of the self-signed CA
CA_ALIAS="ca"
CA_KEYSTORE_NAME="ca.keystore"
CA_DNAME="CN=Flink_CA"
CA_KEYALG="RSA"

# Kerberos principal taken from flink-conf.yaml; filled in by main()
KEYTABPRINCEPAL=""
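#######################################
# Reads a single key from $FLINK_HOME/conf/client.properties.
# Globals:   FLINK_HOME (read)
# Arguments: $1 - configuration key (matched as a literal substring of a line)
#            $2 - default value printed when the key is absent
# Outputs:   the text after the first "=" of the matching line, or the
#            default, on stdout.  Diagnostics go to stderr so that a caller
#            using $(getConf ...) never captures an error message as a value.
# Exits:     1 wrong argument count, 2 empty key, 3 missing file,
#            4 key matches more than one line.  Callers run this inside a
#            command substitution, where exit only ends the subshell; check
#            the status (value=$(getConf key default) || exit 1).
#######################################
function getConf()
{
  local confName defaultValue configFile cnt line
  if [ $# -ne 2 ]; then
    echo "invalid parameters for getConf" >&2
    exit 1
  fi
  confName="$1"
  if [ -z "$confName" ]; then
    echo "conf name is empty." >&2
    exit 2
  fi
  configFile="$FLINK_HOME/conf/client.properties"
  if [ ! -f "$configFile" ]; then
    echo "$configFile is not exist." >&2
    exit 3
  fi
  defaultValue="$2"
  # -F: the key is a literal, so its dots are not regex wildcards;
  # "--" protects a key that starts with "-"; -c counts matching lines.
  cnt=$(grep -c -F -- "$confName" "$configFile")
  if [ "$cnt" -gt 1 ]; then
    echo "$confName has multi values in $configFile" >&2
    exit 4
  elif [ "$cnt" -lt 1 ]; then
    echo "$defaultValue"
  else
    line=$(grep -F -- "$confName" "$configFile")
    # the value is everything after the first "="
    echo "${line#*=}"
  fi
}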
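#######################################
# Creates the self-signed CA: ca.keystore (CA key pair), ca.cer (exported
# CA certificate) and flink.truststore (a truststore containing ca.cer).
# Globals:   KEYTOOL, CA_ALIAS, CA_KEYSTORE_NAME, CA_DNAME, CA_KEYALG (read)
# Arguments: $1 - directory that receives the generated files
#            $2 - keystore password
#            $3 - private-key password
# Exits:     1 when any keytool step fails
#######################################
function createSelfSignedCA()
{
  # variables from user input
  local keystorePath=$1
  local storepassValue=$2
  local keypassValue=$3
  local caKeystore="$keystorePath/$CA_KEYSTORE_NAME"

  # NOTE(review): the passwords are passed on the keytool command line and are
  # visible to other local users via `ps` while keytool runs; keytool can also
  # read them from the environment (-storepass:env / -keypass:env).

  # generate ca keystore (a previous one is replaced)
  rm -rf -- "$caKeystore"
  if ! "$KEYTOOL" -genkeypair -alias "$CA_ALIAS" -keystore "$caKeystore" \
      -dname "$CA_DNAME" -storepass "$storepassValue" -keypass "$keypassValue" \
      -validity 3650 -keyalg "$CA_KEYALG" -keysize 3072 -ext bc=ca:true; then
    echo "generate ca.keystore failed."
    exit 1
  fi

  # generate ca.cer (keytool writes the certificate to stdout)
  rm -rf -- "$keystorePath/ca.cer"
  if ! "$KEYTOOL" -keystore "$caKeystore" -storepass "$storepassValue" \
      -alias "$CA_ALIAS" -validity 3650 -exportcert > "$keystorePath/ca.cer"; then
    echo "generate ca.cer failed."
    exit 1
  fi

  # generate flink.truststore holding only the CA certificate
  rm -rf -- "$keystorePath/flink.truststore"
  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.truststore" \
      -alias "$CA_ALIAS" -storepass "$storepassValue" -noprompt \
      -file "$keystorePath/ca.cer"; then
    echo "generate ca.truststore failed."
    exit 1
  fi
}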
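#######################################
# Generates the Flink server keystore: creates flink.keystore with a key
# pair, writes a CSR, signs it with the CA key in ca.keystore and imports
# the CA certificate plus the signed certificate back into flink.keystore.
# Globals:   KEYTOOL, CA_ALIAS, CA_KEYSTORE_NAME (read); FLINK_HOME via getConf
# Arguments: $1 - directory holding ca.keystore/ca.cer; receives
#                 flink.keystore, flink.csr and flink.cer
#            $2 - keystore password (also used to open ca.keystore)
#            $3 - private-key password
# Exits:     1 when reading the configuration or any keytool step fails
#######################################
function generateKeystore()
{
  # get path/pass from input
  local keystorePath=$1
  local storepassValue=$2
  local keypassValue=$3
  local aliasValue validityValue keyalgValue dnameValue SANValue

  # get value from conf.  getConf runs in a subshell here, so its exit cannot
  # stop this function; check the status instead of silently continuing with
  # an error message as the value.
  aliasValue=$(getConf "flink.keystore.rsa.alias" "flink") || exit 1
  validityValue=$(getConf "flink.keystore.rsa.validity" "3650") || exit 1
  keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA") || exit 1
  dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.huawei.com") || exit 1
  SANValue=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1") || exit 1

  # The configured value is a comma-separated list of IP addresses.  Strip
  # all whitespace (a space after a comma would otherwise split the -ext
  # argument), drop any "ip:" prefix that is already present (the default
  # value carries one), then prefix every entry with "ip:".
  SANValue=${SANValue//[[:space:]]/}
  SANValue=${SANValue//ip:/}
  SANValue="ip:${SANValue//,/,ip:}"

  # generate keystore; flink.keystore.rsa.validity is honoured rather than a
  # fixed 3650 days
  rm -rf -- "$keystorePath/flink.keystore"
  if ! "$KEYTOOL" -genkeypair -alias "$aliasValue" -keystore "$keystorePath/flink.keystore" \
      -dname "$dnameValue" -ext "SAN=$SANValue" -storepass "$storepassValue" \
      -keypass "$keypassValue" -keyalg "$keyalgValue" -keysize 3072 \
      -validity "$validityValue"; then
    echo "generate flink.keystore failed."
    exit 1
  fi

  # generate the certificate signing request
  rm -rf -- "$keystorePath/flink.csr"
  if ! "$KEYTOOL" -certreq -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -alias "$aliasValue" -file "$keystorePath/flink.csr"; then
    echo "generate flink.csr failed."
    exit 1
  fi

  # sign the CSR with the CA key -> flink.cer
  rm -rf -- "$keystorePath/flink.cer"
  if ! "$KEYTOOL" -gencert -keystore "$keystorePath/$CA_KEYSTORE_NAME" \
      -storepass "$storepassValue" -alias "$CA_ALIAS" -ext "SAN=$SANValue" \
      -infile "$keystorePath/flink.csr" -outfile "$keystorePath/flink.cer" \
      -validity "$validityValue"; then
    echo "generate flink.cer failed."
    exit 1
  fi

  # import the CA certificate, then the signed certificate (which replaces
  # the self-signed entry under the same alias), into flink.keystore
  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -file "$keystorePath/ca.cer" \
      -alias "$CA_ALIAS" -noprompt; then
    echo "import ca.cer into flink.keystore failed."
    exit 1
  fi
  if ! "$KEYTOOL" -importcert -keystore "$keystorePath/flink.keystore" \
      -storepass "$storepassValue" -file "$keystorePath/flink.cer" \
      -alias "$aliasValue" -noprompt; then
    echo "import flink.cer into flink.keystore failed."
    exit 1
  fi
}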
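#######################################
# Rewrites every line of file $3 that contains key $1 so that it reads
# "<text before the key><key> <value>" -- the same line shape the script
# always produced -- without passing the value through a sed expression,
# where a password containing "/", "&" or "\" would corrupt the result.
# Arguments: $1 - key, e.g. "security.ssl.keystore:"
#            $2 - value written after the key
#            $3 - file to update in place
# Returns:   0 on success, 1 if the file could not be rewritten
#######################################
function setConfValue()
{
  local key=$1 value=$2 file=$3
  local tmpFile line
  tmpFile=$(mktemp "${file}.XXXXXX") || return 1
  # "|| [ -n "$line" ]" keeps a last line that has no trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"$key"*) line="${line%%"$key"*}$key $value" ;;
    esac
    printf '%s\n' "$line"
  done < "$file" > "$tmpFile" || { rm -f -- "$tmpFile"; return 1; }
  # copy back instead of renaming so the file keeps its inode and mode
  cat -- "$tmpFile" > "$file" || { rm -f -- "$tmpFile"; return 1; }
  rm -f -- "$tmpFile"
}

#######################################
# Writes the generated keystore/truststore paths, their passwords and a
# security.cookie into flink-conf.yaml.  Does nothing if the file is absent.
# Globals:   CLIENT_CONF_YAML, KEYTABPRINCEPAL (read);
#            keystorePath, storePass, keyPass (read only as fallbacks when
#            the corresponding argument is empty)
# Arguments: $1 - directory holding flink.keystore / flink.truststore
#            $2 - keystore and truststore password
#            $3 - private-key password
# Returns:   0 on success or when the file is absent, 1 when an update fails
#######################################
function configureFlinkConf()
{
  # prefer the arguments main() passes; fall back to the globals main() sets
  local ksPath=${1:-$keystorePath}
  local storePw=${2:-$storePass}
  local keyPw=${3:-$keyPass}
  local sslEncryptEnabled cookie

  # set config
  if [ -f "$CLIENT_CONF_YAML" ]; then
    sslEncryptEnabled=$(grep "security.ssl.encrypt.enabled" "$CLIENT_CONF_YAML" | awk '{print $2}')
    if [ "$sslEncryptEnabled" = "false" ]; then
      if ! setConfValue "security.ssl.key-password:" "$keyPw" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.key-password failed."
        return 1
      fi
      if ! setConfValue "security.ssl.keystore-password:" "$storePw" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.keystore-password failed."
        return 1
      fi
      if ! setConfValue "security.ssl.truststore-password:" "$storePw" "$CLIENT_CONF_YAML"; then
        echo "set security.ssl.truststore-password failed."
        return 1
      fi
      echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success."
    else
      echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml."
    fi

    if ! setConfValue "security.ssl.keystore:" "$ksPath/flink.keystore" "$CLIENT_CONF_YAML"; then
      echo "set security.ssl.keystore failed."
      return 1
    fi
    if ! setConfValue "security.ssl.truststore:" "$ksPath/flink.truststore" "$CLIENT_CONF_YAML"; then
      echo "set security.ssl.truststore failed."
      return 1
    fi

    # security.cookie: sha256 of the Kerberos principal when sha256sum is
    # available, otherwise a timestamp.
    # NOTE(review): the principal name is not a secret, so a cookie derived
    # from it alone is predictable by anyone who knows the principal; treat
    # it as an identifier rather than a strong shared secret.
    if ! command -v sha256sum >/dev/null; then
      echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N."
      cookie=$(date +%F-%H-%M-%s-%N)
    else
      cookie="$(printf '%s\n' "${KEYTABPRINCEPAL}" | sha256sum | awk '{print $1}')"
    fi
    if ! setConfValue "security.cookie:" "$cookie" "$CLIENT_CONF_YAML"; then
      echo "set security.cookie failed."
      return 1
    fi
  fi
  return 0
}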
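#######################################
# Entry point: prompts for the password, reads the Kerberos principal from
# flink-conf.yaml, then creates the CA, the keystore/truststore and patches
# the client configuration.
# Globals:   FLINK_HOME, KEYSTOREPATH, CLIENT_CONF_YAML (read);
#            KEYTABPRINCEPAL, keystorePath, storePass, keyPass (written --
#            kept global because configureFlinkConf may read them)
# Arguments: none are used; the password is always read from the terminal
#            so that it does not land in argv or the shell history.
# Exits:     1 on any failure; returns 0 on success
#######################################
main()
{
  local password
  # check environment variable is set or not
  if [ -z "${FLINK_HOME+x}" ]; then
    echo "error: environment variables are not set."
    exit 1
  fi
  if [ ! -f "$CLIENT_CONF_YAML" ]; then
    echo "$CLIENT_CONF_YAML is not exist."
    exit 1
  fi

  # -s suppresses echo for the duration of the read, so terminal echo is
  # never left disabled when the script is interrupted while waiting
  read -rs -p "Enter password:" password
  echo
  if [ -z "$password" ]; then
    echo "password is empty."
    exit 1
  fi

  KEYTABPRINCEPAL=$(grep "security.kerberos.login.principal" "$CLIENT_CONF_YAML" | awk '{print $2}')
  if [ -z "$KEYTABPRINCEPAL" ]; then
    echo "please config security.kerberos.login.principal info first."
    exit 1
  fi

  # get input (same password for keystore and private key)
  keystorePath="$KEYSTOREPATH"
  storePass="$password"
  keyPass="$password"

  # generate self signed CA
  if ! createSelfSignedCA "$keystorePath" "$storePass" "$keyPass"; then
    echo "create self signed ca failed."
    exit 1
  fi

  # generate keystore
  if ! generateKeystore "$keystorePath" "$storePass" "$keyPass"; then
    echo "create keystore failed."
    exit 1
  fi
  echo "generate keystore/truststore success."

  # set flink config
  if ! configureFlinkConf "$keystorePath" "$storePass" "$keyPass"; then
    echo "configure Flink failed."
    exit 1
  fi
  return 0
}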
#the start main
# main exits non-zero itself on any failure, so control only reaches the
# final "exit 0" after a successful run.
main "$@"
exit 0
Run the sh generate_keystore.sh <password> command. <password> is user-defined.
- If <password> contains the special character $, enclose it in single quotes so that the shell does not expand it, for example: sh generate_keystore.sh 'Bigdata_2013'. Including the authentication password in a command can be a security risk, so you are advised to disable the command recording function (history) before running the command.
- The password cannot contain #.
- Before using the generate_keystore.sh script, run the source bigdata_env command in the client directory.
- When the generate_keystore.sh script is used, the absolute paths of security.ssl.keystore and security.ssl.truststore are automatically filled in flink-conf.yaml. Therefore, you need to manually change the paths to relative paths as required. Example:
- Change /opt/client/Flink/flink/conf//flink.keystore to security.ssl.keystore: ssl/flink.keystore.
- Change /opt/client/Flink/flink/conf//flink.truststore to security.ssl.truststore: ssl/flink.truststore.
- Create the ssl folder in any directory on the Flink client. For example, create the ssl folder in the /opt/client/Flink/flink/conf/ directory and save the flink.keystore and flink.truststore files to the ssl folder.
- When you run the yarn-session or flink run -m yarn-cluster command, run the yarn-session.sh -t ssl -d or flink run -m yarn-cluster -yt ssl -d WordCount.jar command in the same directory as the ssl folder.