更新时间:2024-08-16 GMT+08:00
签发Flink证书样例
将该样例代码生成generate_keystore.sh脚本,放置在Flink客户端的bin目录下。
#!/bin/bash KEYTOOL=${JAVA_HOME}/bin/keytool KEYSTOREPATH="$FLINK_HOME/conf/" CA_ALIAS="ca" CA_KEYSTORE_NAME="ca.keystore" CA_DNAME="CN=Flink_CA" CA_KEYALG="RSA" CLIENT_CONF_YAML="$FLINK_HOME/conf/flink-conf.yaml" KEYTABPRINCEPAL="" function getConf() { if [ $# -ne 2 ]; then echo "invalid parameters for getConf" exit 1 fi confName="$1" if [ -z "$confName" ]; then echo "conf name is empty." exit 2 fi configFile=$FLINK_HOME/conf/client.properties if [ ! -f $configFile ]; then echo $configFile" is not exist." exit 3 fi defaultValue="$2" cnt=$(grep $1 $configFile | wc -l) if [ $cnt -gt 1 ]; then echo $confName" has multi values in "$configFile exit 4 elif [ $cnt -lt 1 ]; then echo $defaultValue else line=$(grep $1 $configFile) confValue=$(echo "${line#*=}") echo "$confValue" fi } function createSelfSignedCA() { #varible from user input keystorePath=$1 storepassValue=$2 keypassValue=$3 #generate ca keystore rm -rf $keystorePath/$CA_KEYSTORE_NAME $KEYTOOL -genkeypair -alias $CA_ALIAS -keystore $keystorePath/$CA_KEYSTORE_NAME -dname $CA_DNAME -storepass $storepassValue -keypass $keypassValue -validity 3650 -keyalg $CA_KEYALG -keysize 3072 -ext bc=ca:true if [ $? -ne 0 ]; then echo "generate ca.keystore failed." exit 1 fi #generate ca.cer rm -rf "$keystorePath/ca.cer" $KEYTOOL -keystore "$keystorePath/$CA_KEYSTORE_NAME" -storepass "$storepassValue" -alias $CA_ALIAS -validity 3650 -exportcert > "$keystorePath/ca.cer" if [ $? -ne 0 ]; then echo "generate ca.cer failed." exit 1 fi #generate ca.truststore rm -rf "$keystorePath/flink.truststore" $KEYTOOL -importcert -keystore "$keystorePath/flink.truststore" -alias $CA_ALIAS -storepass "$storepassValue" -noprompt -file "$keystorePath/ca.cer" if [ $? -ne 0 ]; then echo "generate ca.truststore failed." exit 1 fi } function generateKeystore() { #get path/pass from input keystorePath=$1 storepassValue=$2 keypassValue=$3 #get value from conf aliasValue=$(getConf "flink.keystore.rsa.alias" "flink") validityValue=$(getConf "flink.keystore.rsa.validity" "3650") keyalgValue=$(getConf "flink.keystore.rsa.keyalg" "RSA") dnameValue=$(getConf "flink.keystore.rsa.dname" "CN=flink.huawei.com") SANValue=$(getConf "flink.keystore.rsa.ext" "ip:127.0.0.1") SANValue=$(echo "$SANValue" | xargs) SANValue="ip:$(echo "$SANValue"| sed 's/,/,ip:/g')" #generate keystore rm -rf $keystorePath/flink.keystore $KEYTOOL -genkeypair -alias $aliasValue -keystore $keystorePath/flink.keystore -dname $dnameValue -ext SAN=$SANValue -storepass $storepassValue -keypass $keypassValue -keyalg $keyalgValue -keysize 3072 -validity 3650 if [ $? -ne 0 ]; then echo "generate flink.keystore failed." exit 1 fi #generate cer rm -rf $keystorePath/flink.csr $KEYTOOL -certreq -keystore $keystorePath/flink.keystore -storepass $storepassValue -alias $aliasValue -file $keystorePath/flink.csr if [ $? -ne 0 ]; then echo "generate flink.csr failed." exit 1 fi #generate flink.cer rm -rf $keystorePath/flink.cer $KEYTOOL -gencert -keystore $keystorePath/ca.keystore -storepass $storepassValue -alias $CA_ALIAS -ext SAN=$SANValue -infile $keystorePath/flink.csr -outfile $keystorePath/flink.cer -validity 3650 if [ $? -ne 0 ]; then echo "generate flink.cer failed." exit 1 fi #import cer into keystore $KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/ca.cer -alias $CA_ALIAS -noprompt if [ $? -ne 0 ]; then echo "importcert ca." exit 1 fi $KEYTOOL -importcert -keystore $keystorePath/flink.keystore -storepass $storepassValue -file $keystorePath/flink.cer -alias $aliasValue -noprompt; if [ $? -ne 0 ]; then echo "generate flink.truststore failed." exit 1 fi } function configureFlinkConf() { # set config if [ -f "$CLIENT_CONF_YAML" ]; then SSL_ENCRYPT_ENABLED=$(grep "security.ssl.encrypt.enabled" "$CLIENT_CONF_YAML" | awk '{print $2}') if [ "$SSL_ENCRYPT_ENABLED" = "false" ];then sed -i s/"security.ssl.key-password:".*/"security.ssl.key-password:"\ "${keyPass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.key-password failed." return 1 fi sed -i s/"security.ssl.keystore-password:".*/"security.ssl.keystore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore-password failed." return 1 fi sed -i s/"security.ssl.truststore-password:".*/"security.ssl.truststore-password:"\ "${storePass}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore-password failed." return 1 fi echo "security.ssl.encrypt.enabled is false, set security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password success." else echo "security.ssl.encrypt.enabled is true, please enter security.ssl.key-password security.ssl.keystore-password security.ssl.truststore-password encrypted value in flink-conf.yaml." fi keystoreFilePath="${keystorePath}"/flink.keystore sed -i 's#'"security.ssl.keystore:".*'#'"security.ssl.keystore:"\ "$keystoreFilePath"'#g' "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.keystore failed." return 1 fi truststoreFilePath="${keystorePath}/flink.truststore" sed -i 's#'"security.ssl.truststore:".*'#'"security.ssl.truststore:"\ "$truststoreFilePath"'#g' "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.ssl.truststore failed." return 1 fi command -v sha256sum >/dev/null if [ $? -ne 0 ];then echo "sha256sum is not exist, it will produce security.cookie with date +%F-%H-%M-%s-%N." cookie=$(date +%F-%H-%M-%s-%N) else cookie="$(echo "${KEYTABPRINCEPAL}"| sha256sum | awk '{print $1}')" fi sed -i s/"security.cookie:".*/"security.cookie:"\ "${cookie}"/g "$CLIENT_CONF_YAML" if [ $? -ne 0 ]; then echo "set security.cookie failed." return 1 fi fi return 0; } main() { #check environment variable is set or not if [ -z ${FLINK_HOME+x} ]; then echo "errro: environment variables are not set." exit 1 fi stty -echo read -rp "Enter password:" password stty echo echo KEYTABPRINCEPAL=$(grep "security.kerberos.login.principal" "$CLIENT_CONF_YAML" | awk '{print $2}') if [ -z "$KEYTABPRINCEPAL" ];then echo "please config security.kerberos.login.principal info first." exit 1 fi #get input keystorePath="$KEYSTOREPATH" storePass="$password" keyPass="$password" #generate self signed CA createSelfSignedCA "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "create self signed ca failed." exit 1 fi #generate keystore generateKeystore "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "create keystore failed." exit 1 fi echo "generate keystore/truststore success." # set flink config configureFlinkConf "$keystorePath" "$storePass" "$keyPass" if [ $? -ne 0 ]; then echo "configure Flink failed." exit 1 fi return 0; } #the start main main "$@" exit 0
执行命令“sh generate_keystore.sh <password>”即可,<password>由用户自定义输入
- 若<password>中包含特殊字符"$",应使用如下方式,以防止被转义,“sh generate_keystore.sh 'password'”。命令中如果携带认证密码信息可能存在安全风险,在执行命令前建议关闭系统的history命令记录功能,避免信息泄露。
- 密码不允许包含“#”。
- 使用该generate_keystore.sh脚本前需要在客户端目录下执行source bigdata_env。
- 使用该generate_keystore.sh脚本会自动将security.ssl.keystore、security.ssl.truststore的绝对路径填写到flink-conf.yaml中,所以需要用户根据实际情况手动修改为相对路径。例如:
- 将security.ssl.keystore: /opt/client/Flink/flink/conf//flink.keystore修改为security.ssl.keystore: ssl/flink.keystore;
- 将security.ssl.truststore: /opt/client/Flink/flink/conf//flink.truststore修改为security.ssl.truststore: ssl/flink.truststore;
- 需要在Flink客户端环境中任意目录下创建ssl文件夹,如在“/opt/client/Flink/flink/conf/”目录下新建目录ssl,将flink.keystore、flink.truststore文件放入ssl文件夹中;
- 执行yarn-session或者flink run -m yarn-cluster命令时需要在ssl文件夹同级目录下执行:yarn-session.sh -t ssl -d 或者 flink run -m yarn-cluster -yt ssl -d WordCount.jar 。
父主题: 使用Flink