Details
- New Feature
- Status: Open
- Not a Priority
- Resolution: Unresolved
Description
In order to be able to use Apache Flink in certain environments with strict compliance requirements, the application may need to be compliant with FIPS-140-2.
The path to produce a FIPS compliant image can vary, depending on the programming language and application itself. For Java, this may involve:
- For any bundled crypto, utilising FIPS versions, i.e. the FIPS version of BouncyCastle (bcfips). Alternatively, ensuring there is no bundled crypto, and all operations fall back to the JRE / OpenSSL on the host
- Where keystores are required, support for creating bcfks keystore types
- Producing a base image with OpenSSL configured for FIPS, as well as a JRE configured for FIPS (such as bcfips)
- No use of unapproved crypto algorithms, such as DES, MD5, SHA1 etc.
It would be great if Flink was able to support FIPS - by that, I mean ensuring all requirements are met, and some documentation outlining how this is met and enforced.
From a quick scan of the codebase, I don't see any direct references to bouncycastle (either non-fips or fips), but I do see several places where md5 and sha1 are used, for example.
Support for FIPS would increase the use-cases for deploying Flink in secure environments. Thanks for taking this into consideration.
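
A source-level check for the "no unapproved algorithms" requirement listed above, as an added example that is not part of the original ticket or of Flink's code. The denylist holds only the three names the ticket gives, and the Java sample and the function names are constructed for illustration.

```python
import re

# Denylist taken from the ticket's examples (DES, MD5, SHA1); extend per policy.
UNAPPROVED = {"DES", "MD5", "SHA1"}

# JCA factory calls whose first argument is a string literal naming the algorithm.
JCA_CALL = re.compile(
    r'\b(MessageDigest|Cipher|Mac|KeyGenerator|SecretKeyFactory|Signature)'
    r'\s*\.\s*getInstance\s*\(\s*"([^"]+)"')
# Guava / commons-codec shortcuts that carry the algorithm in the method name.
HELPER_CALL = re.compile(r'\b(Hashing|DigestUtils)\s*\.\s*(md5|sha1)\w*\s*\(')


def normalise(name):
    """'SHA-1' -> 'SHA1', 'DES/CBC/PKCS5Padding' -> 'DES'."""
    return name.split("/")[0].replace("-", "").upper()


def scan_java(source, path="<memory>"):
    """Return (path, line_no, api, algorithm) for each unapproved use found."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # crude comment skip; a stricter gate would parse the AST
        for m in JCA_CALL.finditer(line):
            alg = normalise(m.group(2))
            if alg in UNAPPROVED:
                findings.append((path, no, m.group(1), alg))
        for m in HELPER_CALL.finditer(line):
            findings.append((path, no, m.group(1), m.group(2).upper()))
    return findings


# Constructed sample input, not taken from the Flink code base.
SAMPLE = '''\
import java.security.MessageDigest;
public class DigestDemo {
    // MessageDigest.getInstance("MD5") mentioned in a comment is ignored
    byte[] a() throws Exception { return MessageDigest.getInstance("SHA-1").digest(); }
    byte[] b() throws Exception { return MessageDigest.getInstance("SHA-256").digest(); }
    Object c() throws Exception { return javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding"); }
    Object d() throws Exception { return javax.crypto.Cipher.getInstance("DESede/CBC/PKCS5Padding"); }
    String e(byte[] x) { return org.apache.commons.codec.digest.DigestUtils.md5Hex(x); }
}
'''

if __name__ == "__main__":
    for path, no, api, alg in scan_java(SAMPLE, "DigestDemo.java"):
        print(f"{path}:{no}: {api} uses {alg}")
```

Algorithm names passed through constants or variables are not seen by this check, so it complements, rather than replaces, running the test suite on a JRE whose provider is in FIPS mode.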