  1. Flink
  2. FLINK-9103

SSL verification on TaskManager when parallelism > 1

    Details

      Description

      In dynamic environments like Kubernetes, the SSL certificates can be generated to use only the DNS addresses for validation of the identity of servers, given that the IP can change eventually.

       

      In these cases, when executing Jobs with Parallelism set to 1, the SSL validations are good and the JobManager can communicate with the TaskManager and vice versa.

       

      But with parallelism set to more than 1, SSL validation fails when Task Managers communicate with each other, as it seems to try to validate against the IP address:

      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.xx.xxx.xxx found 
      at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168) 
      at sun.security.util.HostnameChecker.match(HostnameChecker.java:94) 
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) 
      at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) 
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) 
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) 
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) 
      ... 21 more 
       
      From the logs, it seems the task managers successfully register their full addresses with Netty, but the IP is still used.
       
      Attached pertinent logs from JobManager and a TaskManager. 

        Attachments

        1. job.log
          20 kB
          Edward Rojas
        2. task0.log
          112 kB
          Edward Rojas

              People

              • Assignee:
                edRojas Edward Rojas
                Reporter:
                edRojas Edward Rojas
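
The identity check that produces the exception in the description, modelled as an added example (not Flink or JDK code, and not part of the original report): when the peer is addressed by an IP literal only iPAddress SAN entries are considered, so a certificate carrying only DNS names fails even though the same host passes when addressed by name. The host names, the 192.0.2.10 address and the SAN list are constructed sample data; the SAN tuples follow the shape returned by Python's ssl getpeercert().

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] != "*" and p[0] != h[0]:
        return False
    return p[1:] == h[1:]

def check_identity(peer: str, sans: list[tuple[str, str]]) -> tuple[bool, str]:
    """Return (ok, reason) for the name a client dialled against a cert's SANs."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only iPAddress SANs count, dNSName entries are never consulted.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress SAN"
        return False, f"No subject alternative names matching IP address {peer} found"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, peer):
            return True, f"matched dNSName SAN {value}"
    return False, f"No subject alternative DNS name matching {peer} found"

# Constructed sample data: a DNS-only certificate and two ways of addressing
# the same TaskManager (by service name and by pod IP).
CERT_SANS = [("DNS", "*.flink-taskmanager.example.svc")]
ADVERTISED = ["flink-taskmanager-0.flink-taskmanager.example.svc", "192.0.2.10"]

def audit(peers, sans):
    """Pre-flight check: which advertised addresses would pass verification?"""
    return {peer: check_identity(peer, sans) for peer in peers}

if __name__ == "__main__":
    for peer, (ok, reason) in audit(ADVERTISED, CERT_SANS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {peer}: {reason}")
```

Running audit() over the addresses that peers actually dial, before enabling SSL, shows whether any connection path uses an IP the certificate does not cover.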