我的书签
添加书签
移除书签SSL/TLS support
Several Flume components support the SSL/TLS protocols in order to communicate with other systemssecurely.
| Component | SSL server or client |
|---|---|
| Avro Source | server |
| Avro Sink | client |
| Thrift Source | server |
| Thrift Sink | client |
| Kafka Source | client |
| Kafka Channel | client |
| Kafka Sink | client |
| HTTP Source | server |
| JMS Source | client |
| Syslog TCP Source | server |
| Multiport Syslog TCP Source | server |
The SSL compatible components have several configuration parameters to set up SSL, likeenable SSL flag, keystore / truststore parameters (location, password, type) and additionalSSL parameters (eg. disabled protocols).
Enabling SSL for a component is always specified at component level in the agent configuration file.So some components may be configured to use SSL while others not (even with the same component type).
The keystore / truststore setup can be specified at component level or globally.
In case of the component level setup, the keystore / truststore is configured in the agentconfiguration file through component specific parameters. The advantage of this method is that thecomponents can use different keystores (if this would be needed). The disadvantage is that thekeystore parameters must be copied for each component in the agent configuration file.The component level setup is optional, but if it is defined, it has higher precedence thanthe global parameters.
With the global setup, it is enough to define the keystore / truststore parameters onceand use the same settings for all components, which means less and more centralized configuration.
The global setup can be configured either through system properties or through environment variables.
| System property | Environment variable | Description |
|---|---|---|
| javax.net.ssl.keyStore | FLUME_SSL_KEYSTORE_PATH | Keystore location |
| javax.net.ssl.keyStorePassword | FLUME_SSL_KEYSTORE_PASSWORD | Keystore password |
| javax.net.ssl.keyStoreType | FLUME_SSL_KEYSTORE_TYPE | Keystore type (by default JKS) |
| javax.net.ssl.trustStore | FLUME_SSL_TRUSTSTORE_PATH | Truststore location |
| javax.net.ssl.trustStorePassword | FLUME_SSL_TRUSTSTORE_PASSWORD | Truststore password |
| javax.net.ssl.trustStoreType | FLUME_SSL_TRUSTSTORE_TYPE | Truststore type (by default JKS) |
| flume.ssl.include.protocols | FLUME_SSL_INCLUDE_PROTOCOLS | Protocols to include when calculating enabled protocols. A comma (,) separated list.Excluded protocols will be excluded from this list if provided. |
| flume.ssl.exclude.protocols | FLUME_SSL_EXCLUDE_PROTOCOLS | Protocols to exclude when calculating enabled protocols. A comma (,) separated list. |
| flume.ssl.include.cipherSuites | FLUME_SSL_INCLUDE_CIPHERSUITES | Cipher suites to include when calculating enabled cipher suites. A comma (,) separated list.Excluded cipher suites will be excluded from this list if provided. |
| flume.ssl.exclude.cipherSuites | FLUME_SSL_EXCLUDE_CIPHERSUITES | Cipher suites to exclude when calculating enabled cipher suites. A comma (,) separated list. |
The SSL system properties can either be passed on the command line or by setting the JAVAOPTSenvironment variable in _conf/flume-env.sh. (Although, using the command line is inadvisable becausethe commands including the passwords will be saved to the command history.)
- export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore.jks"
- export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=password"
Flume uses the system properties defined in JSSE (Java Secure Socket Extension), so this isa standard way for setting up SSL. On the other hand, specifying passwords in system propertiesmeans that the passwords can be seen in the process list. For cases where it is not acceptable,it is also be possible to define the parameters in environment variables. Flume initializesthe JSSE system properties from the corresponding environment variables internally in this case.
The SSL environment variables can either be set in the shell environment beforestarting Flume or in conf/flume-env.sh. (Although, using the command line is inadvisable becausethe commands including the passwords will be saved to the command history.)
- export FLUME_SSL_KEYSTORE_PATH=/path/to/keystore.jks
- export FLUME_SSL_KEYSTORE_PASSWORD=password
Please note:
- SSL must be enabled at component level. Specifying the global SSL parameters alone will nothave any effect.
- If the global SSL parameters are specified at multiple levels, the priority is thefollowing (from higher to lower):
- component parameters in agent config
- system properties
- environment variables
- If SSL is enabled for a component, but the SSL parameters are not specified in any of the waysdescribed above, then
- in case of keystores: configuration error
- in case of truststores: the default truststore will be used (jssecacerts / cacerts in Oracle JDK)
- The trustore password is optional in all cases. If not specified, then no integrity check will beperformed on the truststore when it is opened by the JDK.
