Posted to jira@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2019/05/15 08:18:00 UTC
[jira] [Resolved] (KAFKA-8336) Enable dynamic update of client-side SSL factory in brokers
[ https://issues.apache.org/jira/browse/KAFKA-8336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-8336.
-----------------------------------
Resolution: Fixed
Reviewer: Manikumar
> Enable dynamic update of client-side SSL factory in brokers
> -----------------------------------------------------------
>
> Key: KAFKA-8336
> URL: https://issues.apache.org/jira/browse/KAFKA-8336
> Project: Kafka
> Issue Type: Improvement
> Components: core
> Affects Versions: 2.2.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 2.3.0
>
>
> We currently support dynamic update of server-side keystores. This allows expired certs to be updated on brokers without a rolling restart. When mutual authentication is enabled for inter-broker communication (ssl.client.auth=required), we don't currently dynamically update client-side keystores for controller or transaction coordinator. So a broker restart (or controller change) is required for cert update for this case. Since short-lived SSL cert is a common use case, we should enable client-side cert updates for all client connections initiated by the broker to ensure that SSL certificate expiry can be handled with dynamic config updates on brokers for all configurations.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)