Posted to jira@kafka.apache.org by "Elliot West (Jira)" <ji...@apache.org> on 2021/09/13 13:13:00 UTC

[jira] [Comment Edited] (KAFKA-13293) Support client reload of PEM certificates

    [ https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414192#comment-17414192 ] 

Elliot West edited comment on KAFKA-13293 at 9/13/21, 1:12 PM:
---------------------------------------------------------------

Hey [~rsivaram] - thank you for your reply.  I believe you are correct - I was certain that JKS reload was the case, but must admit that having looked through the Kafka source code again, I cannot find an obvious code path that would provide a JKS reload capability for clients. I believe this functionality would be beneficial (both for JKS and PEM) and can update the ticket accordingly if you concur.

In the meantime, could you advise what the current best practice approach would be? I presume pulling new certs and then restarting the clients?


was (Author: teabot):
Hey [~rsivaram] - thank you for your reply.  I was certain that JKS reload was the case, but must admit that having looked through the Kafka source code again, I cannot find an obvious code path that would provide a JKS reload capability for clients. I believe this functionality would be beneficial (both for JKS and PEM) and can update the ticket accordingly if you concur.

In the meantime, could you advise what the current best practice approach would be? I presume pulling new certs and then restarting the clients?

> Support client reload of PEM certificates
> -----------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as client configuration properties in addition to JKS file based key stores (KAFKA-10338). With PEM, certificate chains are passed into clients as simple string based key-value properties, alongside existing client configuration. This offers a number of benefits: it provides a JVM agnostic security mechanism from the perspective of clients, removes the client's dependency on the local filesystem, and allows the encapsulation of the entire client configuration into a single payload.
> However, the current client PEM implementation has a feature regression when compared with the JKS implementation. With the JKS approach, clients would automatically reload certificates when the key stores were modified on disk. This enables a seamless approach for the replacement of certificates when they are due to expire; no further configuration or explicit interference with the client lifecycle is needed for the client to migrate to renewed certificates.
> Such a capability does not currently exist for PEM. One supplies key chains when instantiating clients only - there is no mechanism available to either directly reconfigure the client, or for the client to observe changes to the original properties set reference used in construction. Additionally, no work-arounds are documented that might give users alternative strategies for dealing with expiring certificates. Given that expiration and renewal of certificates is an industry standard practice, it could be argued that the current PEM client implementation is not fit for purpose.
> In summary, a mechanism should be provided such that clients can automatically detect, load, and use updated PEM key chains from some non-file based source (object ref, method invocation, listener, etc.)
> Finally, it is suggested that in the short-term Kafka documentation be updated to describe any viable mechanism for updating client PEM certs (perhaps closing existing client and then recreating?).
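The "close the existing client and recreate it" workaround suggested in the issue, written out as an added example; this is not code from the Kafka project or from either participant in the thread. It wraps a KafkaProducer and rebuilds it from inline PEM properties (the real `ssl.keystore.type=PEM`, `ssl.keystore.certificate.chain`, `ssl.keystore.key`, `ssl.truststore.certificates` settings introduced by KAFKA-10338) whenever the material returned by a caller-supplied source changes. `PemMaterial`, `PemReloadingProducer` and the `Supplier<PemMaterial>` source are hypothetical names introduced here; how the renewed material is fetched (secret manager, vault, renewal hook) is left to the caller. Java 16+ is assumed for the nested record.

```java
import java.time.Duration;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringSerializer;

/**
 * Hypothetical wrapper (not part of Kafka) that swaps in a fresh producer when the
 * PEM material changes, since the client itself cannot be reconfigured in place.
 */
public final class PemReloadingProducer implements AutoCloseable {

    /** Hypothetical holder for PEM strings obtained from a non-file source. */
    public record PemMaterial(String certificateChain, String privateKey,
                              String keyPassword, String trustedCertificates) {}

    private final Properties baseConfig;                 // bootstrap.servers, acks, etc.
    private final Supplier<PemMaterial> materialSource;  // hypothetical: returns current material
    private final AtomicReference<Producer<String, String>> current = new AtomicReference<>();
    private PemMaterial active;                          // material the live producer was built from

    public PemReloadingProducer(Properties baseConfig, Supplier<PemMaterial> materialSource) {
        this.baseConfig = baseConfig;
        this.materialSource = materialSource;
        reloadIfChanged();   // build the initial producer eagerly so send() never sees null
    }

    /** Builds the client properties: PEM key store and trust store passed as strings, not files. */
    static Properties pemConfig(Properties base, PemMaterial m) {
        Properties p = new Properties();
        p.putAll(base);
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        p.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "PEM");
        p.put(SslConfigs.SSL_KEYSTORE_CERTIFICATE_CHAIN_CONFIG, m.certificateChain());
        p.put(SslConfigs.SSL_KEYSTORE_KEY_CONFIG, m.privateKey());
        if (m.keyPassword() != null) {   // only needed when the PEM private key is encrypted
            p.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, m.keyPassword());
        }
        p.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "PEM");
        p.put(SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG, m.trustedCertificates());
        return p;
    }

    /**
     * Compares the latest material with what the live producer was built from and, only on a
     * change, creates a new producer, publishes it, then drains and closes the old one.
     * Returns true when a swap happened.
     */
    public synchronized boolean reloadIfChanged() {
        PemMaterial latest = Objects.requireNonNull(materialSource.get(), "PEM material");
        if (latest.equals(active)) {
            return false;
        }
        Producer<String, String> fresh = new KafkaProducer<>(
                pemConfig(baseConfig, latest), new StringSerializer(), new StringSerializer());
        Producer<String, String> old = current.getAndSet(fresh);   // new sends go to the new client
        active = latest;
        if (old != null) {
            old.flush();                         // let in-flight records complete on the old TLS session
            old.close(Duration.ofSeconds(30));
        }
        return true;
    }

    /** Polls the material source on a fixed schedule; the caller owns the executor. */
    public void startPolling(ScheduledExecutorService executor, Duration interval) {
        executor.scheduleWithFixedDelay(this::reloadIfChanged,
                interval.toMillis(), interval.toMillis(), java.util.concurrent.TimeUnit.MILLISECONDS);
    }

    public void send(String topic, String key, String value) {
        current.get().send(new ProducerRecord<>(topic, key, value));
    }

    @Override
    public void close() {
        Producer<String, String> p = current.getAndSet(null);
        if (p != null) {
            p.close(Duration.ofSeconds(30));
        }
    }
}
```

Two properties of this workaround are worth knowing before relying on it. The swap is not transparent to delivery semantics: a new KafkaProducer is a new producer instance, so idempotence and transaction state do not carry over, and records accepted by the old instance but not yet acknowledged are only protected by the `flush()` before `close()`. Second, polling introduces a window between renewal and pickup; sizing the interval against the certificate lifetime, and reloading well before expiry rather than on it, keeps the client from presenting an expired chain.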



--
This message was sent by Atlassian Jira
(v8.3.4#803005)