Posted to users@kafka.apache.org by Darshan <pu...@gmail.com> on 2019/05/16 21:08:25 UTC

Help - Updating Keystore Dynamically - KAFKA-6810

Hi

I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
reconfiguration of SSL truststores"
https://issues.apache.org/jira/browse/KAFKA-6810. But unfortunately I could
not get it to work. Please find the server.properties. Just wondering if we
need a change of config. Please advise.

1. I added a new entry in the truststore, and validated that it is
present.
2. The client (kafka writer) could not write to Kafka due to SSLException.
3. I restarted Kafka broker.
4. The client could write messages.


server.properties
----------------------------------------------------------------------------

############################# Server Basics #############################

# The id of the broker. This must be set to a unique integer for each broker.
broker.id=1
auto.create.topics.enable=true
delete.topic.enable=true

#################### Upgrading from 1.1.0 to 2.2.0 ####################
inter.broker.protocol.version=1.1
log.message.format.version=1.1

############################# Socket Server Settings #############################

listeners=INTERNAL://1.1.1.65:9092,EXTERNAL://10.28.118.172:443,INTERNAL_PLAINTEXT://1.1.1.65:9094
advertised.listeners=INTERNAL://1.1.1.65:9092,EXTERNAL://10.28.118.172:443,INTERNAL_PLAINTEXT://1.1.1.65:9094
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,INTERNAL_PLAINTEXT:PLAINTEXT
inter.broker.listener.name=INTERNAL_PLAINTEXT

default.replication.factor=1
offsets.topic.replication.factor=1

# Hostname the broker will bind to. If not set, the server will bind to all interfaces
host.name=10.28.118.172

# The number of threads handling network requests
num.network.threads=12

# The number of threads doing disk I/O
num.io.threads=12

# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400

# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400

# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600

# Max message size is 10 MB
message.max.bytes=10000120

# Consumer side largest message size is 10 MB
fetch.message.max.bytes=10000120

# Replica max fetch size is 10MB
replica.fetch.max.bytes=10000120

# Max request size 10MB
max.request.size=10000120

################ SHUTDOWN and REBALANCING #######################
# Both of the following properties are enabled by default; they are also set explicitly here
controlled.shutdown.enable=true
auto.leader.rebalance.enable=true
unclean.leader.election.enable=true


######################### Security Settings ##########################
ssl.endpoint.identification.algorithm=""
ssl.keystore.location=/dir/keystore.jks
ssl.keystore.password=pwd
ssl.key.password=pwd
ssl.truststore.location=/dir/truststore.jks
ssl.truststore.password=pwd
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# User.ANONYMOUS is included for AMS to be able to program ACL via 9094 port
super.users=User:CN=KafkaBroker1;User:ANONYMOUS

Re: Help - Updating SSL Truststore Dynamically - KAFKA-6810

Posted by Darshan <pu...@gmail.com>.
I edited the email subject since it was not correct. Thanks.

On Thu, May 16, 2019 at 2:08 PM Darshan <pu...@gmail.com> wrote:

> Hi
>
> I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
> reconfiguration of SSL truststores"
> https://issues.apache.org/jira/browse/KAFKA-6810. But unfortunately I
> could not get it to work. Please find the server.properties. Just wondering if
> we need a change of config. Please advise.
>
> 1. I added a new entry in the truststore, and validated that it is
> present.
> 2. The client (kafka writer) could not write to Kafka due to SSLException.
> 3. I restarted Kafka broker.
> 4. The client could write messages.
>

Re: Help - Updating Keystore Dynamically - KAFKA-6810

Posted by Peter Bukowinski <pm...@gmail.com>.
Yes, it is still relevant — unless you’ve enabled SSL for inter-broker communication and you are trying to update the truststore associated with that listener.

You should use the kafka-configs command to set the dynamic config value: https://kafka.apache.org/21/documentation.html#dynamicbrokerconfigs

> bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-default --alter --add-config {listener.name.[listener_name].}ssl.truststore.location=/path/to/new/truststore

The part in brackets may be optional if you don’t have more than one listener configured with a truststore.


> On May 16, 2019, at 3:26 PM, Darshan <pu...@gmail.com> wrote:
> 
> I sent another email that I am looking to dynamically update SSL
> truststore, and not keystore. Would that still be relevant? Thanks.
> 
> On Thu, May 16, 2019 at 2:54 PM Peter Bukowinski <pm...@gmail.com> wrote:
> 
>> It’s my understanding that dynamic configuration requires you to write
>> znodes, e.g. /config/brokers/ssl.keystore.location. I believe you can use
>> the same path. Brokers should be watching that path and if a node is added
>> or updated the config values will be read in and loaded over existing
>> values.
>> 
>> 
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore
>> 
>> 
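The procedure the reply above describes, worked through as an added example (this is not code from the thread or from the Kafka project): the script validates a replacement truststore, pushes its path to every SSL listener of one broker with `kafka-configs.sh --alter`, and reads the dynamic config back with `--describe`. The listener names, broker id, protocol map and the INTERNAL_PLAINTEXT bootstrap address default to the values in the posted server.properties; `KAFKA_HOME`, `SERVER_PROPS`, the new-CA alias argument and all helper names are my assumptions. Kafka's documentation describes keystore and truststore updates as per-broker updates, so the script addresses a single broker with `--entity-name` instead of the `--entity-default` form quoted in the reply, and, as the reply notes, flags the case where a listener is also the inter-broker listener.

```shell
#!/bin/sh
# Added example (not from the thread, not Kafka's own code): roll a new
# truststore out to every SSL listener of one broker through the dynamic
# broker config path, then verify. Assumed (not on the page): KAFKA_HOME,
# SERVER_PROPS, the helper names and the new-CA alias argument.
set -eu

KAFKA_HOME="${KAFKA_HOME:-/opt/kafka}"                      # assumed install path
SERVER_PROPS="${SERVER_PROPS:-$KAFKA_HOME/config/server.properties}"
BOOTSTRAP="${BOOTSTRAP:-1.1.1.65:9094}"                     # INTERNAL_PLAINTEXT listener from the post
BROKER_ID="${BROKER_ID:-1}"                                 # broker.id from the post

# Read one key from a Java properties file (last definition wins).
prop() {
  awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' "$2"
}

# Print the lower-cased names of listeners mapped to SSL or SASL_SSL in
# listener.security.protocol.map. Kafka's per-listener prefix is
# listener.name.<name>. with the name in lower case, so INTERNAL:SSL
# becomes the prefix listener.name.internal.
ssl_listeners() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS=: read -r name proto; do
    case "$proto" in
      SSL|SASL_SSL) printf '%s ' "$name" | tr '[:upper:]' '[:lower:]' ;;
    esac
  done | sed 's/ $//'
}

# The --add-config argument for one listener. Only the location changes;
# the new file is expected to use the existing ssl.truststore.password.
truststore_config() {
  printf 'listener.name.%s.ssl.truststore.location=%s' "$1" "$2"
}

# Refuse a store that lost entries or lacks the new CA: a truststore that
# silently dropped a CA would start rejecting valid client certificates.
check_truststore() {
  old="$1"; new="$2"; pass="$3"; alias="$4"
  old_n=$(keytool -list -keystore "$old" -storepass "$pass" | grep -c trustedCertEntry || true)
  new_n=$(keytool -list -keystore "$new" -storepass "$pass" | grep -c trustedCertEntry || true)
  if [ "$new_n" -lt "$old_n" ]; then
    echo "new store has fewer CA entries ($new_n < $old_n)" >&2
    return 1
  fi
  keytool -list -keystore "$new" -storepass "$pass" -alias "$alias" >/dev/null
}

# Push the new path to each SSL listener of this broker, then read it back.
apply_truststore() {
  new="$1"
  map=$(prop listener.security.protocol.map "$SERVER_PROPS")
  ibl=$(prop inter.broker.listener.name "$SERVER_PROPS" | tr '[:upper:]' '[:lower:]')
  for l in $(ssl_listeners "$map"); do
    # Caveat from the reply: on the inter-broker listener the broker only
    # accepts the change if its own keystore is trusted by the new store.
    if [ "$l" = "$ibl" ]; then
      echo "note: $l is the inter-broker listener" >&2
    fi
    "$KAFKA_HOME/bin/kafka-configs.sh" --bootstrap-server "$BOOTSTRAP" \
      --entity-type brokers --entity-name "$BROKER_ID" --alter \
      --add-config "$(truststore_config "$l" "$new")"
  done
  "$KAFKA_HOME/bin/kafka-configs.sh" --bootstrap-server "$BOOTSTRAP" \
    --entity-type brokers --entity-name "$BROKER_ID" --describe
}

# Usage: sh rotate_truststore.sh --apply /dir/truststore.jks /dir/truststore-v2.jks <storepass> <new-ca-alias>
if [ "${1:-}" = "--apply" ]; then
  check_truststore "$2" "$3" "$4" "$5"
  apply_truststore "$3"
fi
```

The script takes a new file path rather than overwriting the existing file in place, matching the `/path/to/new/truststore` form in the reply; the original post added the CA to the file at the unchanged path and saw no effect until a restart. The `keytool` check runs before anything touches the broker, so a store built without the old CAs is rejected instead of being rolled out to the `ssl.client.auth=required` listeners.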


Re: Help - Updating Keystore Dynamically - KAFKA-6810

Posted by Darshan <pu...@gmail.com>.
I sent another email that I am looking to dynamically update SSL
truststore, and not keystore. Would that still be relevant? Thanks.

On Thu, May 16, 2019 at 2:54 PM Peter Bukowinski <pm...@gmail.com> wrote:

> It’s my understanding that dynamic configuration requires you to write
> znodes, e.g. /config/brokers/ssl.keystore.location. I believe you can use
> the same path. Brokers should be watching that path and if a node is added
> or updated the config values will be read in and loaded over existing
> values.
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore
>
>

Re: Help - Updating Keystore Dynamically - KAFKA-6810

Posted by Peter Bukowinski <pm...@gmail.com>.
It’s my understanding that dynamic configuration requires you to write znodes, e.g. /config/brokers/ssl.keystore.location. I believe you can use the same path. Brokers should be watching that path and if a node is added or updated the config values will be read in and loaded over existing values.

https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore


> On May 16, 2019, at 2:08 PM, Darshan <pu...@gmail.com> wrote:
> 
> Hi
> 
> I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
> reconfiguration of SSL truststores"
> https://issues.apache.org/jira/browse/KAFKA-6810. But unfortunately I could
> not get it to work. Please find the server.properties. Just wondering if we
> need a change of config. Please advise.
> 
> 1. I added a new entry in the truststore, and validated that it is
> present.
> 2. The client (kafka writer) could not write to Kafka due to SSLException.
> 3. I restarted Kafka broker.
> 4. The client could write messages.