You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/05/26 13:16:15 UTC
[GitHub] [kafka] jlprat opened a new pull request #10770: MINOR: fix code listings security.html
jlprat opened a new pull request #10770:
URL: https://github.com/apache/kafka/pull/10770
Fix examples under security.html so they use the right bash icon (`>`
instead of `$`) and also uses the right tool for showing code listings
Some of the diffs are caused also by the IDE aligning html code properly.
### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-852066684
Thanks @cadonna !
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640516748
##########
File path: docs/security.html
##########
@@ -443,134 +443,133 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
user_admin="admin-secret" \
user_alice="alice-secret";</code></pre>
- If JAAS configuration is defined at different levels, the order of precedence used is:
- <ul>
- <li>Broker configuration property <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code></li>
- <li><code>{listenerName}.KafkaServer</code> section of static JAAS configuration</code></li>
- <li><code>KafkaServer</code> section of static JAAS configuration</code></li>
- </ul>
- Note that ZooKeeper JAAS config may only be configured using static JAAS configuration.
-
- <p>See <a href="#security_sasl_kerberos_brokerconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_brokerconfig">PLAIN</a>,
- <a href="#security_sasl_scram_brokerconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_brokerconfig">OAUTHBEARER</a> for example broker configurations.</p></li>
-
- </li>
- <li><h5><a id="security_jaas_client"
- href="#security_jaas_client">JAAS configuration for Kafka clients</a></h5>
-
- <p>Clients may configure JAAS using the client configuration property
- <a href="#security_client_dynamicjaas">sasl.jaas.config</a>
- or using the <a href="#security_client_staticjaas">static JAAS config file</a>
- similar to brokers.</p>
-
- <ol>
- <li><h6><a id="security_client_dynamicjaas"
- href="#security_client_dynamicjaas">JAAS configuration using client configuration property</a></h6>
- <p>Clients may specify JAAS configuration as a producer or consumer property without
- creating a physical configuration file. This mode also enables different producers
- and consumers within the same JVM to use different credentials by specifying
- different properties for each client. If both static JAAS configuration system property
- <code>java.security.auth.login.config</code> and client property <code>sasl.jaas.config</code>
- are specified, the client property will be used.</p>
-
- <p>See <a href="#security_sasl_kerberos_clientconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a> for example configurations.</p></li>
-
- <li><h6 class="anchor-heading"><a id="security_client_staticjaas" class="anchor-link"></a><a href="#security_client_staticjaas">JAAS configuration using static config file</a></h6>
- To configure SASL authentication on the clients using static JAAS config file:
- <ol>
- <li>Add a JAAS config file with a client login section named <tt>KafkaClient</tt>. Configure
- a login module in <tt>KafkaClient</tt> for the selected mechanism as described in the examples
- for setting up <a href="#security_sasl_kerberos_clientconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a>.
- For example, <a href="#security_sasl_gssapi_clientconfig">GSSAPI</a>
- credentials may be configured as:
- <pre class="line-numbers"><code class="language-text">KafkaClient {
+ If JAAS configuration is defined at different levels, the order of precedence used is:
Review comment:
Same as previous, you are right, it needs to be aligned with the contents of the header `JAAS configuration for Kafka brokers`. However, the problem here was that the previous content was misaligned.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat edited a comment on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat edited a comment on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-849539579
Hi @cadonna thanks a lot for the feedback. I fixed the missing `>` characters. About the misalignment, you were right, however it was not from the lines you mention, but the previous ones.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] cadonna merged pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
cadonna merged pull request #10770:
URL: https://github.com/apache/kafka/pull/10770
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640352656
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
Review comment:
That `li` tag is currently closed at line 508. It's a 3 level nested ordered lists. Between line 402 and 508 we have the whole sublists as part of that `li` element. That's the reason the closing `li` element seems to be missing, it's just really down the page.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-848762769
CC. @cadonna as you reviewed the last doc changes on formatting and styling, you might want to review these as well. I split the changes in several PRs so it's more bearable to review.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-851963549
Thanks @cadonna All comments addressed!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-849539579
Hi @cadonna thanks a lot for the feedback. I fixed the missing `>` characters. About the misalignment, you were right, it was but not from the lines you mention, but the previous ones.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] showuon commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
showuon commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640339525
##########
File path: docs/security.html
##########
@@ -1835,28 +1834,28 @@ <h5 class="anchor-heading"><a id="operations_resources_and_protocols" class="anc
<td></td>
<td></td>
<td>Creating delegation tokens has special rules, for this please see the
- <a id="security_delegation_token" href="#security_delegation_token">Authentication using Delegation Tokens</a> section.</td>
+ <a id="security_delegation_token_1" href="#security_delegation_token">Authentication using Delegation Tokens</a> section.</td>
Review comment:
Nice fix!
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
Review comment:
Line 402-408 has `ol` and `li` tag not get handled. Please help. Thanks.
https://github.com/apache/kafka/pull/10770/files#diff-3485b37e32662f4925ee0374c4f6eb1d4dfa589bbb1c148b2a70e92b4acbe8bdR402-R408
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] cadonna commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
cadonna commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r642904792
##########
File path: docs/security.html
##########
@@ -384,56 +384,56 @@ <h5>SSL key and certificates in PEM format</h5>
ssl.key.password=test1234</code></pre>
Other configuration settings that may also be needed depending on our requirements and the broker configuration:
- <ol>
- <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
- <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
- <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
- <li>ssl.truststore.type=JKS</li>
- <li>ssl.keystore.type=JKS</li>
- </ol>
- <br>
+ <ol>
+ <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
+ <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
+ <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
+ <li>ssl.truststore.type=JKS</li>
+ <li>ssl.keystore.type=JKS</li>
+ </ol>
+ <br>
Examples using console-producer and console-consumer:
- <pre class="line-numbers"><code class="language-bash">kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
-kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
+> kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
</li>
</ol>
<h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href="#security_sasl">7.3 Authentication using SASL</a></h3>
<ol>
- <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
- <p>Kafka uses the Java Authentication and Authorization Service
- (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
- for SASL configuration.</p>
- <ol>
- <li><h5><a id="security_jaas_broker"
- href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
-
- <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
- KafkaServer/Broker. This section provides SASL configuration options
- for the broker including any SASL client connections made by the broker
- for inter-broker communication. If multiple listeners are configured to use
- SASL, the section name may be prefixed with the listener name in lower-case
- followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
-
- <p><tt>Client</tt> section is used to authenticate a SASL connection with
- zookeeper. It also allows the brokers to set SASL ACL on zookeeper
- nodes which locks these nodes down so that only the brokers can
- modify it. It is necessary to have the same principal name across all
- brokers. If you want to use a section name other than Client, set the
- system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
- name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
-
- <p>ZooKeeper uses "zookeeper" as the service name by default. If you
- want to change this, set the system property
- <tt>zookeeper.sasl.client.username</tt> to the appropriate name
- (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
-
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
+ <p>Kafka uses the Java Authentication and Authorization Service
+ (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
+ for SASL configuration.</p>
+ <ol>
+ <li><h5><a id="security_jaas_broker"
+ href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
+
+ <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
+ KafkaServer/Broker. This section provides SASL configuration options
+ for the broker including any SASL client connections made by the broker
+ for inter-broker communication. If multiple listeners are configured to use
+ SASL, the section name may be prefixed with the listener name in lower-case
+ followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
+
+ <p><tt>Client</tt> section is used to authenticate a SASL connection with
+ zookeeper. It also allows the brokers to set SASL ACL on zookeeper
+ nodes which locks these nodes down so that only the brokers can
+ modify it. It is necessary to have the same principal name across all
+ brokers. If you want to use a section name other than Client, set the
+ system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
+ name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
+
+ <p>ZooKeeper uses "zookeeper" as the service name by default. If you
+ want to change this, set the system property
+ <tt>zookeeper.sasl.client.username</tt> to the appropriate name
+ (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
+
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
Review comment:
I could not find the `</p>` for this `<p>`.
##########
File path: docs/security.html
##########
@@ -76,7 +76,7 @@ <h5>Host Name Verification</h5>
Server host name verification may be disabled by setting <code>ssl.endpoint.identification.algorithm</code> to an empty string.<br>
For dynamically configured broker listeners, hostname verification may be disabled using <code>kafka-configs.sh</code>:<br>
- <pre class="line-numbers"><code class="language-text">bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers --entity-name 0 --alter --add-config "listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
+ <pre class="line-numbers"><code class="language-text">> bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers --entity-name 0 --alter --add-config "listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
Review comment:
I think this should be `class="language-bash"` instead of `class="language-text"`.
##########
File path: docs/security.html
##########
@@ -99,7 +99,7 @@ <h5>Host Name Verification</h5>
To add a SAN field append the following argument <code> -ext SAN=DNS:{FQDN},IP:{IPADDRESS} </code> to the keytool command:
Review comment:
```suggestion
To add a SAN field append the following argument <code> -ext SAN=DNS:{FQDN},IP:{IPADDRESS}</code> to the keytool command:
```
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
+ The property name must be prefixed with the listener prefix including the SASL mechanism,
+ i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
+ login module may be specified in the config value. If multiple mechanisms are configured on a
+ listener, configs must be provided for each mechanism using the listener and mechanism prefix.
+ For example,
Review comment:
I think we misunderstood each other. The line that starts with `The property name ...` should be aligned with `<p>Brokers may also ...`. I am also fine, if you do not fix that. I think it is understandable and I see that the indentation is not really consistent in this file.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r642923211
##########
File path: docs/security.html
##########
@@ -384,56 +384,56 @@ <h5>SSL key and certificates in PEM format</h5>
ssl.key.password=test1234</code></pre>
Other configuration settings that may also be needed depending on our requirements and the broker configuration:
- <ol>
- <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
- <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
- <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
- <li>ssl.truststore.type=JKS</li>
- <li>ssl.keystore.type=JKS</li>
- </ol>
- <br>
+ <ol>
+ <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
+ <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
+ <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
+ <li>ssl.truststore.type=JKS</li>
+ <li>ssl.keystore.type=JKS</li>
+ </ol>
+ <br>
Examples using console-producer and console-consumer:
- <pre class="line-numbers"><code class="language-bash">kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
-kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
+> kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
</li>
</ol>
<h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href="#security_sasl">7.3 Authentication using SASL</a></h3>
<ol>
- <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
- <p>Kafka uses the Java Authentication and Authorization Service
- (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
- for SASL configuration.</p>
- <ol>
- <li><h5><a id="security_jaas_broker"
- href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
-
- <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
- KafkaServer/Broker. This section provides SASL configuration options
- for the broker including any SASL client connections made by the broker
- for inter-broker communication. If multiple listeners are configured to use
- SASL, the section name may be prefixed with the listener name in lower-case
- followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
-
- <p><tt>Client</tt> section is used to authenticate a SASL connection with
- zookeeper. It also allows the brokers to set SASL ACL on zookeeper
- nodes which locks these nodes down so that only the brokers can
- modify it. It is necessary to have the same principal name across all
- brokers. If you want to use a section name other than Client, set the
- system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
- name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
-
- <p>ZooKeeper uses "zookeeper" as the service name by default. If you
- want to change this, set the system property
- <tt>zookeeper.sasl.client.username</tt> to the appropriate name
- (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
-
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
+ <p>Kafka uses the Java Authentication and Authorization Service
+ (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
+ for SASL configuration.</p>
+ <ol>
+ <li><h5><a id="security_jaas_broker"
+ href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
+
+ <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
+ KafkaServer/Broker. This section provides SASL configuration options
+ for the broker including any SASL client connections made by the broker
+ for inter-broker communication. If multiple listeners are configured to use
+ SASL, the section name may be prefixed with the listener name in lower-case
+ followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
+
+ <p><tt>Client</tt> section is used to authenticate a SASL connection with
+ zookeeper. It also allows the brokers to set SASL ACL on zookeeper
+ nodes which locks these nodes down so that only the brokers can
+ modify it. It is necessary to have the same principal name across all
+ brokers. If you want to use a section name other than Client, set the
+ system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
+ name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
+
+ <p>ZooKeeper uses "zookeeper" as the service name by default. If you
+ want to change this, set the system property
+ <tt>zookeeper.sasl.client.username</tt> to the appropriate name
+ (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
+
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
Review comment:
It was missing, good spot
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640515305
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
+ The property name must be prefixed with the listener prefix including the SASL mechanism,
+ i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
+ login module may be specified in the config value. If multiple mechanisms are configured on a
+ listener, configs must be provided for each mechanism using the listener and mechanism prefix.
+ For example,
Review comment:
Actually, it seems the above paragraphs should be indented to the right, there are several nested `<ol>` and `<li>` and `<p>` that didn't follow indentation.
I'm fixing these now.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] cadonna commented on pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
cadonna commented on pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#issuecomment-852043836
The test failures are unrelated since this is a pure doc change.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] cadonna commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
cadonna commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640479762
##########
File path: docs/security.html
##########
@@ -208,25 +208,25 @@ <h5>Host Name Verification</h5>
Then create a database and serial number file, these will be used to keep track of which certificates were signed with this CA. Both of
these are simply text files that reside in the same directory as your CA keys.
- <pre class="line-numbers"><code class="language-bash">echo 01 > serial.txt
+ <pre class="line-numbers"><code class="language-bash">> echo 01 > serial.txt
touch index.txt</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -384,16 +384,16 @@ <h5>SSL key and certificates in PEM format</h5>
ssl.key.password=test1234</code></pre>
Other configuration settings that may also be needed depending on our requirements and the broker configuration:
- <ol>
- <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
- <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
- <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
- <li>ssl.truststore.type=JKS</li>
- <li>ssl.keystore.type=JKS</li>
- </ol>
- <br>
+ <ol>
+ <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
+ <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
+ <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
+ <li>ssl.truststore.type=JKS</li>
+ <li>ssl.keystore.type=JKS</li>
+ </ol>
+ <br>
Examples using console-producer and console-consumer:
- <pre class="line-numbers"><code class="language-bash">kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
+ <pre class="line-numbers"><code class="language-bash">> kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -47,7 +47,7 @@ <h3 class="anchor-heading"><a id="security_ssl" class="anchor-link"></a><a href=
The tool supports two different keystore formats, the Java specific jks format which has been deprecated by now, as well as PKCS12.
PKCS12 is the default format as of Java version 9, to ensure this format is being used regardless of the Java version in use all following
commands explicitly specify the PKCS12 format.
- <pre class="line-numbers"><code class="language-bash">keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
Review comment:
Now I saw that it has been already used further down. I fine with keeping it to distingiush better between configs and commands. However, I found some places where `>` is still missing (see further down).
##########
File path: docs/security.html
##########
@@ -47,7 +47,7 @@ <h3 class="anchor-heading"><a id="security_ssl" class="anchor-link"></a><a href=
The tool supports two different keystore formats, the Java specific jks format which has been deprecated by now, as well as PKCS12.
PKCS12 is the default format as of Java version 9, to ensure this format is being used regardless of the Java version in use all following
commands explicitly specify the PKCS12 format.
- <pre class="line-numbers"><code class="language-bash">keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
Review comment:
I am wondering if it is a good idea to add `>` in front of the commands. It is something additional users need to remove when they copy & paste the commands.
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix including the SASL mechanism,
- i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
- login module may be specified in the config value. If multiple mechanisms are configured on a
- listener, configs must be provided for each mechanism using the listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
+ The property name must be prefixed with the listener prefix including the SASL mechanism,
+ i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
+ login module may be specified in the config value. If multiple mechanisms are configured on a
+ listener, configs must be provided for each mechanism using the listener and mechanism prefix.
+ For example,
Review comment:
Why the indentation here? It should be on the same level as the previous paragraph, right?
##########
File path: docs/security.html
##########
@@ -237,10 +237,10 @@ <h5>Host Name Verification</h5>
</li>
<li><h4 class="anchor-heading"><a id="security_ssl_signing" class="anchor-link"></a><a href="#security_ssl_signing">Signing the certificate</a></h4>
Then sign it with the CA:
- <pre class="line-numbers"><code class="language-bash">openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out {server certificate} -infiles {certificate signing request}</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out {server certificate} -infiles {certificate signing request}</code></pre>
Finally, you need to import both the certificate of the CA and the signed certificate into the keystore:
- <pre class="line-numbers"><code class="language-bash">keytool -keystore {keystore} -alias CARoot -import -file {CA certificate}
+ <pre class="line-numbers"><code class="language-bash">> keytool -keystore {keystore} -alias CARoot -import -file {CA certificate}
keytool -keystore {keystore} -alias localhost -import -file cert-signed</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -443,134 +443,133 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
user_admin="admin-secret" \
user_alice="alice-secret";</code></pre>
- If JAAS configuration is defined at different levels, the order of precedence used is:
- <ul>
- <li>Broker configuration property <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code></li>
- <li><code>{listenerName}.KafkaServer</code> section of static JAAS configuration</code></li>
- <li><code>KafkaServer</code> section of static JAAS configuration</code></li>
- </ul>
- Note that ZooKeeper JAAS config may only be configured using static JAAS configuration.
-
- <p>See <a href="#security_sasl_kerberos_brokerconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_brokerconfig">PLAIN</a>,
- <a href="#security_sasl_scram_brokerconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_brokerconfig">OAUTHBEARER</a> for example broker configurations.</p></li>
-
- </li>
- <li><h5><a id="security_jaas_client"
- href="#security_jaas_client">JAAS configuration for Kafka clients</a></h5>
-
- <p>Clients may configure JAAS using the client configuration property
- <a href="#security_client_dynamicjaas">sasl.jaas.config</a>
- or using the <a href="#security_client_staticjaas">static JAAS config file</a>
- similar to brokers.</p>
-
- <ol>
- <li><h6><a id="security_client_dynamicjaas"
- href="#security_client_dynamicjaas">JAAS configuration using client configuration property</a></h6>
- <p>Clients may specify JAAS configuration as a producer or consumer property without
- creating a physical configuration file. This mode also enables different producers
- and consumers within the same JVM to use different credentials by specifying
- different properties for each client. If both static JAAS configuration system property
- <code>java.security.auth.login.config</code> and client property <code>sasl.jaas.config</code>
- are specified, the client property will be used.</p>
-
- <p>See <a href="#security_sasl_kerberos_clientconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a> for example configurations.</p></li>
-
- <li><h6 class="anchor-heading"><a id="security_client_staticjaas" class="anchor-link"></a><a href="#security_client_staticjaas">JAAS configuration using static config file</a></h6>
- To configure SASL authentication on the clients using static JAAS config file:
- <ol>
- <li>Add a JAAS config file with a client login section named <tt>KafkaClient</tt>. Configure
- a login module in <tt>KafkaClient</tt> for the selected mechanism as described in the examples
- for setting up <a href="#security_sasl_kerberos_clientconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a>.
- For example, <a href="#security_sasl_gssapi_clientconfig">GSSAPI</a>
- credentials may be configured as:
- <pre class="line-numbers"><code class="language-text">KafkaClient {
+ If JAAS configuration is defined at different levels, the order of precedence used is:
Review comment:
Also this indentation do not seem to align to the previous section header `JAAS configuration for Kafka brokers`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] jlprat commented on a change in pull request #10770: MINOR: fix code listings security.html
Posted by GitBox <gi...@apache.org>.
jlprat commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640512166
##########
File path: docs/security.html
##########
@@ -47,7 +47,7 @@ <h3 class="anchor-heading"><a id="security_ssl" class="anchor-link"></a><a href=
The tool supports two different keystore formats, the Java specific jks format which has been deprecated by now, as well as PKCS12.
PKCS12 is the default format as of Java version 9, to ensure this format is being used regardless of the Java version in use all following
commands explicitly specify the PKCS12 format.
- <pre class="line-numbers"><code class="language-bash">keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> keytool -keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg RSA -storetype pkcs12</code></pre>
Review comment:
The examples present in the documentation, use more frequently the `>` character when showing commands. Sometimes a `$` is shown, and really occasionally nothing is put in there.
As `>` was the most common used one already in the codebase, I decided to unify on this character.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org