Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/06/01 08:56:56 UTC

[GitHub] [kafka] cadonna commented on a change in pull request #10770: MINOR: fix code listings security.html

cadonna commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r642904792



##########
File path: docs/security.html
##########
@@ -384,56 +384,56 @@ <h5>SSL key and certificates in PEM format</h5>
 ssl.key.password=test1234</code></pre>
 
             Other configuration settings that may also be needed depending on our requirements and the broker configuration:
-                <ol>
-                    <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
-                    <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
-                    <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
-                    <li>ssl.truststore.type=JKS</li>
-                    <li>ssl.keystore.type=JKS</li>
-                </ol>
-    <br>
+            <ol>
+                <li>ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.</li>
+                <li>ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.</li>
+                <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should list at least one of the protocols configured on the broker side</li>
+                <li>ssl.truststore.type=JKS</li>
+                <li>ssl.keystore.type=JKS</li>
+            </ol>
+            <br>
             Examples using console-producer and console-consumer:
-            <pre class="line-numbers"><code class="language-bash">kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
-kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
+            <pre class="line-numbers"><code class="language-bash">&gt; kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config client-ssl.properties
+&gt; kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config client-ssl.properties</code></pre>
         </li>
     </ol>
     <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href="#security_sasl">7.3 Authentication using SASL</a></h3>
 
     <ol>
-    <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
-    <p>Kafka uses the Java Authentication and Authorization Service
-    (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
-    for SASL configuration.</p>
-        <ol>
-        <li><h5><a id="security_jaas_broker"
-            href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
-
-            <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
-            KafkaServer/Broker. This section provides SASL configuration options
-            for the broker including any SASL client connections made by the broker
-            for inter-broker communication. If multiple listeners are configured to use
-            SASL, the section name may be prefixed with the listener name in lower-case
-            followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
-
-            <p><tt>Client</tt> section is used to authenticate a SASL connection with
-            zookeeper. It also allows the brokers to set SASL ACL on zookeeper
-            nodes which locks these nodes down so that only the brokers can
-            modify it. It is necessary to have the same principal name across all
-            brokers. If you want to use a section name other than Client, set the
-            system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
-            name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
-
-            <p>ZooKeeper uses "zookeeper" as the service name by default. If you
-            want to change this, set the system property
-            <tt>zookeeper.sasl.client.username</tt> to the appropriate name
-            (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
-
-            <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
-            The property name must be prefixed with the listener prefix including the SASL mechanism,
-            i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
-            login module may be specified in the config value. If multiple mechanisms are configured on a
-            listener, configs must be provided for each mechanism using the listener and mechanism prefix.
-            For example,
+        <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig" class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS configuration</a></h4>
+            <p>Kafka uses the Java Authentication and Authorization Service
+            (<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a>)
+            for SASL configuration.</p>
+                <ol>
+                <li><h5><a id="security_jaas_broker"
+                    href="#security_jaas_broker">JAAS configuration for Kafka brokers</a></h5>
+
+                    <p><tt>KafkaServer</tt> is the section name in the JAAS file used by each
+                    KafkaServer/Broker. This section provides SASL configuration options
+                    for the broker including any SASL client connections made by the broker
+                    for inter-broker communication. If multiple listeners are configured to use
+                    SASL, the section name may be prefixed with the listener name in lower-case
+                    followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
+
+                    <p><tt>Client</tt> section is used to authenticate a SASL connection with
+                    zookeeper. It also allows the brokers to set SASL ACL on zookeeper
+                    nodes which locks these nodes down so that only the brokers can
+                    modify it. It is necessary to have the same principal name across all
+                    brokers. If you want to use a section name other than Client, set the
+                    system property <tt>zookeeper.sasl.clientconfig</tt> to the appropriate
+                    name (<i>e.g.</i>, <tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
+
+                    <p>ZooKeeper uses "zookeeper" as the service name by default. If you
+                    want to change this, set the system property
+                    <tt>zookeeper.sasl.client.username</tt> to the appropriate name
+                    (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
+
+                    <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
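Review bot: the re-indented list item `ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1` still shows TLSv1.1 and TLSv1 in the example client setting, and both versions were formally deprecated by RFC 8996. Since the line is being touched anyway, consider reducing the example to `ssl.enabled.protocols=TLSv1.2` (or to whatever versions the broker actually enables) so readers do not copy a legacy protocol list. The sentence "It should list at least one of the protocols configured on the broker side" can stay as it is.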

Review comment:
       I could not find the `</p>` for this `<p>`. 

##########
File path: docs/security.html
##########
@@ -76,7 +76,7 @@ <h5>Host Name Verification</h5>
             Server host name verification may be disabled by setting <code>ssl.endpoint.identification.algorithm</code> to an empty string.<br>
             For dynamically configured broker listeners, hostname verification may be disabled using <code>kafka-configs.sh</code>:<br>
 
-            <pre class="line-numbers"><code class="language-text">bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers --entity-name 0 --alter --add-config "listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
+            <pre class="line-numbers"><code class="language-text">&gt; bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers --entity-name 0 --alter --add-config "listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
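Review bot: the context lines above the changed `<pre>` explain how to disable host name verification but not what is lost by doing so. Consider adding a sentence after "may be disabled by setting <code>ssl.endpoint.identification.algorithm</code> to an empty string" stating that with verification off the client no longer checks that the presented certificate matches the host it connected to, so the setting should be limited to listeners or test setups where that check is deliberately not required.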

Review comment:
       I think this should be `class="language-bash"` instead of `class="language-text"`.

##########
File path: docs/security.html
##########
@@ -99,7 +99,7 @@ <h5>Host Name Verification</h5>
 
 
             To add a SAN field append the following argument <code> -ext SAN=DNS:{FQDN},IP:{IPADDRESS} </code> to the keytool command:
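Review bot: in this context line the `<code>` element also begins with a space (`<code> -ext SAN=...`), so the rendered argument carries leading whitespace as well as the trailing space. When cleaning up the element, drop both so it reads `<code>-ext SAN=DNS:{FQDN},IP:{IPADDRESS}</code>`.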

Review comment:
       ```suggestion
               To add a SAN field append the following argument <code> -ext SAN=DNS:{FQDN},IP:{IPADDRESS}</code> to the keytool command:
       ```

##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl" class="anchor-link"></a><a href
             <tt>zookeeper.sasl.client.username</tt> to the appropriate name
             (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
 
-            <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
-            The property name must be prefixed with the listener prefix including the SASL mechanism,
-            i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
-            login module may be specified in the config value. If multiple mechanisms are configured on a
-            listener, configs must be provided for each mechanism using the listener and mechanism prefix.
-            For example,
+                    <p>Brokers may also configure JAAS using the broker configuration property <code>sasl.jaas.config</code>.
+                        The property name must be prefixed with the listener prefix including the SASL mechanism,
+                        i.e. <code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>. Only one
+                        login module may be specified in the config value. If multiple mechanisms are configured on a
+                        listener, configs must be provided for each mechanism using the listener and mechanism prefix.
+                        For example,
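Review bot: the unchanged context lines directly above still mark up property names with `<tt>` (`<tt>zookeeper.sasl.client.username</tt>`), while the re-indented paragraph uses `<code>` (`<code>sasl.jaas.config</code>`). `<tt>` is obsolete in HTML5, and since this PR is already cleaning up the listings in this file, consider converting the `<tt>` elements in this section to `<code>` so inline identifiers render consistently.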

Review comment:
       I think we misunderstood each other. The line that starts with `The property name ...` should be aligned with `<p>Brokers may also ...`. I am also fine if you do not fix that. I think it is understandable and I see that the indentation is not really consistent in this file.



