Posted to dev@kafka.apache.org by "Richard Wise (Jira)" <ji...@apache.org> on 2019/12/05 01:30:00 UTC
[jira] [Created] (KAFKA-9269) Warn if security.protocol does not match security configuration
Richard Wise created KAFKA-9269:
-----------------------------------
Summary: Warn if security.protocol does not match security configuration
Key: KAFKA-9269
URL: https://issues.apache.org/jira/browse/KAFKA-9269
Project: Kafka
Issue Type: Improvement
Components: clients
Affects Versions: 2.0.1
Reporter: Richard Wise
I find it non-intuitive to have to set the security.protocol to "SSL" when I have already configured all the SSL security parameters (e.g. keystore location etc.).
Example (using Spring Boot autoconfig, but also applicable using .properties files or setting the properties programmatically):
{code:java}
kafka:
  consumer:
    bootstrap-servers: <server>
    key-serializer: org.apache.kafka.common.serialization.StringSerializer
    value-serializer: org.apache.kafka.common.serialization.StringSerializer
    ssl:
      truststore-location: <trust store location>
      truststore-password: <password>
    properties:
      security.protocol: SSL
{code}
If I forget to set the security.protocol, it defaults to "PLAINTEXT" and therefore fails the SSL handshake. This indicates that there is an issue with my SSL configuration (locations or passwords), so I enable SSL debugging, only to see no logs. Finally I realise that it is not even trying to use SSL.
One solution would be to warn if any security settings are configured that are unused given the security protocol configured (so in this example, it would warn me that my ssl.truststore properties will be ignored).
Another solution is to automatically infer the security protocol to use based on the settings provided, given that it seems as though you can infer the security protocol to use (plaintext, ssl, sasl or sasl+ssl) based on the settings defined.
I believe that making this change will improve the usability of security in Kafka clients and avoid confusion when trying to debug security issues.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
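
The first proposal in the report (warn about security settings that the configured protocol leaves unused) can be run as a pre-flight check on client properties. The following is an added example, not code from the original message or from the Kafka project. The class and method names are hypothetical, the sample values are constructed, and it assumes that `ssl.*` keys apply only under SSL or SASL_SSL and `sasl.*` keys only under SASL_PLAINTEXT or SASL_SSL.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.TreeSet;

// Hypothetical helper (not part of kafka-clients): reports explicitly set
// security keys that the chosen security.protocol will never read.
public class SecurityProtocolCheck {

    static List<String> findIgnoredSettings(Properties props) {
        // An unset security.protocol means the client connects as PLAINTEXT.
        String protocol = props.getProperty("security.protocol", "PLAINTEXT")
                .trim().toUpperCase(Locale.ROOT); // compare case-insensitively
        boolean usesSsl = protocol.equals("SSL") || protocol.equals("SASL_SSL");
        boolean usesSasl = protocol.startsWith("SASL_");

        List<String> warnings = new ArrayList<>();
        // TreeSet keeps the report in a stable, sorted order.
        for (String key : new TreeSet<>(props.stringPropertyNames())) {
            boolean ignoredSsl = key.startsWith("ssl.") && !usesSsl;
            boolean ignoredSasl = key.startsWith("sasl.") && !usesSasl;
            if (ignoredSsl || ignoredSasl) {
                warnings.add(key + " is set but will be ignored with security.protocol="
                        + protocol);
            }
        }
        return warnings;
    }

    public static void main(String[] args) {
        // Constructed sample: truststore configured, security.protocol forgotten.
        Properties props = new Properties();
        props.setProperty("bootstrap.servers", "broker.example.internal:9093");
        props.setProperty("ssl.truststore.location", "/path/to/truststore.jks");
        props.setProperty("ssl.truststore.password", "placeholder-password");
        for (String warning : findIgnoredSettings(props)) {
            System.out.println("WARN " + warning);
        }

        // Setting the protocol makes the ssl.* keys effective, so nothing is reported.
        props.setProperty("security.protocol", "SSL");
        System.out.println("warnings after setting SSL: "
                + findIgnoredSettings(props).size());
    }
}
```

A non-empty result is worth failing a deployment check on, since it means TLS or SASL material was supplied but the client would connect without it.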