Posted to dev@kafka.apache.org by "Richard Wise (Jira)" <ji...@apache.org> on 2019/12/05 01:30:00 UTC

[jira] [Created] (KAFKA-9269) Warn if security.protocol does not match security configuration

Richard Wise created KAFKA-9269:
-----------------------------------

             Summary: Warn if security.protocol does not match security configuration
                 Key: KAFKA-9269
                 URL: https://issues.apache.org/jira/browse/KAFKA-9269
             Project: Kafka
          Issue Type: Improvement
          Components: clients
    Affects Versions: 2.0.1
            Reporter: Richard Wise


I find it non-intuitive to have to set the security.protocol to "SSL" when I have already configured all the SSL security parameters (e.g. keystore location etc.).

Example (using Spring Boot autoconfig, but also applicable using .properties files or setting the properties programmatically):
{code:java}
kafka:
  consumer:
    bootstrap-servers: <server>
    key-serializer: org.apache.kafka.common.serialization.StringSerializer
    value-serializer: org.apache.kafka.common.serialization.StringSerializer
    ssl:
      truststore-location: <trust store location>
      truststore-password: <password>
    properties:
      security.protocol: SSL
{code}

If I forget to set the security.protocol, it defaults to "PLAINTEXT" and therefore fails the SSL handshake. This indicates that there is an issue with my SSL configuration (locations or passwords), so I enable SSL debugging, only to see no logs. Finally I realise that it is not even trying to use SSL.

 

One solution would be to warn if any security settings are configured that are unused given the security protocol configured (so in this example, it would warn me that my ssl.truststore properties will be ignored).

 

Another solution is to automatically infer the security protocol to use based on the settings provided, given that it seems as though you can infer the security protocol to use (plaintext, ssl, sasl or sasl+ssl) based on the settings defined.

I believe that making this change will improve the usability of security in Kafka clients and avoid confusion when trying to debug security issues.
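
Added example (not part of the original issue and not Kafka client code): a small lint that covers both proposals above, warning about explicitly set ssl.* / sasl.* properties that the effective security.protocol ignores and reporting the protocol those settings imply. The function names are hypothetical, the sample properties are constructed, and it assumes the client's security settings are exactly the keys under the ssl. and sasl. prefixes.

```python
# Setting-name prefix -> security.protocol values that actually read those settings.
USED_BY = {"ssl.": {"SSL", "SASL_SSL"}, "sasl.": {"SASL_PLAINTEXT", "SASL_SSL"}}
DEFAULT_PROTOCOL = "PLAINTEXT"  # default the issue describes


def parse_properties(text):
    """Parse simple key=value lines; blank lines and comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def infer_protocol(props):
    """Second proposal: derive the protocol from the setting families present."""
    has_ssl = any(k.startswith("ssl.") for k in props)
    has_sasl = any(k.startswith("sasl.") for k in props)
    if has_sasl:
        return "SASL_SSL" if has_ssl else "SASL_PLAINTEXT"
    return "SSL" if has_ssl else "PLAINTEXT"


def check_security_config(props):
    """First proposal: one warning per explicitly set key the protocol ignores."""
    protocol = props.get("security.protocol", DEFAULT_PROTOCOL).upper()
    warnings = []
    for key in sorted(props):
        for prefix, protocols in USED_BY.items():
            if key.startswith(prefix) and protocol not in protocols:
                # Name the key only; never echo values such as passwords.
                warnings.append(f"{key} is set but ignored: security.protocol={protocol} "
                                f"(settings imply {infer_protocol(props)})")
    return warnings


# Constructed sample: the issue's scenario, truststore set, security.protocol missing.
SAMPLE = """\
bootstrap.servers=broker.example.test:9093
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
"""

if __name__ == "__main__":
    for warning in check_security_config(parse_properties(SAMPLE)):
        print("WARN", warning)
```

The inferred protocol is only reported as a hint and never applied, so a missing setting cannot silently change whether the connection is encrypted.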


