Posted to jira@kafka.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/02/18 21:31:00 UTC

[jira] [Commented] (KAFKA-9570) SSL cannot be configured for Connect in standalone mode

    [ https://issues.apache.org/jira/browse/KAFKA-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039477#comment-17039477 ] 

ASF GitHub Bot commented on KAFKA-9570:
---------------------------------------

C0urante commented on pull request #8135: KAFKA-9570: Define SSL configs in all worker config classes, not just distributed
URL: https://github.com/apache/kafka/pull/8135
 
 
   [Jira](https://issues.apache.org/jira/browse/KAFKA-9570)
   
   All SSL-related configs are currently defined only in the `DistributedConfig` class, even though they are applicable for standalone mode as well (since standalone mode also supports the Connect REST API). Because of how these configs are parsed by the framework, it's currently impossible to configure Connect in standalone mode to use SSL for the REST API with a password-protected keystore, key, or truststore, and even if no password protection is required, SSL configs will not be picked up correctly by the worker if any of the worker configs start with the `listeners.https.` prefix.
   
   These changes define the relevant SSL-related configs in the parent `WorkerConfig` class, which should fix how they are picked up in standalone mode.
   
   A new unit test is added to verify that the `StandaloneConfig` picks up these configs correctly.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   
 


> SSL cannot be configured for Connect in standalone mode
> -------------------------------------------------------
>
>                 Key: KAFKA-9570
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9570
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.0.2, 2.3.0, 2.1.2, 2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.2.3, 2.5.0, 2.3.2, 2.4.1
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Major
>
> When Connect is brought up in standalone, if the worker config contains _any_ properties that begin with the {{listeners.https.}} prefix, SSL will not be enabled on the worker.
> This is because the relevant SSL configs are only defined in the [distributed worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260] instead of the [superclass worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java]. This, in conjunction with [a call to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42] [AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java], causes all configs not defined in the {{WorkerConfig}} used by the worker to be silently dropped when the worker configures its REST server if there is at least one config present with the {{listeners.https.}} prefix.
> Unfortunately, the workaround of specifying all SSL configs without the {{listeners.https.}} prefix will also fail if any passwords need to be specified. This is because the password values in the {{Map}} returned from {{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords, but the [framework expects them to be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87]. However, if no keystore, truststore, or key passwords need to be configured, then it should be possible to work around the issue by specifying all of those configurations without a prefix (as long as they don't conflict with any other configs in that namespace).
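
A check for the two failure modes described in the issue above, as an added example that is not part of the original message or of the Kafka code base: it scans a standalone worker properties file for `listeners.https.`-prefixed keys and for unprefixed SSL password keys behind an HTTPS listener. The function names, finding labels and sample configs are assumptions constructed for illustration, and the check is only meaningful for the affected versions listed in the issue.

```python
import re

PREFIX = "listeners.https."
# Kafka's SSL password settings (keystore, key, truststore).
PASSWORD_KEYS = {"ssl.keystore.password", "ssl.key.password", "ssl.truststore.password"}

# Constructed sample standalone worker configs (paths and values are placeholders).
PREFIXED = """\
listeners=https://localhost:8443
listeners.https.ssl.keystore.location=/path/to/keystore.jks
listeners.https.ssl.keystore.password=example-password
"""
UNPREFIXED_WITH_PASSWORD = """\
listeners=https://localhost:8443
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=example-password
"""
UNPREFIXED_NO_PASSWORD = """\
listeners=https://localhost:8443
ssl.truststore.location=/path/to/truststore.jks
"""


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def check_standalone_ssl(text):
    """Return (finding, keys) pairs for the two failure modes in KAFKA-9570."""
    props = parse_properties(text)
    prefixed = sorted(k for k in props if k.startswith(PREFIX))
    if prefixed:
        # Any prefixed key: the issue says SSL is not enabled on the worker.
        return [("ssl-not-enabled", prefixed)]
    https = any(u.strip().lower().startswith("https://")
                for u in props.get("listeners", "").split(","))
    passwords = sorted(k for k in props if k in PASSWORD_KEYS)
    if https and passwords:
        # Unprefixed workaround fails once a password has to be supplied.
        return [("password-not-parsed", passwords)]
    return []
```

An empty result corresponds to the workaround case in the issue: all SSL settings unprefixed and no passwords required.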


