Posted to users@kafka.apache.org by Linyuxin <li...@huawei.com> on 2016/03/21 04:18:12 UTC

For SSL config, Any way to avoid the cleartext passwords?

Hi All,
Kafka 0.9.0 supports SSL.
And in the document, the passwords in the SSL config are cleartext passwords.
e.g.
        ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
        ssl.keystore.password=test1234
        ssl.key.password=test1234
        ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
        ssl.truststore.password=test1234
Is there any way to avoid this "test1234" cleartext in the file?
Like some encryption?

Re: For SSL config, Any way to avoid the cleartext passwords?

Posted by Linyuxin <li...@huawei.com>.
Hi Adam,
What do you mean by "app read password from xxx"?
Doesn't Kafka read the server.properties?
So, is there any way to let Kafka read an encryption?
I don't want to put a cleartext password in the Kafka property config file.

-----Original Message-----
From: Adam Kunicki [mailto:adam@streamsets.com]
Sent: March 21, 2016 11:45
To: users@kafka.apache.org
Subject: Re: For SSL config, Any way to avoid the cleartext passwords?

One option is that your application could read the password from an access restricted file (e.g. owner read/write only) or retrieve it from a credentials server (e.g. hadoop kms, hashicorp vault)

For what it's worth, Java keystore passwords are pretty useless anyway and keystores can be read without even knowing it as demonstrated in this code
snippet:

https://gist.github.com/zach-klippenstein/4631307


On Sun, Mar 20, 2016 at 8:18 PM, Linyuxin <li...@huawei.com> wrote:

> Hi All,
> Kafka 0.9.0 supports SSL.
> And in the document, the passwords in the SSL config are cleartext passwords.
> e.g.
>         ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
>         ssl.keystore.password=test1234
>         ssl.key.password=test1234
>         ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
>         ssl.truststore.password=test1234
> Is there any way to avoid this "test1234" cleartext in the file?
> Like some encryption?
>



--
Adam Kunicki
StreamSets | Field Engineer
mobile: 415.890.DATA (3282) | linkedin <http://www.adamkunicki.com>

Re: For SSL config, Any way to avoid the cleartext passwords?

Posted by Adam Kunicki <ad...@streamsets.com>.
One option is that your application could read the password from an access
restricted file (e.g. owner read/write only) or retrieve it from a
credentials server (e.g. hadoop kms, hashicorp vault)

For what it's worth, Java keystore passwords are pretty useless anyway and
keystores can be read without even knowing it as demonstrated in this code
snippet:

https://gist.github.com/zach-klippenstein/4631307


On Sun, Mar 20, 2016 at 8:18 PM, Linyuxin <li...@huawei.com> wrote:

> Hi All,
> Kafka 0.9.0 supports SSL.
> And in the document, the passwords in the SSL config are cleartext passwords.
> e.g.
>         ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
>         ssl.keystore.password=test1234
>         ssl.key.password=test1234
>         ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
>         ssl.truststore.password=test1234
> Is there any way to avoid this "test1234" cleartext in the file?
> Like some encryption?
>



-- 
Adam Kunicki
StreamSets | Field Engineer
mobile: 415.890.DATA (3282) | linkedin <http://www.adamkunicki.com>
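
Added example (not code from this thread or from the Kafka project): one way to apply the access-restricted-file option from Adam's reply, under the assumption that the broker only takes these passwords from server.properties. The file layout and function names are hypothetical; the passwords live in an owner-only secrets file and are merged into a 0600 server.properties at start-up, so the shareable template carries none.

```python
import os
import stat

# Hypothetical helper, not a Kafka API. The three password keys are the
# ones from the server.properties excerpt quoted in the thread.
PASSWORD_KEYS = ("ssl.keystore.password", "ssl.key.password",
                 "ssl.truststore.password")


def _key(line):
    """Return the property name of a key=value line ('' for blanks/comments)."""
    text = line.strip()
    if not text or text.startswith("#") or "=" not in text:
        return ""
    return text.split("=", 1)[0].strip()


def read_secrets(path):
    """Parse key=value secrets; refuse a file that is not owner-only."""
    info = os.stat(path)
    if info.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the current user")
    if stat.S_IMODE(info.st_mode) & 0o077:
        raise PermissionError(f"{path}: group/other access set, expected 0600")
    with open(path, encoding="utf-8") as fh:
        return {_key(l): l.strip().split("=", 1)[1] for l in fh if _key(l)}


def render_properties(template_path, secrets_path, out_path):
    """Write out_path (0600): template minus password keys, plus the secrets."""
    secrets = read_secrets(secrets_path)
    missing = [k for k in PASSWORD_KEYS if k not in secrets]
    if missing:
        raise KeyError(f"secrets file lacks: {', '.join(missing)}")
    with open(template_path, encoding="utf-8") as fh:
        # Drop any password that was left behind in the shareable template.
        kept = [l.rstrip("\n") for l in fh if _key(l) not in PASSWORD_KEYS]
    kept += [f"{k}={secrets[k]}" for k in PASSWORD_KEYS]
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # tighten the mode even if the file already existed
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write("\n".join(kept) + "\n")
    return out_path
```

The rendered file still contains the passwords, which is why it is created owner-only; the same `render_properties` step could take its values from a credentials server instead of a local file.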