Posted to jira@kafka.apache.org by "Chris Egerton (Jira)" <ji...@apache.org> on 2023/03/20 16:41:00 UTC

[jira] [Resolved] (KAFKA-14816) Connect loading SSL configs when contacting non-HTTPS URLs

     [ https://issues.apache.org/jira/browse/KAFKA-14816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Egerton resolved KAFKA-14816.
-----------------------------------
      Reviewer: Justine Olshan
    Resolution: Fixed

> Connect loading SSL configs when contacting non-HTTPS URLs
> ----------------------------------------------------------
>
>                 Key: KAFKA-14816
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14816
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 3.4.0
>            Reporter: Ian McDonald
>            Assignee: Chris Egerton
>            Priority: Blocker
>             Fix For: 3.5.0, 3.4.1
>
>
> Due to changes made here: [https://github.com/apache/kafka/pull/12828]
> Connect now unconditionally loads SSL configs from the worker into rest clients it uses for cross-worker communication and uses them even when issuing requests to HTTP (i.e., non-HTTPS) URLs. Previously, it would only attempt to load (and validate) SSL properties when issuing requests to HTTPS URLs. This can cause issues when a Connect cluster has stopped securing its REST API with SSL but its worker configs still contain the old (and now-invalid) SSL properties. When this happens, REST requests that hit a follower worker but need to be forwarded to the leader will fail, and connectors that perform dynamic reconfigurations via [ConnectorContext::requestTaskReconfiguration|https://kafka.apache.org/34/javadoc/org/apache/kafka/connect/connector/ConnectorContext.html#requestTaskReconfiguration()] will fail to trigger that reconfiguration if they are not running on the leader.
> In our testing environments - older versions without the linked changes pass with the following configuration, and newer versions with the changes fail:
> {{ssl.keystore.location = /mnt/security/test.keystore.jks}}
> {{ssl.keystore.password = [hidden]}}
> {{ssl.keystore.type = JKS}}
> {{ssl.protocol = TLSv1.2}}
> It's important to note that the file {{/mnt/security/test.keystore.jks}} isn't generated for our non-SSL tests; however, these configs are still included in our worker config file.
> This leads to a 500 response when hitting the create connector REST endpoint with the following error:
> bq. { "error_code":500,   "message":"Failed to start RestClient:   /mnt/security/test.keystore.jks is not a valid keystore" }
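
A minimal sketch of the difference the report describes, added here as an example; it is not Kafka's code and not taken from the linked PR. It uses only JDK classes (Java 9+); the class and method names, the leader URL and the password value are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import java.util.Optional;

public class ConditionalSslLoading {
    // Load and validate the configured keystore; throws if the file is missing or unreadable.
    static KeyStore loadKeyStore(Map<String, String> cfg) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(cfg.getOrDefault("ssl.keystore.type", "JKS"));
        char[] password = cfg.getOrDefault("ssl.keystore.password", "").toCharArray();
        try (InputStream in = new FileInputStream(cfg.get("ssl.keystore.location"))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Regressed behaviour from the report: SSL configs are loaded whatever the scheme.
    static Optional<KeyStore> sslUnconditional(Map<String, String> cfg, URI target) throws IOException, GeneralSecurityException {
        return Optional.of(loadKeyStore(cfg));
    }

    // Earlier behaviour from the report: only HTTPS targets trigger loading.
    static Optional<KeyStore> sslForHttpsOnly(Map<String, String> cfg, URI target)
            throws IOException, GeneralSecurityException {
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            return Optional.empty(); // plain HTTP: stale ssl.* entries are never touched
        }
        return Optional.of(loadKeyStore(cfg));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> cfg = Map.of( // worker SSL entries as listed in the report
            "ssl.keystore.location", "/mnt/security/test.keystore.jks",
            "ssl.keystore.password", "placeholder", // constructed value
            "ssl.keystore.type", "JKS");
        URI leader = URI.create("http://leader.example:8083/connectors"); // constructed URL
        System.out.println("https-only: ssl loaded = " + sslForHttpsOnly(cfg, leader).isPresent());
        try {
            sslUnconditional(cfg, leader);
            System.out.println("unconditional: ssl loaded");
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("unconditional: request fails before it is sent: " + e);
        }
    }
}
```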



--
This message was sent by Atlassian Jira
(v8.20.10#820010)