Posted to jira@kafka.apache.org by "Elliot West (Jira)" <ji...@apache.org> on 2022/02/03 16:16:00 UTC

[jira] [Comment Edited] (KAFKA-13293) Support client reload of JKS/PEM certificates

    [ https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486563#comment-17486563 ] 

Elliot West edited comment on KAFKA-13293 at 2/3/22, 4:15 PM:
--------------------------------------------------------------

FWIW we've implemented a custom {{SslEngineFactory}} here: https://github.com/apache/kafka/pull/11731

Would this be more generally useful as an interim solution? Or is there process on the dynamic client configuration work?


was (Author: teabot):
FWIW we've implemented a custom {{SslEngineFactory}} here: https://github.com/apache/kafka/pull/11731

> Support client reload of JKS/PEM certificates
> ---------------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Producer/Consumer clients do not currently automatically reload certificates when the key stores are modified, or certificates expire. Currently one supplies key chains when instantiating clients only - there is no mechanism available to either directly reconfigure the client, or for the client to observe changes to the original properties set reference used in construction. Additionally, no work-arounds are documented that might give users alternative strategies for dealing with expiring certificates. 
> Given that expiration and renewal of certificates are an industry standard practice, it could be argued that the current client certificate implementation is not fit for purpose. A mechanism should be provided such that clients can automatically detect, load, and use updated key chains from some abstracted source.
> Finally, it is suggested that in the short-term Kafka documentation be updated to describe any viable mechanism for updating client certs (perhaps closing the existing client and then recreating it?).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
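As an added illustration of the interim approach the comment mentions (a custom `SslEngineFactory` plugged in through the client's `ssl.engine.factory.class` setting), the class below reloads JKS key and trust stores from disk whenever their files change, so a renewed certificate is used by new connections without closing and recreating the producer or consumer. It is example code written for this note, not the code from PR 11731 and not part of Kafka; the package and class name, the mtime-polling strategy, and the assumption that both stores are JKS files referenced by `ssl.keystore.location` / `ssl.truststore.location` are my own choices. The `SslEngineFactory` methods, the `Password` config type and `KafkaException` are Kafka's (clients 2.6+).

```java
package example; // hypothetical package; not part of Kafka or of PR 11731

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.auth.SslEngineFactory;

/**
 * Hypothetical SslEngineFactory that re-reads the JKS key store and trust store
 * whenever their files change on disk. Enable it on a client with:
 *   ssl.engine.factory.class=example.ReloadingSslEngineFactory
 */
public class ReloadingSslEngineFactory implements SslEngineFactory {
    private Path keystorePath, truststorePath;
    private char[] keystorePassword, keyPassword, truststorePassword;
    private String protocol;
    private volatile long keystoreMtime, truststoreMtime;   // mtimes the context was built from
    private volatile SSLContext sslContext;                 // last successfully built context
    private volatile KeyStore keystore, truststore;

    @Override
    public void configure(Map<String, ?> configs) {
        keystorePath = Paths.get((String) configs.get("ssl.keystore.location"));
        truststorePath = Paths.get((String) configs.get("ssl.truststore.location"));
        keystorePassword = password(configs.get("ssl.keystore.password"));
        truststorePassword = password(configs.get("ssl.truststore.password"));
        Object keyPw = configs.get("ssl.key.password");
        keyPassword = keyPw == null ? keystorePassword : password(keyPw);
        Object proto = configs.get("ssl.protocol");
        protocol = proto == null ? "TLSv1.3" : proto.toString();
        try {
            rebuild(); // fail fast at startup: a broken store must not be silently ignored
        } catch (IOException | GeneralSecurityException e) {
            throw new KafkaException("Failed to load SSL stores", e);
        }
    }

    @Override
    public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
        SSLEngine engine = currentContext().createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(endpointIdentification); // e.g. "https"
        engine.setSSLParameters(params);
        return engine;
    }

    @Override
    public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
        SSLEngine engine = currentContext().createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(false);
        return engine;
    }

    // Reloading is handled internally, so Kafka never needs to recreate this factory.
    @Override public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) { return false; }
    @Override public Set<String> reconfigurableConfigs() { return Collections.emptySet(); }
    @Override public KeyStore keystore() { return keystore; }
    @Override public KeyStore truststore() { return truststore; }
    @Override public void close() { }

    /** Cheap mtime poll on every new connection; rebuilds only when a file changed. */
    private SSLContext currentContext() {
        try {
            if (mtime(keystorePath) != keystoreMtime || mtime(truststorePath) != truststoreMtime) {
                rebuild();
            }
        } catch (IOException | GeneralSecurityException e) {
            // Half-written or momentarily missing store: keep serving the last good
            // context instead of failing connections. Replace stores atomically (rename).
        }
        return sslContext;
    }

    /** Loads both stores, builds a fresh SSLContext, then publishes it with the mtimes it came from. */
    private synchronized void rebuild() throws IOException, GeneralSecurityException {
        long ksMtime = mtime(keystorePath), tsMtime = mtime(truststorePath);
        KeyStore ks = load(keystorePath, keystorePassword);
        KeyStore ts = load(truststorePath, truststorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        keystore = ks; truststore = ts; sslContext = ctx;      // publish only after success
        keystoreMtime = ksMtime; truststoreMtime = tsMtime;
    }

    private static long mtime(Path p) throws IOException { return Files.getLastModifiedTime(p).toMillis(); }

    private static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    private static char[] password(Object v) {
        if (v == null) return null;
        return (v instanceof Password ? ((Password) v).value() : v.toString()).toCharArray();
    }
}
```

Two caveats worth keeping in mind with this style of workaround: it only affects connections opened after the files change (existing TLS sessions keep the certificate they were established with, so a rotation is not complete until the client reconnects or the broker closes idle connections), and if the mtime is recorded before the store is read, a change landing between those two steps simply triggers one extra rebuild on the next poll, which is the safe direction. The rename-based atomic replacement mentioned in the comment matters because `KeyStore.load` on a partially written file throws, and the factory deliberately keeps the previous context in that case.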