Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2019/05/13 15:02:00 UTC

[jira] [Commented] (KAFKA-8336) Enable dynamic update of client-side SSL factory in brokers

    [ https://issues.apache.org/jira/browse/KAFKA-8336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16838605#comment-16838605 ] 

ASF GitHub Bot commented on KAFKA-8336:
---------------------------------------

rajinisivaram commented on pull request #6721: KAFKA-8336; Enable dynamic reconfiguration of broker's client-side certs
URL: https://github.com/apache/kafka/pull/6721
 
 
   Enable reconfiguration of SSL keystores and truststores in client-side channel builders used by brokers for the controller, transaction coordinator and replica fetchers. This enables brokers using TLS mutual authentication for the inter-broker listener to use short-lived certs that may be updated before expiry without restarting brokers.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Enable dynamic update of client-side SSL factory in brokers
> -----------------------------------------------------------
>
>                 Key: KAFKA-8336
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8336
>             Project: Kafka
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.3.0
>
>
> We currently support dynamic update of server-side keystores. This allows expired certs to be updated on brokers without a rolling restart. When mutual authentication is enabled for inter-broker communication (ssl.client.auth=required), we don't currently dynamically update client-side keystores for the controller or transaction coordinator. So a broker restart (or controller change) is required for cert update in this case. Since short-lived SSL certs are a common use case, we should enable client-side cert updates for all client connections initiated by the broker to ensure that SSL certificate expiry can be handled with dynamic config updates on brokers for all configurations.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
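Worked example of the dynamic keystore update the issue refers to, added here as an illustration and not code from the Kafka project or the issue's author. It pushes a rotated keystore to one broker listener through the AdminClient incrementalAlterConfigs API (available from Kafka 2.3) and then reads the broker config back to confirm the new location is in effect as a dynamic broker config. The listener name INTERNAL, broker id 0, the bootstrap address, the file paths and the environment variable names are assumptions made for the example.

```java
// Added example (not Kafka project code): rotate the keystore of one broker
// listener via AdminClient.incrementalAlterConfigs and verify the result.
// Listener "INTERNAL", broker id "0", paths and env var names are assumptions.
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.clients.admin.AlterConfigOp;
import org.apache.kafka.clients.admin.Config;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.config.ConfigResource;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutionException;

public class RotateBrokerKeystore {

    // Keystore configs are updatable per listener; the listener prefix (listener
    // name in lower case) keeps the change scoped to that one listener.
    static final String PREFIX = "listener.name.internal.";

    public static void main(String[] args) throws ExecutionException, InterruptedException {
        Properties props = new Properties();
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "broker0.example.internal:9093"); // assumed
        props.put(AdminClientConfig.SECURITY_PROTOCOL_CONFIG, "SSL");
        props.put("ssl.truststore.location", "/etc/kafka/tls/truststore.jks");               // assumed
        props.put("ssl.truststore.password", System.getenv("TRUSTSTORE_PASSWORD"));
        props.put("ssl.keystore.location", "/etc/kafka/tls/admin.jks");                      // admin tool's own mTLS cert, assumed
        props.put("ssl.keystore.password", System.getenv("ADMIN_KEYSTORE_PASSWORD"));
        props.put("ssl.key.password", System.getenv("ADMIN_KEY_PASSWORD"));

        String brokerId = "0";
        String newKeystore = "/etc/kafka/tls/broker0-2019-05.jks"; // freshly issued keystore, assumed path

        try (AdminClient admin = AdminClient.create(props)) {
            ConfigResource broker = new ConfigResource(ConfigResource.Type.BROKER, brokerId);

            // Location and both passwords go in one request so the broker loads
            // the new keystore atomically with the credentials that open it.
            Collection<AlterConfigOp> ops = Arrays.asList(
                set(PREFIX + "ssl.keystore.location", newKeystore),
                set(PREFIX + "ssl.keystore.password", System.getenv("BROKER_KEYSTORE_PASSWORD")),
                set(PREFIX + "ssl.key.password", System.getenv("BROKER_KEY_PASSWORD")));

            // The broker validates the new keystore before swapping it in (for the
            // inter-broker listener it must be trusted by that listener's truststore);
            // a rejected update surfaces here as an ExecutionException.
            admin.incrementalAlterConfigs(Collections.singletonMap(broker, ops)).all().get();

            // Read the per-broker config back: the value must match and its source
            // must be the dynamic per-broker config, not the static server.properties.
            Map<ConfigResource, Config> described =
                admin.describeConfigs(Collections.singleton(broker)).all().get();
            ConfigEntry entry = described.get(broker).get(PREFIX + "ssl.keystore.location");
            if (entry == null || !newKeystore.equals(entry.value())
                    || entry.source() != ConfigEntry.ConfigSource.DYNAMIC_BROKER_CONFIG) {
                throw new IllegalStateException("keystore update not applied on broker " + brokerId);
            }
            System.out.println("broker " + brokerId + " now serves " + entry.value());
        }
    }

    private static AlterConfigOp set(String name, String value) {
        return new AlterConfigOp(new ConfigEntry(name, value), AlterConfigOp.OpType.SET);
    }
}
```

The brokers need password.encoder.secret configured, since dynamic password configs are stored encrypted in ZooKeeper and the password entries are rejected without it. Before the change on this issue, an update like this refreshed only the server side of the listener: the broker's own outbound connections (controller, transaction coordinator, replica fetchers) kept authenticating with the old client certificate until a restart, so with ssl.client.auth=required on the inter-broker listener the rotation was not complete. KAFKA-8336 in 2.3.0 extends the update to those client-side channel builders as well.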