Posted to jira@kafka.apache.org by "Chris Egerton (Jira)" <ji...@apache.org> on 2020/02/18 21:26:00 UTC

[jira] [Created] (KAFKA-9570) SSL cannot be configured for Connect in standalone mode

Chris Egerton created KAFKA-9570:
------------------------------------

             Summary: SSL cannot be configured for Connect in standalone mode
                 Key: KAFKA-9570
                 URL: https://issues.apache.org/jira/browse/KAFKA-9570
             Project: Kafka
          Issue Type: Bug
          Components: KafkaConnect
    Affects Versions: 2.3.1, 2.4.0, 2.2.2, 2.2.1, 2.3.0, 2.1.1, 2.2.0, 2.1.0, 2.0.1, 2.0.0, 2.0.2, 2.1.2, 2.2.3, 2.5.0, 2.3.2, 2.4.1
            Reporter: Chris Egerton
            Assignee: Chris Egerton


When Connect is brought up in standalone mode, if the worker config contains _any_ properties that begin with the {{listeners.https.}} prefix, SSL will not be enabled on the worker.

This is because the relevant SSL configs are only defined in the [distributed worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260] instead of the [superclass worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java]. This, in conjunction with [a call to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42] [AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java], causes all configs not defined in the {{WorkerConfig}} used by the worker to be silently dropped when the worker configures its REST server if there is at least one config present with the {{listeners.https.}} prefix.

Unfortunately, the workaround of specifying all SSL configs without the {{listeners.https.}} prefix will also fail if any passwords need to be specified. This is because the password values in the {{Map}} returned from {{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords, but the [framework expects them to be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87]. However, if no keystore, truststore, or key passwords need to be configured, then it should be possible to work around the issue by specifying all of those configurations without a prefix (as long as they don't conflict with any other configs in that namespace).



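A check for the two conditions this issue describes, as an added example that is not part of the original report or of Kafka's code: it scans a standalone worker properties file for {{listeners.https.}}-prefixed keys and for unprefixed keystore, truststore or key passwords. The function names, finding codes and sample configs are constructed for illustration; the three password property names are the standard Kafka SSL config names.

```python
# Added example: lint a Connect standalone worker config for the KAFKA-9570 conditions.
PREFIX = "listeners.https."
# Keystore, truststore and key password settings (standard Kafka SSL config names).
PASSWORD_KEYS = {"ssl.keystore.password", "ssl.truststore.password", "ssl.key.password"}

def parse_properties(text):
    """Minimal .properties parser (assumption: no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of '=' or ':' appears first.
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if cut > 0:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def lint_standalone_worker(text):
    """Return (code, keys) findings; only key names are reported, never values."""
    props = parse_properties(text)
    findings = []
    prefixed = sorted(k for k in props if k.startswith(PREFIX))
    if prefixed:
        # Per the issue: any listeners.https.* key leaves SSL disabled in standalone mode.
        findings.append(("PREFIXED_SSL_KEYS", prefixed))
    passwords = sorted(PASSWORD_KEYS & set(props))
    if passwords:
        # Per the issue: unprefixed passwords are not parsed as passwords, so the workaround fails.
        findings.append(("UNPREFIXED_PASSWORDS", passwords))
    return findings

# Constructed sample configs (paths and values are placeholders).
PREFIXED = """\
listeners=https://localhost:8443
listeners.https.ssl.keystore.location=/etc/connect/keystore.jks
listeners.https.ssl.keystore.password=changeit
"""
UNPREFIXED_WITH_PASSWORD = """\
listeners=https://localhost:8443
ssl.keystore.location=/etc/connect/keystore.jks
ssl.keystore.password=changeit
"""
PLAIN_HTTP = "# no TLS settings\nlisteners=http://localhost:8083\n"

if __name__ == "__main__":
    for name, cfg in [("prefixed", PREFIXED), ("unprefixed", UNPREFIXED_WITH_PASSWORD), ("http", PLAIN_HTTP)]:
        print(name, lint_standalone_worker(cfg))
```

The findings only apply to workers running one of the versions listed under "Affects Versions" in standalone mode.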