KAFKA-10338; Support PEM format for SSL key and trust stores (KIP-651)#9345
rajinisivaram merged 3 commits into apache:trunk
0594fc4 to 671a2a5
retest this please
omkreddy left a comment
@rajinisivaram Thanks for the PR. LGTM.
Can we remove empty else block?
SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG => SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_DOC
SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG => SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_DOC
unused node variable here and other methods.
fixed these and few other warnings
2f229f1 to 19b83fa
@omkreddy Thanks for the review, have addressed the comments.
@omkreddy Thanks for the review, merging to trunk.
apache#9345) Adds support for SSL key and trust stores to be specified in PEM format either as files or directly as configuration values. Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>
* commit '2804257fe221f37e5098bd': (67 commits)
  KAFKA-10562: Properly invoke new StateStoreContext init (apache#9388)
  MINOR: trivial cleanups, javadoc errors, omitted StateStore tests, etc. (apache#8130)
  KAFKA-10564: only process non-empty task directories when internally cleaning obsolete state stores (apache#9373)
  KAFKA-9274: fix incorrect default value for `task.timeout.ms` config (apache#9385)
  KAFKA-10362: When resuming Streams active task with EOS, the checkpoint file is deleted (apache#9247)
  KAFKA-10028: Implement write path for feature versioning system (KIP-584) (apache#9001)
  KAFKA-10402: Upgrade system tests to python3 (apache#9196)
  KAFKA-10186; Abort transaction with pending data with TransactionAbortedException (apache#9280)
  MINOR: Remove `TargetVoters` from `DescribeQuorum` (apache#9376)
  Revert "KAFKA-10469: Resolve logger levels hierarchically (apache#9266)"
  MINOR: Don't publish javadocs for raft module (apache#9336)
  KAFKA-9929: fix: add missing default implementations (apache#9321)
  KAFKA-10188: Prevent SinkTask::preCommit from being called after SinkTask::stop (apache#8910)
  KAFKA-10338; Support PEM format for SSL key and trust stores (KIP-651) (apache#9345)
  KAFKA-10527; Voters should not reinitialize as leader in same epoch (apache#9348)
  MINOR: Refactor unit tests around RocksDBConfigSetter (apache#9358)
  KAFKA-6733: Printing additional ConsumerRecord fields in DefaultMessageFormatter (apache#9099)
  MINOR: Annotate test BlockingConnectorTest as integration test (apache#9379)
  MINOR: Fix failing test due to KAFKA-10556 PR (apache#9372)
  KAFKA-10439: Connect's Values to parse BigInteger as Decimal with zero scale. (apache#9320)
  ...
How is PEM certificate renewal possible on the producer/consumer client? Is this documented anywhere?
    else if (keyPassword == null)
        throw new InvalidConfigurationException("SSL PEM key store is specified, but key password is not specified.");
Is there an intention here to not allow a FileBasedPemStore containing an unencrypted private key when a key could be provided to PemStore with a null keyPassword?
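The condition quoted above, turned into a preflight lint for a properties file, as an added example (not code from this PR or from Kafka). The property names are Kafka's SSL settings from KIP-651; the function names, finding messages, sample configs and the inline-key hygiene rule are assumptions made for illustration.

```python
# Added example: preflight lint for Kafka properties that use a PEM key store.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----"          # unencrypted PKCS#8 label
ENC_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"  # encrypted PKCS#8 label


def parse_properties(text):
    """Small .properties reader: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1] + " "   # join with the next physical line
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_pem_keystore(props):
    """Return a list of (severity, message) for the PEM key store settings."""
    findings = []
    if props.get("ssl.keystore.type") != "PEM":
        return findings
    has_password = bool(props.get("ssl.key.password"))
    inline_key = props.get("ssl.keystore.key", "")
    if props.get("ssl.keystore.location") and not has_password:
        # Same condition as the exception quoted in the review comment.
        findings.append(("error", "PEM key store file set, ssl.key.password missing"))
    if ENC_KEY in inline_key and not has_password:
        findings.append(("error", "inline key is encrypted, ssl.key.password missing"))
    if PLAIN_KEY in inline_key:
        # Hygiene rule added here (assumption, not a Kafka check).
        findings.append(("warn", "unencrypted private key stored inline in config"))
    return findings


# Constructed sample configs; the path and key body are placeholders.
FILE_NO_PASSWORD = """
ssl.keystore.type=PEM
ssl.keystore.location=/etc/kafka/client.pem
"""
INLINE_PLAIN = """
ssl.keystore.type=PEM
ssl.keystore.key=-----BEGIN PRIVATE KEY----- \\
  PLACEHOLDER \\
  -----END PRIVATE KEY-----
"""
```
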
Was this change meant to work for the schema registry client as well? I've tried connecting to the schema registry using these settings, but it fails with a message indicating it's looking for a file still.
… On Mon, 14 Mar 2022 at 14:44, Peter Vendamere ***@***.***> wrote:
Was this change meant to work for the schema registry client as well? I've
tried connecting to the schema registry using these settings, but it fails
with a message indicating it's looking for a file still.
Hi @teabot, could you find the answer to your question? I have also faced a similar issue. More precisely, is it possible to update the certificate without requiring a restart of the broker?
Hello,
It's been quite a while since I looked at this. We ended up taking the PEM
approach into the Confluent Schema registry also (
https://medium.com/expedia-group-tech/kafka-schema-registry-pem-authentication-bb434f32f99f).
IIRC, one simply disconnects, and reconnects with the new certificate, but
it's been a while so I might be mistaken.
Elliot.
…On Sat, 27 Jan 2024 at 13:33, bachmanity1 ***@***.***> wrote:
How is PEM certificate renewal possible on the producer/consumer client?
Is this documented anywhere?
Hi @teabot <https://github.com/teabot> , could find the answer to your
question? I have also faced a similar. More precisely, is it possible to
update the certificate without requiring a restart of the broker?
Adds support for SSL key and trust stores to be specified in PEM format either as files or directly as configuration values.