Chris Egerton created KAFKA-9570:
------------------------------------
Summary: SSL cannot be configured for Connect in standalone mode
Key: KAFKA-9570
URL: https://issues.apache.org/jira/browse/KAFKA-9570
Project: Kafka
Issue Type: Bug
Components: KafkaConnect
Affects Versions: 2.3.1, 2.4.0, 2.2.2, 2.2.1, 2.3.0, 2.1.1, 2.2.0, 2.1.0,
2.0.1, 2.0.0, 2.0.2, 2.1.2, 2.2.3, 2.5.0, 2.3.2, 2.4.1
Reporter: Chris Egerton
Assignee: Chris Egerton
When Connect is brought up in standalone mode, if the worker config contains
_any_ properties that begin with the {{listeners.https.}} prefix, SSL will not
be enabled on the worker.

This is because the relevant SSL configs are only defined in the
[distributed worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260]
instead of the
[superclass worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java].
This, in conjunction with
[a call to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42]
[AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java],
causes all configs not defined in the {{WorkerConfig}} used by the worker to
be silently dropped when the worker configures its REST server if there is at
least one config present with the {{listeners.https.}} prefix.

Unfortunately, the workaround of specifying all SSL configs without the
{{listeners.https.}} prefix will also fail if any passwords need to be
specified. This is because the password values in the {{Map}} returned from
{{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords,
but the
[framework expects them to be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87].

However, if no keystore, truststore, or key passwords need to be configured,
then it should be possible to work around the issue by specifying all of those
configurations without a prefix (as long as they don't conflict with any other
configs in that namespace).
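The two failure modes described in this report, as an added example: a simplified Python model and config lint, not Kafka's code and not part of the original issue. The function names, the {{defined_keys}} parameter and the sample worker configs are assumptions made for illustration; the dropping rule follows the report's description only.

```python
# Added illustration, not Kafka code: lint a standalone Connect worker config
# for the two failure modes described in this report.
PREFIX = "listeners.https."
# Password settings the report refers to (keystore, truststore, key).
PASSWORD_KEYS = {"ssl.keystore.password", "ssl.truststore.password",
                 "ssl.key.password"}
# Constructed sample configs; paths and passwords are placeholders.
SAMPLE_PREFIXED = """listeners=https://localhost:8443
listeners.https.ssl.keystore.location=/path/to/keystore.jks
listeners.https.ssl.keystore.password=placeholder
"""
SAMPLE_UNPREFIXED = SAMPLE_PREFIXED.replace(PREFIX, "")


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def prefixed_view(props, defined_keys):
    """Model of the prefixed case as the report describes it: once any key
    carries the prefix, only prefixed keys whose stripped name is defined in
    the worker's config definition are kept; the rest vanish silently."""
    stripped = {k[len(PREFIX):]: v for k, v in props.items()
                if k.startswith(PREFIX)}
    kept = {k: v for k, v in stripped.items() if k in defined_keys}
    dropped = sorted(PREFIX + k for k in stripped if k not in defined_keys)
    return kept, dropped


def lint_standalone(text, defined_keys=frozenset()):
    """defined_keys: SSL keys the worker config defines (assumed empty for
    standalone mode, per the report). Returns (severity, message) findings."""
    props = parse_properties(text)
    kept, dropped = prefixed_view(props, defined_keys)
    if dropped:
        return [("error", "silently dropped, SSL will not be enabled: "
                 + ", ".join(dropped))]
    bad = sorted(PASSWORD_KEYS & props.keys())
    if not kept and bad:
        return [("error", "unprefixed password not parsed as a password: "
                 + ", ".join(bad))]
    return []
```

Passing the SSL key names as {{defined_keys}} models a config definition that includes them, in which case the prefixed sample produces no findings.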