Sai Sandeep created KAFKA-8191:
----------------------------------

             Summary: Add pluggability of KeyManager to generate the broker 
Private Keys and Certificates
                 Key: KAFKA-8191
                 URL: https://issues.apache.org/jira/browse/KAFKA-8191
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 1.1.1, 1.1.0
            Reporter: Sai Sandeep
             Fix For: 1.1.1, 1.1.0
*Context:* Currently, in SslFactory.java, if the keystore is created null 
(caused by passing an empty config value to ssl.keystore.location), the default 
Sun KeyManager is used, ignoring the 'ssl.keymanager.algorithm' provided.

We need changes to fetch the KeyManager from the KeyManagerFactory based on the 
provided keymanager algorithm, populated by 'ssl.keymanager.algorithm', if the 
keystore is found empty.
*Background and Use Case:* Kafka allows users to configure a truststore and 
keystore to enable TLS connections from clients to brokers. Often this means 
that during deployment one needs to pre-provision keystores to enable clients to 
communicate with brokers on the TLS port. Most of the time users end up configuring 
a long-lived certificate, which is not good for security. Although KAFKA-4701 
introduced the reload of keystores, it is still cumbersome to distribute these 
files onto compute systems for clients.
There are several projects that allow one to distribute the certificates 
through a local agent, for example [Spiffe|https://spiffe.io/]. To take advantage 
of such systems we need changes to consider 'ssl.keymanager.algorithm' for 
KeyManagerFactory creation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
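The following is an added example, not code from the Kafka project or from the reporter, showing the contrast the issue describes in plain JSSE terms: `SSLContext.init(null, ...)` silently falls back to the provider's default KeyManager, whereas going through `KeyManagerFactory.getInstance(algorithm)` honors a configured 'ssl.keymanager.algorithm' even when no keystore is configured. The class and method names here are illustrative; the JDK's built-in factories (SunX509, PKIX) accept a null KeyStore and return a KeyManager holding no keys, which is what lets a provider-registered algorithm (for instance one backed by a local certificate agent) take over the slot.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative example (not Kafka's SslFactory): build KeyManagers strictly via
 * KeyManagerFactory.getInstance(algorithm), whether or not a keystore is present.
 */
public final class KeyManagerSelection {

    /** Mirrors 'ssl.keymanager.algorithm': an empty value means "use the JDK default". */
    static String resolveAlgorithm(String configured) {
        return (configured == null || configured.isEmpty())
                ? KeyManagerFactory.getDefaultAlgorithm()
                : configured;
    }

    /**
     * Honors the configured algorithm regardless of keystore presence.
     * keyStore may be null when ssl.keystore.location is empty; the JDK's
     * SunX509/PKIX factories accept that and yield a KeyManager without keys,
     * while a custom provider can return one that sources keys elsewhere.
     */
    static KeyManager[] createKeyManagers(String algorithm, KeyStore keyStore, char[] keyPassword)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(resolveAlgorithm(algorithm));
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    /** "Before": null KeyManagers make SSLContext use the provider default; the algorithm is never consulted. */
    static SSLContext contextIgnoringAlgorithm(TrustManager[] trustManagers)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, trustManagers, null);
        return ctx;
    }

    /** "After": KeyManagers always come from the configured algorithm. */
    static SSLContext contextHonoringAlgorithm(String algorithm, KeyStore keyStore, char[] keyPassword,
                                               TrustManager[] trustManagers)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(createKeyManagers(algorithm, keyStore, keyPassword), trustManagers, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: no keystore configured, but an algorithm is.
        // "PKIX" ships with the JDK; a provider-registered algorithm name would go here instead.
        String configuredAlgorithm = "PKIX";
        KeyManager[] kms = createKeyManagers(configuredAlgorithm, null, null);
        System.out.println("KeyManagers from '" + configuredAlgorithm + "': " + kms.length
                + " (" + kms[0].getClass().getName() + ")");

        // Default JDK trust anchors, purely so the SSLContext can be initialised for the demo.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = contextHonoringAlgorithm(configuredAlgorithm, null, null, tmf.getTrustManagers());
        System.out.println("Protocol: " + ctx.getProtocol());
    }
}
```

Running the class prints the concrete KeyManager implementation selected by the configured algorithm, which is the behaviour the issue asks for when the keystore is empty; substituting a registered provider's algorithm name (via `java.security.Security.addProvider`) is all that is needed for an agent-distributed identity to be picked up.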