[ https://issues.apache.org/jira/browse/KAFKA-7685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17096438#comment-17096438 ]
Noa Resare commented on KAFKA-7685:
-----------------------------------
Actually, we found a solution to this that did not require any changes to
Kafka, by implementing a custom KeyStoreProvider. I will try to come up with a
proper writeup later, but briefly, you use the {{security.provider.classes}}
configuration key to specify a security provider that provides a KeyStore that
defines a new type, then we specify this new keystore type with
{{ssl.keystore.type}}.
Unfortunately, {{ssl.keystore.location}} will need to be set to a readable
file, even though it is not used by our KeyStore implementation, so we set it
to {{/dev/null}} and we set {{ssl.keystore.password}} to ignored.
> Support loading trust stores from classpath
> -------------------------------------------
>
> Key: KAFKA-7685
> URL: https://issues.apache.org/jira/browse/KAFKA-7685
> Project: Kafka
> Issue Type: Improvement
> Components: clients
> Affects Versions: 2.1.0
> Reporter: Noa Resare
> Priority: Minor
>
> Certificate pinning as well as authenticating Kafka brokers using a
> non-public CA certificate maintained inside an organisation is desirable to a
> lot of users. This can be accomplished today using the
> {{ssl.truststore.location}} configuration property. Unfortunately, this value
> is always interpreted as a filesystem path which makes distribution of such
> an alternative truststore a needlessly cumbersome process. If we had the
> ability to load a trust store from the classpath as well as from a file, the
> trust store could be shipped in a jar that could be declared as a regular
> Maven-style dependency.
> If we did this by supporting prefixing {{ssl.truststore.location}} with
> {{classpath:}} this could be a backwards compatible change, one that builds
> on prior design patterns established by, for example, the Spring project.
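An added sketch of the approach the comment describes, not Noa Resare's implementation and not Kafka project code: a provider that registers a new KeyStore type whose SPI ignores the stream opened on {{ssl.keystore.location}} and reads a PKCS12 store from the classpath instead. The class name, the type string and the resource path are assumptions, as is passing the configured password through to open the bundled store. It needs kafka-clients on the classpath for the SecurityProviderCreator interface.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.*;
import org.apache.kafka.common.security.auth.SecurityProviderCreator;

public class ClasspathStoreProvider implements SecurityProviderCreator {  // hypothetical name
    public static final String TYPE = "CLASSPATH-PKCS12";  // assumed type name for ssl.keystore.type
    static final String RESOURCE = "/pinned-store.p12";    // assumed resource path inside the jar
    @Override public Provider getProvider() {
        Provider p = new Provider("ClasspathStore", 1.0, "PKCS12 store read from the classpath") {};
        p.put("KeyStore." + TYPE, Spi.class.getName());    // maps the new type to the SPI below
        return p;
    }
    interface Op<T> { T run(KeyStore ks) throws KeyStoreException; }

    /** Read-only KeyStoreSpi that delegates to a PKCS12 store loaded from RESOURCE. */
    public static class Spi extends KeyStoreSpi {
        private KeyStore ks;
        private <T> T q(Op<T> op) {
            try { return op.run(ks); } catch (KeyStoreException e) { throw new IllegalStateException(e); }
        }
        // locationStream is whatever ssl.keystore.location points at; it is never read.
        @Override public void engineLoad(InputStream locationStream, char[] pw)
                throws IOException, NoSuchAlgorithmException, CertificateException {
            try (InputStream in = Spi.class.getResourceAsStream(RESOURCE)) {
                if (in == null) throw new FileNotFoundException("missing classpath resource " + RESOURCE);
                ks = KeyStore.getInstance("PKCS12");
                ks.load(in, pw);
            } catch (KeyStoreException e) { throw new IOException(e); }
        }
        @Override public Key engineGetKey(String a, char[] pw) throws NoSuchAlgorithmException, UnrecoverableKeyException {
            try { return ks.getKey(a, pw); } catch (KeyStoreException e) { throw new IllegalStateException(e); }
        }
        @Override public Certificate[] engineGetCertificateChain(String a) { return q(k -> k.getCertificateChain(a)); }
        @Override public Certificate engineGetCertificate(String a) { return q(k -> k.getCertificate(a)); }
        @Override public Date engineGetCreationDate(String a) { return q(k -> k.getCreationDate(a)); }
        @Override public Enumeration<String> engineAliases() { return q(KeyStore::aliases); }
        @Override public boolean engineContainsAlias(String a) { return q(k -> k.containsAlias(a)); }
        @Override public int engineSize() { return q(KeyStore::size); }
        @Override public boolean engineIsKeyEntry(String a) { return q(k -> k.isKeyEntry(a)); }
        @Override public boolean engineIsCertificateEntry(String a) { return q(k -> k.isCertificateEntry(a)); }
        @Override public String engineGetCertificateAlias(Certificate c) { return q(k -> k.getCertificateAlias(c)); }
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) { throw new UnsupportedOperationException(); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) { throw new UnsupportedOperationException(); }
        @Override public void engineDeleteEntry(String a) { throw new UnsupportedOperationException(); }
        @Override public void engineStore(OutputStream o, char[] pw) { throw new UnsupportedOperationException(); }
    }
}
```

The same type name can be given to {{ssl.truststore.type}}, which matches the trust-store use case in the issue description. A store packaged in a jar is readable by anyone who holds the jar, so it suits CA or pinned certificates rather than private keys.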