[
https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414137#comment-17414137
]
Rajini Sivaram commented on KAFKA-13293:
----------------------------------------
[~teabot] Which client (and configs) do you use to dynamically reload JKS
keystores in clients today? As far as I understand, default implementation in
Apache Kafka supports reloading of keystores and truststores from files only
for brokers. Clients can override `ssl.engine.factory.class`, but not sure if
that is what you were referring to for dynamic reloading in clients.
> Support client reload of PEM certificates
> -----------------------------------------
>
> Key: KAFKA-13293
> URL: https://issues.apache.org/jira/browse/KAFKA-13293
> Project: Kafka
> Issue Type: Improvement
> Components: clients, security
> Affects Versions: 2.7.0, 2.8.0, 2.7.1
> Reporter: Elliot West
> Priority: Major
>
> Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as
> client configuration properties in addition to JKS file based key stores
> (KAFKA-10338). With PEM, certificate chains are passed into clients as simple
> string based key-value properties, alongside existing client configuration.
> This offers a number of benefits: it provides a JVM agnostic security
> mechanism from the perspective of clients, removes the client's dependency on
> the local filesystem, and allows the the encapsulation of the entire client
> configuration into a single payload.
> However, the current client PEM implement has a feature regression when
> compared with the JKS implementation. With the JKS approach, clients would
> automatically reload certificates when the key stores were modified on disk.
> This enables a seamless approach for the replacement of certificates when
> they are due to expire; no further configuration or explicit interference
> with the client lifecycle is needed for the client to migrate to renewed
> certificates.
> Such a capability does not currently exist for PEM. One supplies key chains
> when instantiating clients only - there is no mechanism available to either
> directly reconfigure the client, or for the client to observe changes to the
> original properties set reference used in construction. Additionally, no
> work-arounds are documented that might given users alternative strategies for
> dealing with expiring certificates. Given that expiration and renewal of
> certificates is an industry standard practice, it could be argued that the
> current PEM client implementation is not fit for purpose.
> In summary, a mechanism should be provided such that clients can
> automatically detect, load, and use updated PEM key chains from some non-file
> based source (object ref, method invocation, listener, etc.)
> Finally, It is suggested that in the short-term Kafka documentation be
> updated to describe any viable mechanism for updating client PEM certs
> (perhaps closing existing client and then recreating?).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
