[
https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Elliot West updated KAFKA-13293:
--------------------------------
Description:
Producer/Consumer clients do not currently automatically reload certificates
when the key stores were modified, or certificates expire. Currently one
supplies key chains when instantiating clients only - there is no mechanism
available to either directly reconfigure the client, or for the client to
observe changes to the original properties set reference used in construction.
Additionally, no work-arounds are documented that might given users alternative
strategies for dealing with expiring certificates.
Given that expiration and renewal of certificates is an industry standard
practice, it could be argued that the current client certificate implementation
is not fit for purpose. A mechanism should be provided such that clients can
automatically detect, load, and use updated key chains from some abstracted
source.
Finally, It is suggested that in the short-term Kafka documentation be updated
to describe any viable mechanism for updating client certs (perhaps closing
existing client and then recreating?).
was:
Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as
client configuration properties in addition to JKS file based key stores
(KAFKA-10338). With PEM, certificate chains are passed into clients as simple
string based key-value properties, alongside existing client configuration.
This offers a number of benefits: it provides a JVM agnostic security mechanism
from the perspective of clients, removes the client's dependency on the local
filesystem, and allows the the encapsulation of the entire client configuration
into a single payload.
However, the current client PEM implement has a feature regression when
compared with the JKS implementation. With the JKS approach, clients would
automatically reload certificates when the key stores were modified on disk.
This enables a seamless approach for the replacement of certificates when they
are due to expire; no further configuration or explicit interference with the
client lifecycle is needed for the client to migrate to renewed certificates.
Such a capability does not currently exist for PEM. One supplies key chains
when instantiating clients only - there is no mechanism available to either
directly reconfigure the client, or for the client to observe changes to the
original properties set reference used in construction. Additionally, no
work-arounds are documented that might given users alternative strategies for
dealing with expiring certificates. Given that expiration and renewal of
certificates is an industry standard practice, it could be argued that the
current PEM client implementation is not fit for purpose.
In summary, a mechanism should be provided such that clients can automatically
detect, load, and use updated PEM key chains from some non-file based source
(object ref, method invocation, listener, etc.)
Finally, It is suggested that in the short-term Kafka documentation be updated
to describe any viable mechanism for updating client PEM certs (perhaps closing
existing client and then recreating?).
> Support client reload of JKS/PEM certificates
> ---------------------------------------------
>
> Key: KAFKA-13293
> URL: https://issues.apache.org/jira/browse/KAFKA-13293
> Project: Kafka
> Issue Type: Improvement
> Components: clients, security
> Affects Versions: 2.7.0, 2.8.0, 2.7.1
> Reporter: Elliot West
> Priority: Major
>
> Producer/Consumer clients do not currently automatically reload certificates
> when the key stores were modified, or certificates expire. Currently one
> supplies key chains when instantiating clients only - there is no mechanism
> available to either directly reconfigure the client, or for the client to
> observe changes to the original properties set reference used in
> construction. Additionally, no work-arounds are documented that might given
> users alternative strategies for dealing with expiring certificates.
> Given that expiration and renewal of certificates is an industry standard
> practice, it could be argued that the current client certificate
> implementation is not fit for purpose. A mechanism should be provided such
> that clients can automatically detect, load, and use updated key chains from
> some abstracted source.
> Finally, It is suggested that in the short-term Kafka documentation be
> updated to describe any viable mechanism for updating client certs (perhaps
> closing existing client and then recreating?).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
