[jira] [Created] (KAFKA-15273) Log common name of expired client certificate

2023-07-30 Thread Eike Thaden (Jira)
Eike Thaden created KAFKA-15273:
---

 Summary: Log common name of expired client certificate
 Key: KAFKA-15273
 URL: https://issues.apache.org/jira/browse/KAFKA-15273
 Project: Kafka
  Issue Type: Improvement
  Components: clients, core, security
Affects Versions: 3.6.0
Reporter: Eike Thaden
Assignee: Eike Thaden


If a client tries to authenticate via mTLS with an expired certificate, the 
connection is closed and the IP address of the connection attempt is logged. 
However, in complex enterprise IT environments it might be very hard or even 
impossible to identify which client tried to connect if only the IP address is 
known (e.g. due to complex virtualization/containerization/NAT). This results 
in significant effort for the Kafka platform teams to identify the developers 
responsible for such a misconfigured client.

As a possible solution I propose to log the common name used in the client 
certificate in addition to the IP address. Due to security considerations, this 
should only be done if that certificate is just expired and would be valid 
otherwise (e.g. signed by a known, non-expired root/intermediate CA). The way 
Kafka should handle any valid/invalid/expired certificate must be exactly the 
same as before, except for the creation of a log message in case it is expired.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
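
One way to implement the "expired but otherwise valid" check proposed in KAFKA-15273 is sketched below as an added example; it is not code from Kafka or from the reporter. The class and method names are hypothetical. It assumes the chain is ordered leaf-first without the root and that the caller supplies the broker's trust anchors; revocation is not checked.

```java
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class ExpiredClientCertAudit {
    /**
     * Returns the leaf certificate's CN only when expiry of the leaf is the sole
     * reason the chain is rejected. Audit helper: it never changes the handshake result.
     * Assumes chain is leaf-first and omits the root; revocation is not checked here.
     */
    static Optional<String> commonNameIfOnlyExpired(X509Certificate[] chain,
                                                    Set<TrustAnchor> anchors, Date now) {
        if (chain == null || chain.length == 0) return Optional.empty();
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(now);
            return Optional.empty();                 // still valid: nothing to report
        } catch (CertificateExpiredException expired) {
            // expected case, continue below
        } catch (CertificateNotYetValidException notYet) {
            return Optional.empty();                 // a different failure, do not log the CN
        }
        try {
            // Intermediates sent by the client and the trust anchors must be valid today.
            for (int i = 1; i < chain.length; i++) chain[i].checkValidity(now);
            Set<TrustAnchor> live = new HashSet<>();
            for (TrustAnchor a : anchors) {
                X509Certificate ca = a.getTrustedCert();
                if (ca != null && !now.before(ca.getNotBefore()) && !now.after(ca.getNotAfter())) live.add(a);
            }
            // Re-validate signatures and constraints as of the leaf's last valid instant.
            PKIXParameters params = new PKIXParameters(live);   // throws if no live anchor
            params.setRevocationEnabled(false);
            params.setDate(leaf.getNotAfter());
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);
            // Chain is trusted apart from expiry: extract CN from the subject DN.
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return Optional.of(String.valueOf(rdn.getValue()));
            return Optional.empty();
        } catch (Exception untrustedOrMalformed) {
            return Optional.empty();                 // unknown issuer, bad signature, etc.
        }
    }
}
```

A caller would log the returned name next to the peer IP address only when the Optional is present, so attacker-supplied subject names from untrusted certificates never reach the log.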


[jira] [Created] (KAFKA-15235) No test coverage reports for Java due to settings for Jacoco being incompatible with Gradle 8.x

2023-07-22 Thread Eike Thaden (Jira)
Eike Thaden created KAFKA-15235:
---

 Summary: No test coverage reports for Java due to settings for 
Jacoco being incompatible with Gradle 8.x
 Key: KAFKA-15235
 URL: https://issues.apache.org/jira/browse/KAFKA-15235
 Project: Kafka
  Issue Type: Bug
  Components: unit tests
Affects Versions: 3.6.0
Reporter: Eike Thaden


On current dev branch, gradle 8.x fails while trying to generate test coverage 
reports as stated in the README, e.g. by running "./gradlew 
clients:reportCoverage -PenableTestCoverage=true -Dorg.gradle.parallel=false". 
The error message states:

"Could not set unknown property 'enabled' for Report html of type 
org.gradle.api.reporting.internal.TaskGeneratedSingleDirectoryReport"

In "build.gradle", the library "jacoco" which is used to generate test coverage 
reports for the Java code is configured in two different places with these 
settings:

jacocoTestReport {
    dependsOn tasks.test
    sourceSets sourceSets.main
    reports {
        html.enabled = true
        xml.enabled = true
        csv.enabled = false
    }
}

With the latest version of jacoco, shipped with gradle 8.x, these config 
options are not compatible anymore. A correct configuration might look like 
this:

jacocoTestReport {
    dependsOn tasks.test
    sourceSets sourceSets.main
    reports {
        html {
            required = true
        }
        xml {
            required = true
        }
        csv {
            required = false
        }
    }
}

However, even with these settings being accepted by Gradle, I was unable to 
generate any test coverage report. This might be due to some OOM issues, but I 
tried a lot of settings including increasing the maximum heap for the JVM 
gradle tasks without getting this to work.


