Chris Egerton created KAFKA-9570: ------------------------------------ Summary: SSL cannot be configured for Connect in standalone mode Key: KAFKA-9570 URL: https://issues.apache.org/jira/browse/KAFKA-9570 Project: Kafka Issue Type: Bug Components: KafkaConnect Affects Versions: 2.3.1, 2.4.0, 2.2.2, 2.2.1, 2.3.0, 2.1.1, 2.2.0, 2.1.0, 2.0.1, 2.0.0, 2.0.2, 2.1.2, 2.2.3, 2.5.0, 2.3.2, 2.4.1 Reporter: Chris Egerton Assignee: Chris Egerton
When Connect is brought up in standalone, if the worker config contains _any_ properties that begin with the {{listeners.https.}} prefix, SSL will not be enabled on the worker. This is because the relevant SSL configs are only defined in the [distributed worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260] instead of the [superclass worker config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java]. This, in conjunction with [a call to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42] [AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java], causes all configs not defined in the {{WorkerConfig}} used by the worker to be silently dropped when the worker configures its REST server if there is at least one config present with the {{listeners.https.}} prefix. Unfortunately, the workaround of specifying all SSL configs without the {{listeners.https.}} prefix will also fail if any passwords need to be specified. This is because the password values in the {{Map}} returned from {{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords, but the [framework expects them to be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87]. However, if no keystore, truststore, or key passwords need to be configured, then it should be possible to work around the issue by specifying all of those configurations without a prefix (as long as they don't conflict with any other configs in that namespace). -- This message was sent by Atlassian Jira (v8.3.4#803005)