All the security configs can be dynamically configured for new listeners.
In the initial implementation, only some configs will be dynamically
updatable for existing listeners (e.g. SSL keystores). Support for updating
other security configs dynamically for existing listeners will be added
later.

https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=74687608#content/view/74687608


Maybe not supported yet?



On Fri, Jun 4, 2021, 10:49 Ran Lupovich <ranlupov...@gmail.com> wrote:

> Thanks for checking... is there a way for you to check if this behavior is
> for "already connected clients" and check only what happens to "new
> connections"?
>
> On Fri, Jun 4, 2021, 10:47 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>
>> Neither listener specific nor ssl.client.auth is working dynamically
>>
>> On Fri, Jun 4, 2021, 13:04 Ran Lupovich <ranlupov...@gmail.com> wrote:
>>
>> > And not* to specific listener
>> >
>> > On Fri, Jun 4, 2021, 10:30 Ran Lupovich <ranlupov...@gmail.com> wrote:
>> >
>> > > According to documentation it is dynamic and should work, though it is
>> > > "general" ssl.auth of the entire broker setting and to specific listener as
>> > > you are trying out, but the logic says it should work the same... besides
>> > > that I do not have anything smart to suggest, the only understanding we
>> > > need is if specific listener config is dynamically changeable and when it
>> > > takes place? New connections? Do all your clients fully disconnect and
>> > > reconnect to that listener?
>> > >
>> > > On Fri, Jun 4, 2021, 10:25 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>> > >
>> > >> Yes, restarting Kafka solves the problem, but as it is dynamic there is
>> > >> no need to restart Kafka, right?
>> > >>
>> > >> On Fri, Jun 4, 2021, 12:13 Ran Lupovich <ranlupov...@gmail.com> wrote:
>> > >>
>> > >> > Restarting the broker solves the problem? Do your clients fully
>> > >> > disconnect and reconnect?
>> > >> >
>> > >> > On Fri, Jun 4, 2021, 09:24 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>> > >> >
>> > >> > > Hi Ran,
>> > >> > >
>> > >> > > Thank you so much for the help, but I had already gone through the
>> > >> > > documentation, and despite doing the same thing it is not working;
>> > >> > > we are not getting any client certificate request as such. Is there
>> > >> > > anything I am missing in executing the command, or do we need to
>> > >> > > restart the brokers, or is there anything else we need to do?
>> > >> > >
>> > >> > > Thanks & Regards
>> > >> > > Anjali
>> > >> > >
>> > >> > > On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
>> > >> > >
>> > >> > > > Adding this information that supports your assumptions that it should
>> > >> > > > be dynamically supported. Notice the update mode -
>> > >> > > >
>> > >> > > > Dynamic Update Mode option in Broker Configurations
>> > >> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers>
>> > >> > > > for the update mode of each broker configuration.
>> > >> > > >
>> > >> > > >    - read-only: Requires a broker restart for update.
>> > >> > > >    - per-broker: May be updated dynamically for each broker.
>> > >> > > >    - cluster-wide: May be updated dynamically as a cluster-wide default.
>> > >> > > >      May also be updated as a per-broker value for testing
>> > >> > > >
>> > >> > > > ssl.client.auth
>> > >> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>
>> > >> > > >
>> > >> > > > Configures kafka broker to request client authentication. The following
>> > >> > > > settings are common:
>> > >> > > >
>> > >> > > >    - ssl.client.auth=required If set to required client authentication
>> > >> > > >      is required.
>> > >> > > >    - ssl.client.auth=requested This means client authentication is
>> > >> > > >      optional. unlike required, if this option is set client can choose
>> > >> > > >      not to provide authentication information about itself
>> > >> > > >    - ssl.client.auth=none This means client authentication is not needed.
>> > >> > > >
>> > >> > > > Type: string
>> > >> > > > Default: none
>> > >> > > > Valid Values: [required, requested, none]
>> > >> > > > Importance: medium
>> > >> > > > Update Mode: per-broker
>> > >> > > >
>> > >> > > > On Fri, Jun 4, 2021, 08:30 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>> > >> > > >
>> > >> > > > > Dear All,
>> > >> > > > >
>> > >> > > > > When trying to configure mTLS without restarting the brokers it is
>> > >> > > > > not working.
>> > >> > > > > For mutual TLS "ssl.client.auth" should be set to "required". So, if
>> > >> > > > > we are trying to do the dynamic update using the below command
>> > >> > > > >
>> > >> > > > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
>> > >> > > > > --entity-type brokers --entity-name 117373 --alter --add-config
>> > >> > > > > listener.name.app.ssl.client.auth=required
>> > >> > > > > Completed updating config for broker 117373.
>> > >> > > > >
>> > >> > > > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
>> > >> > > > > --entity-type brokers --entity-name 117373 --describe
>> > >> > > > > Dynamic configs for broker 117373 are:
>> > >> > > > >   listener.name.app.ssl.client.auth=required sensitive=false
>> > >> > > > >   synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required,
>> > >> > > > >   STATIC_BROKER_CONFIG:ssl.client.auth=none,
>> > >> > > > >   DEFAULT_CONFIG:ssl.client.auth=none}
>> > >> > > > >
>> > >> > > > > Dynamic command execution is successful, but in the captured tcpdump
>> > >> > > > > (pcap) "Certificate Request" is not sent from the server.
>> > >> > > > >
>> > >> > > > > But if we alter manually and restart Kafka we can see "Certificate
>> > >> > > > > Request" from the server in tcpdump.
>> > >> > > > >
>> > >> > > > > Please help in resolving the dynamic update of altering
>> > >> > > > > "ssl.client.auth=Required"
>> > >> > > > >
>> > >> > > > > Pcap image is attached
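Ran's question above, whether the changed ssl.client.auth is applied to new connections, can be answered without a pcap. The following is an added example, not code from the thread: it opens a fresh TLS connection to the listener with `openssl s_client -msg` and reports whether the broker sent a CertificateRequest handshake message. Host and port are assumptions, and the sample transcripts are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from this thread. Checks whether a TLS listener asks for a
# client certificate on a fresh connection, i.e. whether the server sends a
# CertificateRequest handshake message. `openssl s_client -msg` prints one line
# per handshake message (ServerHello, Certificate, CertificateRequest, ...),
# so the check does not depend on a packet capture. Host and port are assumptions.
set -u

# Classify captured `openssl s_client -msg` output read from stdin.
# Prints: requested     - server sent CertificateRequest (client auth is on)
#         not-requested - server completed its handshake flight without asking
#         unknown       - no usable handshake (refused, wrong port, plaintext)
classify_handshake() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'CertificateRequest'; then
    echo requested
  elif printf '%s\n' "$out" | grep -Eq 'ServerHelloDone|Finished'; then
    echo not-requested
  else
    echo unknown
  fi
}

# Open a new connection to host:port and classify it. Only new connections
# matter here: a dynamic ssl.client.auth change cannot alter sessions that are
# already established, so run this from a client that is not yet connected.
check_listener() {
  local host=$1 port=$2
  openssl s_client -connect "$host:$port" -msg </dev/null 2>&1 | classify_handshake
}

# Constructed sample transcripts (not real captures) that exercise the classifier:
# one from a listener that requested a client cert, one that did not.
SAMPLE_REQUIRED='<<< TLS 1.2, Handshake [length 0053], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone'
SAMPLE_NONE='<<< TLS 1.3, Handshake [length 0010], Finished'

# Usage: ./check_client_auth.sh <broker-host> <ssl-port>
if [ "$#" -eq 2 ]; then
  check_listener "$1" "$2"
fi
```

Run it once before and once after the kafka-configs.sh --alter, from a host that has no open connection to the broker; if the result stays not-requested, the dynamic change did not reach the listener.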
