[ https://issues.apache.org/jira/browse/KAFKA-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Randall Hauch resolved KAFKA-9570.
----------------------------------
    Fix Version/s: 2.5.1
                   2.4.2
                   2.6.0
         Reviewer: Randall Hauch
       Resolution: Fixed

Merged to `trunk` and backported to the `2.6`, `2.5` and `2.4` branches.

> SSL cannot be configured for Connect in standalone mode
> -------------------------------------------------------
>
>                 Key: KAFKA-9570
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9570
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.0.2, 2.3.0, 2.1.2,
>                      2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.2.3, 2.5.0, 2.3.2, 2.4.1
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Major
>             Fix For: 2.6.0, 2.4.2, 2.5.1
>
>
> When Connect is brought up in standalone, if the worker config contains _any_
> properties that begin with the {{listeners.https.}} prefix, SSL will not be
> enabled on the worker.
> This is because the relevant SSL configs are only defined in the [distributed
> worker
> config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260]
> instead of the [superclass worker
> config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java].
> This, in conjunction with [a call
> to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42]
> [AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java],
> causes all configs not defined in the {{WorkerConfig}} used by the worker to
> be silently dropped when the worker configures its REST server if there is at
> least one config present with the {{listeners.https.}} prefix.
> Unfortunately, the workaround of specifying all SSL configs without the
> {{listeners.https.}} prefix will also fail if any passwords need to be
> specified. This is because the password values in the {{Map}} returned from
> {{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords,
> but the [framework expects them to
> be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87].
> However, if no keystore, truststore, or key passwords need to be configured,
> then it should be possible to work around the issue by specifying all of
> those configurations without a prefix (as long as they don't conflict with
> any other configs in that namespace).
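
An added example, not part of the Jira message or the Kafka code base: a pre-flight check that flags the two failure conditions described in the issue in a standalone worker properties file. The function names, finding labels and sample configs are constructed for illustration; the password keys are the standard Kafka SSL settings, and the version list is the issue's "Affects Versions" field.

```python
# Added example: pre-flight lint for KAFKA-9570 on a standalone Connect worker config.
AFFECTED = {"2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.2.1",
            "2.2.2", "2.2.3", "2.3.0", "2.3.1", "2.3.2", "2.4.0", "2.4.1", "2.5.0"}
PREFIX = "listeners.https."
# Kafka SSL password settings; the issue says these break the unprefixed workaround.
PASSWORD_KEYS = ("ssl.keystore.password", "ssl.truststore.password", "ssl.key.password")

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint_standalone_worker(text, version):
    """Return findings for a standalone worker config; only key names are reported."""
    if version not in AFFECTED:
        return []
    props = parse_properties(text)
    findings = []
    prefixed = sorted(k for k in props if k.startswith(PREFIX))
    if prefixed:
        # Any prefixed key triggers the all-or-nothing path, so SSL is not enabled.
        findings.append("PREFIXED_SSL_DROPPED: " + ", ".join(prefixed))
    else:
        # Unprefixed workaround: fails only when a password has to be supplied.
        passwords = [k for k in PASSWORD_KEYS if k in props]
        if passwords:
            findings.append("UNPREFIXED_PASSWORD_UNPARSED: " + ", ".join(passwords))
    return findings

# Constructed sample configs (not from the issue); paths and secrets are placeholders.
PREFIXED = """
listeners=https://0.0.0.0:8443
listeners.https.ssl.keystore.location=/path/to/keystore.jks
listeners.https.ssl.keystore.password=changeit
"""
UNPREFIXED_WITH_PASSWORD = """
listeners=https://0.0.0.0:8443
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=changeit
"""

if __name__ == "__main__":
    for name, cfg in (("prefixed", PREFIXED), ("unprefixed", UNPREFIXED_WITH_PASSWORD)):
        print(name, lint_standalone_worker(cfg, "2.4.1"))
```

An empty result on an affected version means the config uses neither the prefix nor an unprefixed password, which is the case the issue says the workaround should cover.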