[ 
https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414227#comment-17414227
 ] 

Elliot West edited comment on KAFKA-13293 at 9/13/21, 2:16 PM:
---------------------------------------------------------------

[~rsivaram] on point 2, would that actually work for clients though? I ask 
because it seems as though the {{DefaultSslEngineFactory}} [already does 
this|https://github.com/apache/kafka/blob/99b9b3e84f4e98c3f07714e1de6a139a004cbc5b/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L102-L113]
for JKS?


was (Author: teabot):
[~rsivaram] on point 2, would that actually work for clients though? I ask 
because it seems as though the {{DefaultSslEngineFactory}} [already does 
this|https://github.com/apache/kafka/blob/99b9b3e84f4e98c3f07714e1de6a139a004cbc5b/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L102-L113].

> Support client reload of PEM certificates
> -----------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as 
> client configuration properties in addition to JKS file based key stores 
> (KAFKA-10338). With PEM, certificate chains are passed into clients as simple 
> string based key-value properties, alongside existing client configuration. 
> This offers a number of benefits: it provides a JVM agnostic security 
> mechanism from the perspective of clients, removes the client's dependency on 
> the local filesystem, and allows the encapsulation of the entire client 
> configuration into a single payload.
> However, the current client PEM implementation has a feature regression when 
> compared with the JKS implementation. With the JKS approach, clients would 
> automatically reload certificates when the key stores were modified on disk. 
> This enables a seamless approach for the replacement of certificates when 
> they are due to expire; no further configuration or explicit interference 
> with the client lifecycle is needed for the client to migrate to renewed 
> certificates.
> Such a capability does not currently exist for PEM. One supplies key chains 
> when instantiating clients only - there is no mechanism available to either 
> directly reconfigure the client, or for the client to observe changes to the 
> original properties set reference used in construction. Additionally, no 
> work-arounds are documented that might give users alternative strategies for 
> dealing with expiring certificates. Given that expiration and renewal of 
> certificates is an industry standard practice, it could be argued that the 
> current PEM client implementation is not fit for purpose.
> In summary, a mechanism should be provided such that clients can 
> automatically detect, load, and use updated PEM key chains from some non-file 
> based source (object ref, method invocation, listener, etc.)
> Finally, it is suggested that in the short-term Kafka documentation be 
> updated to describe any viable mechanism for updating client PEM certs 
> (perhaps closing existing client and then recreating?).
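The close-and-recreate workaround the description floats, written out as an added Java example; this is not code from the Kafka project or from the reporter. The wrapper class and its method names are hypothetical, the config keys are Kafka's inline-PEM settings (ssl.keystore.type=PEM, ssl.keystore.certificate.chain, ssl.keystore.key, ssl.truststore.certificates), and the renewed PEM strings are assumed to arrive from some external source such as a secret store.

```java
import java.util.Properties;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.serialization.StringSerializer;

/** Hypothetical wrapper: a producer whose inline PEM credentials can be swapped at runtime. */
public final class PemSwappableProducer implements AutoCloseable {
    private final Properties base;
    private final AtomicReference<Producer<String, String>> current = new AtomicReference<>();

    /** chainPem, keyPem and caPem are PEM strings supplied by the caller (assumed external source). */
    public PemSwappableProducer(Properties base, String chainPem, String keyPem, String caPem) {
        this.base = base;
        current.set(build(chainPem, keyPem, caPem));
    }

    private Producer<String, String> build(String chainPem, String keyPem, String caPem) {
        Properties p = new Properties();
        p.putAll(base);                                    // bootstrap.servers, client.id, ...
        p.put("security.protocol", "SSL");
        // PEM material is passed inline as config values; nothing is read from disk,
        // so there is no file for the client to watch and reload.
        p.put("ssl.keystore.type", "PEM");
        p.put("ssl.keystore.certificate.chain", chainPem); // client cert chain, leaf first
        p.put("ssl.keystore.key", keyPem);                 // PKCS#8 private key
        p.put("ssl.truststore.type", "PEM");
        p.put("ssl.truststore.certificates", caPem);       // CA certs the brokers are verified against
        return new KafkaProducer<>(p, new StringSerializer(), new StringSerializer());
    }

    /** Renewed PEM only takes effect in a new client: build it first, then retire the old one.
     *  Callers holding a reference obtained before reload() keep the old client until it closes. */
    public void reload(String chainPem, String keyPem, String caPem) {
        Producer<String, String> fresh = build(chainPem, keyPem, caPem);
        Producer<String, String> old = current.getAndSet(fresh);
        if (old != null) {
            old.close(); // flushes buffered records, then drops the old TLS connections
        }
    }

    public void send(String topic, String key, String value) {
        current.get().send(new ProducerRecord<>(topic, key, value));
    }

    @Override
    public void close() {
        Producer<String, String> p = current.getAndSet(null);
        if (p != null) p.close();
    }
}
```

Because close() blocks until in-flight sends complete, a reload scheduled shortly before the old certificate's expiry still leaves a window where the old client may be sending with a certificate the broker is about to reject.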



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
