[ https://issues.apache.org/jira/browse/KAFKA-13703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam Long updated KAFKA-13703:
------------------------------
    Description:

I am developing a Kafka client that uses OAUTHBEARER and SSL to connect. I'm attempting to test against a server using a key from a custom CA. I added the trust-chain for the server to a Truststore JKS file, and referenced it in the configuration. However, I continually get PKIX errors. After some code tracing, I believe the OAUTHBEARER client code ignores defined truststores.

Here is an example based on my configuration:

{code:java}
application.id=my-kafka-client
client.id=my-kafka-client
group.id=my-kafka-client

# OAuth/SSL listener
bootstrap.servers=<MY_SERVER>:9096
security.protocol=SASL_SSL

# OAuth Configuration
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.login.connect.timeout.ms=15000
sasl.oauthbearer.token.endpoint.url=https://<MY_SERVER>/auth/realms/<MY_REALM>/protocol/openid-connect/token
ssl.truststore.location=<MY_PATH>\kafka.truststore.jks
#ssl.truststore.password=changeit
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="my-kafka-client" \
  clientSecret="my-kafka-client-secret";
{code}

Note - my Truststore does not have a password (I tried setting it to see if that would solve the problem initially).

I'm using the following example test code:

{code:java}
package example;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Properties;

import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.apache.kafka.common.serialization.StringSerializer;

public class Main {
    public static void main(final String[] args) throws IOException, URISyntaxException {
        Properties config = new Properties();
        // client.conf is the properties file shown above, on the classpath
        config.load(Main.class.getClassLoader().getResourceAsStream("client.conf"));

        config.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class);
        config.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class);
        config.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        config.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);

        // Constructing the consumer performs the SASL login; with OAUTHBEARER that
        // is where the token is fetched from the endpoint and the PKIX error appears.
        final KafkaConsumer<String, String> consumer = new KafkaConsumer<>(config);
        consumer.close();
    }
}
{code}

The issue seems to be in the {{org.apache.kafka.common.security.oauthbearer.secured}} package - in particular the {{AccessTokenRetrieverFactory.create()}} method, as it creates an sslContext but does not include the configured truststore from the Kafka configuration.

As such, it appears that unless you alter the JVM-default truststore, you cannot connect to a server running a custom trust-chain.

> OAUTHBEARER client will not use defined truststore
> --------------------------------------------------
>
>                 Key: KAFKA-13703
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13703
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.1.0
>            Reporter: Adam Long
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
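The report turns on which trust anchors the TLS connection to the token endpoint is validated against: the store named by {{ssl.truststore.location}} or the JVM default. The following Java program is an added example, not code from the issue or from the Kafka project. It reads the {{ssl.truststore.*}} keys from the same {{client.conf}} used above, builds an SSLContext from that store alone, and performs a TLS handshake with {{sasl.oauthbearer.token.endpoint.url}} twice, first with the JVM default context and then with the configured one, so that a PKIX failure can be attributed either to the store's contents or to the client ignoring the store. The class name {{TokenEndpointTrustCheck}}, the plain GET used only to force a handshake, and the 15 second timeout are assumptions of this example; {{ssl.truststore.type}} is a standard Kafka client setting whose default is JKS. The password-less truststore from the report is handled by passing a null password to {{KeyStore.load}}.

```java
// Added example (not Kafka project code): validate the token endpoint's chain
// against the Kafka ssl.truststore.* settings, independently of the Kafka client.
package example;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TokenEndpointTrustCheck {

    /** Builds an SSLContext that trusts only the anchors in the configured truststore. */
    static SSLContext sslContextFromKafkaConfig(Properties config)
            throws IOException, GeneralSecurityException {
        String location = config.getProperty("ssl.truststore.location");
        if (location == null) {
            throw new IllegalArgumentException("ssl.truststore.location is not set");
        }
        // Kafka's default truststore type is JKS, which matches the report's file.
        String type = config.getProperty("ssl.truststore.type", "JKS");
        String password = config.getProperty("ssl.truststore.password");

        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(location)) {
            // A null password skips the JKS integrity check, which is what a
            // password-less truststore (as in this report) requires.
            trustStore.load(in, password == null ? null : password.toCharArray());
        }
        if (trustStore.size() == 0) {
            throw new IllegalStateException("truststore " + location + " contains no entries");
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Handshakes with the endpoint using the given context; true if the chain was accepted. */
    static boolean handshakeSucceeds(String tokenEndpointUrl, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(tokenEndpointUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(15000); // assumed timeout, mirrors sasl.login.connect.timeout.ms above
        try {
            conn.connect();
            // A plain GET is enough to complete the handshake; the HTTP status is irrelevant here.
            conn.getResponseCode();
            return true;
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" surfaces here when no configured anchor signs the chain.
            System.err.println("handshake failed: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        Properties config = new Properties();
        try (InputStream in =
                TokenEndpointTrustCheck.class.getClassLoader().getResourceAsStream("client.conf")) {
            config.load(in);
        }
        String endpoint = config.getProperty("sasl.oauthbearer.token.endpoint.url");

        // 1. JVM default trust anchors: what the report says the login path effectively uses.
        System.out.println("default truststore trusts endpoint:    "
                + handshakeSucceeds(endpoint, SSLContext.getDefault()));
        // 2. The truststore named in the Kafka client configuration.
        System.out.println("configured truststore trusts endpoint: "
                + handshakeSucceeds(endpoint, sslContextFromKafkaConfig(config)));
    }
}
```

Run it with the same {{client.conf}} on the classpath. If the default run fails and the configured run succeeds, the store holds the right chain and the failure is in the client's login path, as the report describes; if both fail, the store itself is missing the server's issuing chain and no client-side change will help. The JVM-level workaround the report alludes to is {{-Djavax.net.ssl.trustStore=<path>}} (plus {{-Djavax.net.ssl.trustStorePassword}} when one is set), which replaces the default context for every TLS client in the process, so it should be scoped to the affected JVM rather than applied fleet-wide.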