[
https://issues.apache.org/jira/browse/KAFKA-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16458982#comment-16458982
]
ASF GitHub Bot commented on KAFKA-6810:
---
hachikuji closed pull request #4904: KAFKA-6810: Enable dynamic update of SSL
truststores
URL: https://github.com/apache/kafka/pull/4904
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
b/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
index fd4d39e51c7..9a3215f7a50 100644
--- a/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
@@ -138,8 +138,12 @@ public static void addClientSslSupport(ConfigDef config) {
.define(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG,
ConfigDef.Type.STRING, null, ConfigDef.Importance.LOW,
SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_DOC);
}
-public static final Set RECONFIGURABLE_CONFIGS =
Utils.mkSet(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG,
+public static final Set RECONFIGURABLE_CONFIGS = Utils.mkSet(
+SslConfigs.SSL_KEYSTORE_TYPE_CONFIG,
SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG,
SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG,
-SslConfigs.SSL_KEY_PASSWORD_CONFIG);
+SslConfigs.SSL_KEY_PASSWORD_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG);
}
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
index bebd691cc83..6989349fdbc 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
@@ -132,7 +132,7 @@ else if (clientAuthConfig.equals("requested"))
(String)
configs.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
(Password)
configs.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
try {
-this.sslContext = createSSLContext(keystore);
+this.sslContext = createSSLContext(keystore, truststore);
} catch (Exception e) {
throw new KafkaException(e);
}
@@ -147,8 +147,12 @@ else if (clientAuthConfig.equals("requested"))
public void validateReconfiguration(Map configs) {
try {
SecurityStore newKeystore = maybeCreateNewKeystore(configs);
-if (newKeystore != null)
-createSSLContext(newKeystore);
+SecurityStore newTruststore = maybeCreateNewTruststore(configs);
+if (newKeystore != null || newTruststore != null) {
+SecurityStore keystore = newKeystore != null ? newKeystore :
this.keystore;
+SecurityStore truststore = newTruststore != null ?
newTruststore : this.truststore;
+createSSLContext(keystore, truststore);
+}
} catch (Exception e) {
throw new ConfigException("Validation of dynamic config update
failed", e);
}
@@ -157,12 +161,16 @@ public void validateReconfiguration(Map
configs) {
@Override
public void reconfigure(Map configs) throws KafkaException {
SecurityStore newKeystore = maybeCreateNewKeystore(configs);
-if (newKeystore != null) {
+SecurityStore newTruststore = maybeCreateNewTruststore(configs);
+if (newKeystore != null || newTruststore != null) {
try {
-this.sslContext = createSSLContext(newKeystore);
-this.keystore = newKeystore;
+SecurityStore keystore = newKeystore != null ? newKeystore :
this.keystore;
+SecurityStore truststore = newTruststore != null ?
newTruststore : this.truststore;
+this.sslContext = createSSLContext(keystore, truststore);
+this.keystore = keystore;
+this.truststore = truststore;
} catch (Exception e) {
-throw new ConfigException("Reconfiguration of SSL keystore
failed", e);
+throw new ConfigException("Reconfiguration of SSL
keystore/truststore failed", e);
}
}
}
@@ -182,8 +190,21 @@ private SecurityStore maybeCreateNewKeystore(Map configs) {
return null;
}
+private SecurityStore maybeCreateNewTruststore(Map configs) {
+boolean truststoreChanged =
Objects.equals(configs.get(SslConfigs.SSL_TRUSTSTO