[jira] [Commented] (KAFKA-6810) Enable dynamic reconfiguration of SSL truststores

2018-08-03 Thread Rajini Sivaram (JIRA)


[ https://issues.apache.org/jira/browse/KAFKA-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16567938#comment-16567938 ]

Rajini Sivaram commented on KAFKA-6810:
---

[~h...@pinterest.com] We currently support dynamic refresh of keystores and 
truststores only on brokers.

> Enable dynamic reconfiguration of SSL truststores
> -
>
> Key: KAFKA-6810
> URL: https://issues.apache.org/jira/browse/KAFKA-6810
> Project: Kafka
>  Issue Type: Task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Major
> Fix For: 2.0.0
>
>
> We currently allow broker's SSL keystores to be dynamically reconfigured to 
> support short-lived keystores (KIP-226). It will be useful to allow 
> truststores to be reconfigured as well to allow new certificates to be added 
> and also to remove certificates.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (KAFKA-6810) Enable dynamic reconfiguration of SSL truststores

2018-08-03 Thread Henry Cai (JIRA)


[ https://issues.apache.org/jira/browse/KAFKA-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16567901#comment-16567901 ]

Henry Cai commented on KAFKA-6810:
--

[~rsivaram] Is this change only applying on broker side?  If I want consumer 
client also dynamically refresh when keystore/truststore changed, is that 
supported?






[jira] [Commented] (KAFKA-6810) Enable dynamic reconfiguration of SSL truststores

2018-04-30 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/KAFKA-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16458982#comment-16458982 ]

ASF GitHub Bot commented on KAFKA-6810:
---

hachikuji closed pull request #4904: KAFKA-6810: Enable dynamic update of SSL 
truststores
URL: https://github.com/apache/kafka/pull/4904
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java 
b/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
index fd4d39e51c7..9a3215f7a50 100644
--- a/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
@@ -138,8 +138,12 @@ public static void addClientSslSupport(ConfigDef config) {
 .define(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.LOW, 
SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_DOC);
 }
 
-public static final Set RECONFIGURABLE_CONFIGS = 
Utils.mkSet(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG,
+public static final Set RECONFIGURABLE_CONFIGS = Utils.mkSet(
+SslConfigs.SSL_KEYSTORE_TYPE_CONFIG,
 SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG,
 SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG,
-SslConfigs.SSL_KEY_PASSWORD_CONFIG);
+SslConfigs.SSL_KEY_PASSWORD_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG,
+SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG);
 }
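Review bot: RECONFIGURABLE_CONFIGS now lists the three truststore keys beside the keystore keys, but nothing in SslConfigs says where dynamic updates of these keys are actually honoured; because the constant sits directly under addClientSslSupport(ConfigDef config), a client author can read it as a promise that producer/consumer truststores refresh too, which the discussion on this ticket says they do not. Suggest a Javadoc on the constant stating that it is consumed by the broker's reconfigurable SslFactory only, and keeping the keystore and truststore entries grouped as they are here so the symmetry between the two stores stays visible.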
diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java 
b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
index bebd691cc83..6989349fdbc 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
@@ -132,7 +132,7 @@ else if (clientAuthConfig.equals("requested"))
  (String) 
configs.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG),
  (Password) 
configs.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
 try {
-this.sslContext = createSSLContext(keystore);
+this.sslContext = createSSLContext(keystore, truststore);
 } catch (Exception e) {
 throw new KafkaException(e);
 }
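Review bot: with the keystore and the truststore now built and combined inside the same try block, the unchanged `throw new KafkaException(e)` gives an operator no hint whether the keystore or the truststore failed to load. Suggest `throw new KafkaException("Failed to create SSL context from keystore/truststore", e)` at minimum, or loading each store in its own guarded step so the message can name the store and the configured location that failed.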
@@ -147,8 +147,12 @@ else if (clientAuthConfig.equals("requested"))
 public void validateReconfiguration(Map configs) {
 try {
 SecurityStore newKeystore = maybeCreateNewKeystore(configs);
-if (newKeystore != null)
-createSSLContext(newKeystore);
+SecurityStore newTruststore = maybeCreateNewTruststore(configs);
+if (newKeystore != null || newTruststore != null) {
+SecurityStore keystore = newKeystore != null ? newKeystore : 
this.keystore;
+SecurityStore truststore = newTruststore != null ? 
newTruststore : this.truststore;
+createSSLContext(keystore, truststore);
+}
 } catch (Exception e) {
 throw new ConfigException("Validation of dynamic config update 
failed", e);
 }
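Review bot: the only check in this block is that `createSSLContext(keystore, truststore)` succeeds for the chosen pair; when only the truststore changes it is combined with the current keystore, but building a context does not establish that the new truststore still contains the CA that issued the broker's own certificate or its peers' certificates, so a truststore update that drops a CA passes validation here and only fails later on live connections. Worth either verifying the active key's chain against the new truststore during validation or stating the limitation in the upgrade notes; the message "Validation of dynamic config update failed" should also say which store was being validated.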
@@ -157,12 +161,16 @@ public void validateReconfiguration(Map 
configs) {
 @Override
 public void reconfigure(Map configs) throws KafkaException {
 SecurityStore newKeystore = maybeCreateNewKeystore(configs);
-if (newKeystore != null) {
+SecurityStore newTruststore = maybeCreateNewTruststore(configs);
+if (newKeystore != null || newTruststore != null) {
 try {
-this.sslContext = createSSLContext(newKeystore);
-this.keystore = newKeystore;
+SecurityStore keystore = newKeystore != null ? newKeystore : 
this.keystore;
+SecurityStore truststore = newTruststore != null ? 
newTruststore : this.truststore;
+this.sslContext = createSSLContext(keystore, truststore);
+this.keystore = keystore;
+this.truststore = truststore;
 } catch (Exception e) {
-throw new ConfigException("Reconfiguration of SSL keystore 
failed", e);
+throw new ConfigException("Reconfiguration of SSL 
keystore/truststore failed", e);
 }
 }
 }
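Review bot: the two ternaries selecting keystore and truststore are copied verbatim from validateReconfiguration in the previous hunk; suggest a small private helper that returns the pair to use given the maybeCreateNewKeystore/maybeCreateNewTruststore results, so the validate and apply paths cannot drift apart. Also, this.keystore and this.truststore are reassigned even when unchanged, which is harmless but hides which store actually changed; logging the store(s) that were swapped would help later review, since a truststore change alters which client certificates the broker accepts.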
@@ -182,8 +190,21 @@ private SecurityStore maybeCreateNewKeystore(Map configs) {
 return null;
 }
 
+private SecurityStore maybeCreateNewTruststore(Map configs) {
+boolean truststoreChanged = 
Objects.equals(configs.get(SslConfigs.SSL_TRUSTSTO

[jira] [Commented] (KAFKA-6810) Enable dynamic reconfiguration of SSL truststores

2018-04-20 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/KAFKA-6810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446266#comment-16446266 ]

ASF GitHub Bot commented on KAFKA-6810:
---

rajinisivaram opened a new pull request #4904: KAFKA-6810: Enable dynamic 
update of SSL truststores
URL: https://github.com/apache/kafka/pull/4904

Enable broker's SSL truststores to be dynamically updated using 
ConfigCommand in the same way as keystores are updated.

### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)



This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




