[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17032915#comment-17032915 ]

ASF GitHub Bot commented on KAFKA-8843:
---

omkreddy commented on pull request #8003: KAFKA-8843: KIP-515: Zookeeper TLS support
URL: https://github.com/apache/kafka/pull/8003

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> Zookeeper migration tool support for TLS
>
> Key: KAFKA-8843
> URL: https://issues.apache.org/jira/browse/KAFKA-8843
> Project: Kafka
> Issue Type: Bug
> Reporter: Pere Urbon-Bayes
> Assignee: Pere Urbon-Bayes
> Priority: Minor
>
> Currently the zookeeper-migration tool works based on SASL authentication. This
> means only digest and Kerberos authentication is supported.
>
> With the introduction of ZK 3.5, TLS is added, including a new X509
> authentication provider.
>
> To support this great future and utilise the TLS principals, the
> zookeeper-migration-tool script should support the X509 authentication as
> well.
>
> In my newbie view, this should mean adding a new parameter to allow other
> ways of authentication around
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65.
>
> If I understand the process correctly, this will require a KIP, right?

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17024606#comment-17024606 ]

Gérald Quintana commented on KAFKA-8843:

I am probably dreaming, but it would be great to have a _zookeeper-client.properties_ config file on par with producer/consumer.properties config files, containing both TLS and JAAS authentication settings:

{code:java}
zookeeper.client.secure=true
zookeeper.sasl.jaas.config=org.apache.zookeeper.server.auth.DigestLoginModule required username="kafka" password="kafkapass";
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.truststore.password=truststorepass
{code}

As a result, the command line argument could be named _-zk-config-file_ instead of _-zk-tls-config-file_
[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17023299#comment-17023299 ]

ASF GitHub Bot commented on KAFKA-8843:
---

rondagostino commented on pull request #8003: KAFKA-8843: KIP-515: Zookeeper TLS support
URL: https://github.com/apache/kafka/pull/8003

Signed-off-by: Ron Dagostino

*More detailed description of your change, if necessary. The PR title and PR message become the squashed commit message, so use a separate comment to ping reviewers.*

*Summary of testing strategy (including rationale) for the feature or bug fix. Unit and/or integration tests are expected for any behaviour change and system tests should be considered for larger changes.*

### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)
[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16976893#comment-16976893 ]

Kelly Schoenhofen commented on KAFKA-8843:

Question, does ZK 3.5.6 allow for SSL (TLS, but let's say SSL to keep in line with the documentation) from Kafka? Not SASL_SSL, just plain SSL. Is that what this Jira is for?

I have quorum TLS working in ZK 3.5.6, I added a tls-secured listener, but as of yet I can't quite get Kafka to connect to it:

{{[2019-11-18 15:03:11,545] INFO Opening socket connection to server xxx/x.x.x.x:2182. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)}}

is the closest I have come, but I didn't want to do SASL_SSL, I just want to secure the traffic between Kafka and ZooKeeper using TLS 1.2 and a specific class of cipher, like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and enforce the CN name on each side to match each other's cert & trusted cert stores (like how ZooKeeper Quorum TLS works).
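Added example, not part of the thread or of the Kafka code base: the requirements in the comment above (TLS 1.2 only, a restricted cipher suite, certificates and host names checked on both sides) written as an audit over a broker properties file. The key names are the zookeeper.ssl.* client settings Kafka gained with KIP-515, which this page does not quote; treating an unset protocol or cipher list as a finding is this example's policy, and the file contents are constructed.

```python
# Added example: key names are Kafka's zookeeper.ssl.* client settings (KIP-515);
# the sample paths and values below are constructed.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
NETTY = "org.apache.zookeeper.ClientCnxnSocketNetty"  # ZooKeeper's TLS-capable client socket

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_zk_tls(text):
    """Return findings; an empty list means every check passed."""
    p, findings = parse_properties(text), []
    if p.get("zookeeper.ssl.client.enable", "false").lower() != "true":
        findings.append("TLS to ZooKeeper not enabled")
    if p.get("zookeeper.clientCnxnSocket") != NETTY:
        findings.append("Netty client socket not configured")
    if not p.get("zookeeper.ssl.truststore.location"):
        findings.append("no truststore")
    if not p.get("zookeeper.ssl.keystore.location"):
        findings.append("no keystore for client certificate")
    protos = {v.strip() for v in p.get("zookeeper.ssl.enabled.protocols", "").split(",")} - {""}
    if not protos:
        findings.append("enabled protocols not set explicitly")
    elif protos & WEAK_PROTOCOLS:
        findings.append("legacy protocol enabled: " + ",".join(sorted(protos & WEAK_PROTOCOLS)))
    if not p.get("zookeeper.ssl.cipher.suites"):
        findings.append("cipher suites not restricted")
    # Default is HTTPS; an explicit blank value disables hostname verification.
    if p.get("zookeeper.ssl.endpoint.identification.algorithm", "HTTPS").upper() != "HTTPS":
        findings.append("hostname verification disabled")
    return findings

GOOD = """\
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/etc/kafka/keystore.jks
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.enabled.protocols=TLSv1.2
zookeeper.ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
zookeeper.ssl.endpoint.identification.algorithm=HTTPS
"""
# Same file with a legacy protocol added and hostname verification blanked out.
BAD = GOOD.replace("TLSv1.2", "TLSv1.2,TLSv1").replace("algorithm=HTTPS", "algorithm=")
```

`audit_zk_tls(GOOD)` returns an empty list; `audit_zk_tls(BAD)` reports the legacy protocol and the disabled hostname check.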
[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16918787#comment-16918787 ]

Pere Urbon-Bayes commented on KAFKA-8843:

Working on writing the related KIP right now.
[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS
[ https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917897#comment-16917897 ]

Pere Urbon-Bayes commented on KAFKA-8843:

If possible I would love to work on this with the support of the community.