[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2020-02-08 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17032915#comment-17032915
 ] 

ASF GitHub Bot commented on KAFKA-8843:
---

omkreddy commented on pull request #8003: KAFKA-8843: KIP-515: Zookeeper TLS 
support
URL: https://github.com/apache/kafka/pull/8003
 
 
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Zookeeper migration tool support for TLS
> 
>
> Key: KAFKA-8843
> URL: https://issues.apache.org/jira/browse/KAFKA-8843
> Project: Kafka
> Issue Type: Bug
> Reporter: Pere Urbon-Bayes
> Assignee: Pere Urbon-Bayes
> Priority: Minor
>
> Currently zookeeper-migration tool works based on SASL authentication, which 
> means only digest and kerberos authentication is supported.
>  
> With the introduction of ZK 3.5, TLS is added, including a new X509 
> authentication provider. 
>  
> To support this great future and utilise the TLS principals, the 
> zookeeper-migration-tool script should support the X509 authentication as 
> well.
>  
> In my newbie view, this should mean adding a new parameter to allow other 
> ways of authentication around 
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65.
>  
> If I understand the process correctly, this will require a KIP, right?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2020-01-27 Thread Jira


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17024606#comment-17024606
 ] 

Gérald Quintana commented on KAFKA-8843:


I am probably dreaming, but it would be great to have 
_zookeeper-client.properties_ config file on par with 
producer/consumer.properties config files, containing both TLS and JAAS 
authentication settings:

 
{code:java}
zookeeper.client.secure=true
zookeeper.sasl.jaas.config=org.apache.zookeeper.server.auth.DigestLoginModule required username="kafka" password="kafkapass";
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.truststore.password=truststorepass
{code}
As a result, the command line argument could be named _-zk-config-file_ instead 
of _-zk-tls-config-file_






[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2020-01-24 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17023299#comment-17023299
 ] 

ASF GitHub Bot commented on KAFKA-8843:
---

rondagostino commented on pull request #8003: KAFKA-8843: KIP-515: Zookeeper 
TLS support
URL: https://github.com/apache/kafka/pull/8003
 
 
   Signed-off-by: Ron Dagostino 
   
   
 








[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2019-11-18 Thread Kelly Schoenhofen (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16976893#comment-16976893
 ] 

Kelly Schoenhofen commented on KAFKA-8843:
--

Question, does ZK 3.5.6 allow for SSL (TLS, but let's say SSL to keep in line 
with the documentation) from Kafka? Not SASL_SSL, just plain SSL. Is that what 
this Jira is for? I have quorum TLS working in ZK 3.5.6, I added a tls-secured 
listener, but as of yet I can't quite get Kafka to connect to it:

{{[2019-11-18 15:03:11,545] INFO Opening socket connection to server 
xxx/x.x.x.x:2182. Will not attempt to authenticate using SASL (unknown error) 
(org.apache.zookeeper.ClientCnxn)}}

is the closest I have come, but I didn't want to do SASL_SSL, I just want to 
secure the traffic between Kafka and ZooKeeper using TLS 1.2 and a specific 
class of cipher, like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and enforce the CN 
name on each side to match each other's cert & trusted cert stores (like how 
ZooKeeper Quorum TLS works). 




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
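
The policy described in Kelly Schoenhofen's comment above (TLS 1.2 only, a single cipher suite, certificates on both sides, peer name checking) can be checked mechanically in a ZooKeeper client TLS properties file. This is an added example, not code from the thread or from the Kafka project; the keys are the `zookeeper.ssl.*` client settings that KIP-515 added to Kafka, and the sample file contents and paths are constructed.

```python
# Added example: audit a ZooKeeper client TLS properties file against a fixed policy.
NETTY = "org.apache.zookeeper.ClientCnxnSocketNetty"
POLICY = {  # key -> exact set of values the policy asks for
    "zookeeper.ssl.enabled.protocols": {"TLSv1.2"},
    "zookeeper.ssl.cipher.suites": {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
}

def parse_properties(text):
    """Parse key=value lines; skips comments, joins backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings; an empty list means every check passed."""
    findings = []
    if props.get("zookeeper.ssl.client.enable", "").lower() != "true":
        findings.append("zookeeper.ssl.client.enable is not true")
    if props.get("zookeeper.clientCnxnSocket") != NETTY:
        findings.append("zookeeper.clientCnxnSocket is not the Netty socket")
    for key in ("zookeeper.ssl.truststore.location", "zookeeper.ssl.keystore.location"):
        if not props.get(key):  # truststore verifies the server, keystore identifies the client
            findings.append(key + " is not set")
    for key, wanted in POLICY.items():
        got = {v.strip() for v in props.get(key, "").split(",") if v.strip()}
        if got != wanted:
            findings.append(f"{key} is {sorted(got)}, policy wants {sorted(wanted)}")
    # Unset means the default (HTTPS, host name checked); an empty value turns the check off.
    if props.get("zookeeper.ssl.endpoint.identification.algorithm", "HTTPS").upper() != "HTTPS":
        findings.append("host name verification is disabled")
    return findings

# Constructed sample files; password entries are omitted.
GOOD = """\
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/etc/kafka/keystore.jks
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.enabled.protocols=TLSv1.2
zookeeper.ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
WEAK = GOOD.replace("=TLSv1.2", "=TLSv1.2,TLSv1.1") + "zookeeper.ssl.endpoint.identification.algorithm=\n"
```

`audit(parse_properties(WEAK))` reports the extra protocol and the disabled host name check; the same function can gate a file before it is passed to a tool as its ZooKeeper TLS config file.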


[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2019-08-29 Thread Pere Urbon-Bayes (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16918787#comment-16918787
 ] 

Pere Urbon-Bayes commented on KAFKA-8843:
-

Working on writing the related KIP right now.




--
This message was sent by Atlassian Jira
(v8.3.2#803003)


[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

2019-08-28 Thread Pere Urbon-Bayes (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917897#comment-16917897
 ] 

Pere Urbon-Bayes commented on KAFKA-8843:
-

If possible I would love to work on this with the support of the community.

> Zookeeper migration tool support for TLS
> 
>
> Key: KAFKA-8843
> URL: https://issues.apache.org/jira/browse/KAFKA-8843
> Project: Kafka
> Issue Type: Bug
> Reporter: Pere Urbon-Bayes
> Priority: Minor
>
> Currently zookeeper-migration tool works based on SASL authentication, which 
> means only digest and kerberos authentication is supported.
>  
> With the introduction of ZK 3.5, TLS is added, including a new X509 
> authentication provider. 
>  
> To support this great future and utilise the TLS principals, the 
> zookeeper-migration-tool script should support the X509 authentication as 
> well.
>  
> In my newbie view, this should mean adding a new parameter to allow other 
> ways of authentication around 
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65.
>  
> If I understand the process correctly, this will require a KIP, right?
>  


