[
https://issues.apache.org/jira/browse/KAFKA-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039477#comment-17039477
]
ASF GitHub Bot commented on KAFKA-9570:
---------------------------------------
C0urante commented on pull request #8135: KAFKA-9570: Define SSL configs in all
worker config classes, not just distributed
URL: https://github.com/apache/kafka/pull/8135
[Jira](https://issues.apache.org/jira/browse/KAFKA-9570)
All SSL-related configs are currently defined only in the
`DistributedConfig` class, even though they are applicable for standalone mode
as well (since standalone mode also supports the Connect REST API). Because of
how these configs are parsed by the framework, it's currently impossible to
configure Connect in standalone mode to use SSL for the REST API with a
password-protected keystore, key, or truststore, and even if no password
protection is required, SSL configs will not be picked up correctly by the
worker if any of the worker configs start with the `listeners.https.` prefix.
These changes define the relevant SSL-related configs in the parent
`WorkerConfig` class, which should fix how they are picked up in standalone
mode.
A new unit test is added to verify that the `StandaloneConfig` picks up
these configs correctly.
### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSL cannot be configured for Connect in standalone mode
> -------------------------------------------------------
>
> Key: KAFKA-9570
> URL: https://issues.apache.org/jira/browse/KAFKA-9570
> Project: Kafka
> Issue Type: Bug
> Components: KafkaConnect
> Affects Versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.0.2, 2.3.0, 2.1.2,
> 2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.2.3, 2.5.0, 2.3.2, 2.4.1
> Reporter: Chris Egerton
> Assignee: Chris Egerton
> Priority: Major
>
> When Connect is brought up in standalone, if the worker config contains _any_
> properties that begin with the {{listeners.https.}} prefix, SSL will not be
> enabled on the worker.
> This is because the relevant SSL configs are only defined in the [distributed
> worker
> config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/distributed/DistributedConfig.java#L260]
> instead of the [superclass worker
> config|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/WorkerConfig.java].
> This, in conjunction with [a call
> to|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L42]
>
> [AbstractConfig::valuesWithPrefixAllOrNothing|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/clients/src/main/java/org/apache/kafka/common/config/AbstractConfig.java],
> causes all configs not defined in the {{WorkerConfig}} used by the worker to
> be silently dropped when the worker configures its REST server if there is at
> least one config present with the {{listeners.https.}} prefix.
> Unfortunately, the workaround of specifying all SSL configs without the
> {{listeners.https.}} prefix will also fail if any passwords need to be
> specified. This is because the password values in the {{Map}} returned from
> {{AbstractConfig::valuesWithPrefixAllOrNothing}} aren't parsed as passwords,
> but the [framework expects them to
> be|https://github.com/apache/kafka/blob/ebcdcd9fa94efbff80e52b02c85d4a61c09f850b/connect/runtime/src/main/java/org/apache/kafka/connect/runtime/rest/util/SSLUtils.java#L87].
> However, if no keystore, truststore, or key passwords need to be configured,
> then it should be possible to work around the issue by specifying all of
> those configurations without a prefix (as long as they don't conflict with
> any other configs in that namespace).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
