Details
Description
The problem applies to the situation when we create a Kafka client based on prepopulated config. If we have only partial control on the input we can attempt to reset some values.
KIP-651 added a new cool feature to use PEM coding of certificates as an alternative to file stores. I have observed a problem in Confluent Replicator. We have shifted the common configuration to the worker level and assumed the connectors define only what is specific for them. The security setup is mTLS, i.e. we need both client cert and trusted chain. Our default configuration has both in #PKCS12 files, but we had to reverse the replication direction and redefine the destination coordinates. For these we have certificates, but having KIP-651 we could specify them as connector params as opposed to the worker deployment change.
It came out that we cannot override ssl.keystore.location, ssl.keystore.password, etc. simply with empty values, because the code in the DefaultSslEngineFactory checks if the entry is null. We can only override it to empty string.
DefaultSslEngineFactory should treat the unexpected configuration entries as absent when they are null, but also when the given entry is an empty string.
For a workaround I have created a hacky patch that fixes the behaviour:
https://github.com/piotrsmolinski/kafka-ssl-fix
Attachments
Issue Links
- links to