Kafka / KAFKA-4525

Kafka should not require SSL trust store password

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.0.0
    • Fix Version/s: 0.11.0.0
    • Component/s: security
    • Labels:
      None

      Description

      When configuring SSL for Kafka, if the truststore password is not set, Kafka fails to start with:

      org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
      
      	at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
      	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
      

      The truststore password is not required for read operations. When reading the truststore the password is used as an integrity check but not required.

      The risk of not providing a password is that someone could add a certificate into the store which you do not want to trust. The store should be protected first by the OS permissions. The password is an additional protection.

      Though this risk of trusting the OS permissions is one many may not want to take, it's not a decision that Kafka should enforce or require.
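
The behaviour described above can be seen with the JDK `KeyStore` API directly. This is an added example, not code from the issue or from Kafka: it assumes a JKS store, and the class name, the password and the empty in-memory store are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

public class TruststorePasswordDemo {

    // Load JKS bytes with the given password; a null password skips the integrity check.
    static String tryLoad(byte[] jks, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(jks), password);
            return "loaded, entries=" + ks.size();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] good = "constructed-password".toCharArray();   // constructed value
        char[] wrong = "not-the-password".toCharArray();      // constructed value

        // Build an empty JKS store in memory and write it out with a password.
        // Writing always needs the password; it keys the digest appended to the file.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, good);
        byte[] original = out.toByteArray();

        // Simulate a modification on disk by flipping one bit of the trailing digest.
        byte[] modified = original.clone();
        modified[modified.length - 1] ^= 0x01;

        // Reading: the password is optional and only controls verification.
        System.out.println("original, correct password: " + tryLoad(original, good));
        System.out.println("original, wrong password:   " + tryLoad(original, wrong));
        System.out.println("original, no password:      " + tryLoad(original, null));

        // Only a load that supplies the password notices the modified file.
        System.out.println("modified, correct password: " + tryLoad(modified, good));
        System.out.println("modified, no password:      " + tryLoad(modified, null));
    }
}
```

A load without a password accepts both the original and the modified bytes, which is why file permissions carry the protection when the password is omitted.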

              People

              • Assignee:
                granthenke Grant Henke
                Reporter:
                granthenke Grant Henke
              • Votes:
                0
                Watchers:
                3