Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-4636

Per listener security setting overrides (KIP-103)

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 0.11.0.0
    • None

    Description

      This is a follow-up to KAFKA-4565 where most of KIP-103 was implemented. I quote the missing bit from the KIP:

      "Finally, we make it possible to provide different security (SSL and SASL) settings for each listener name by adding a normalised prefix (the listener name is lowercased) to the config name. For example, if we wanted to set a different keystore for the CLIENT listener, we would set a config with name listener.name.client.ssl.keystore.location. If the config for the listener name is not set, we will fallback to the generic config (i.e. ssl.keystore.location) for compatibility and convenience. For the SASL case, some configs are provided via a JAAS file, which consists of one or more entries. The broker currently looks for an entry named KafkaServer. We will extend this so that the broker first looks for an entry with a lowercased listener name followed by a dot as a prefix to the existing name. For the CLIENT listener example, the broker would first look for client.KafkaServer with a fallback to KafkaServer, if necessary."

      KIP link for details:
      https://cwiki.apache.org/confluence/display/KAFKA/KIP-103%3A+Separation+of+Internal+and+External+traffic

      Attachments

        Issue Links

          Activity

            People

              ijuma Ismael Juma
              ijuma Ismael Juma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: