Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-4636

Per listener security setting overrides (KIP-103)


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s:
    • Component/s: None
    • Labels:


      This is a follow-up to KAFKA-4565 where most of KIP-103 was implemented. I quote the missing bit from the KIP:

      "Finally, we make it possible to provide different security (SSL and SASL) settings for each listener name by adding a normalised prefix (the listener name is lowercased) to the config name. For example, if we wanted to set a different keystore for the CLIENT listener, we would set a config with name listener.name.client.ssl.keystore.location. If the config for the listener name is not set, we will fallback to the generic config (i.e. ssl.keystore.location) for compatibility and convenience. For the SASL case, some configs are provided via a JAAS file, which consists of one or more entries. The broker currently looks for an entry named KafkaServer. We will extend this so that the broker first looks for an entry with a lowercased listener name followed by a dot as a prefix to the existing name. For the CLIENT listener example, the broker would first look for client.KafkaServer with a fallback to KafkaServer, if necessary."

      KIP link for details:


          Issue Links



              • Assignee:
                ijuma Ismael Juma
                ijuma Ismael Juma
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: