Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-4636

Per listener security setting overrides (KIP-103)

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.11.0.0
    • Component/s: None
    • Labels:

      Description

      This is a follow-up to KAFKA-4565 where most of KIP-103 was implemented. I quote the missing bit from the KIP:

      "Finally, we make it possible to provide different security (SSL and SASL) settings for each listener name by adding a normalised prefix (the listener name is lowercased) to the config name. For example, if we wanted to set a different keystore for the CLIENT listener, we would set a config with name listener.name.client.ssl.keystore.location. If the config for the listener name is not set, we will fallback to the generic config (i.e. ssl.keystore.location) for compatibility and convenience. For the SASL case, some configs are provided via a JAAS file, which consists of one or more entries. The broker currently looks for an entry named KafkaServer. We will extend this so that the broker first looks for an entry with a lowercased listener name followed by a dot as a prefix to the existing name. For the CLIENT listener example, the broker would first look for client.KafkaServer with a fallback to KafkaServer, if necessary."

      KIP link for details:
      https://cwiki.apache.org/confluence/display/KAFKA/KIP-103%3A+Separation+of+Internal+and+External+traffic

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ijuma Ismael Juma
                Reporter:
                ijuma Ismael Juma
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: