On 2019/07/29 19:22:02, Sandeep Mopuri <mpr...@gmail.com> wrote:
> Hi all, after some good discussion
> <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the
> KIP
> <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>,
> I'm starting the voting.
>
> This KIP proposes adding new security configuration to accept custom
> security providers that can provide algorithms for SSL or SASL.
>
> --
> Thanks,
> M.Sai Sandeep
>
Hello,
How do we handle a scenario where some providers require more information for
installing providers?
For instance, the Bouncy Castle (BC) provider requires the input parameter
"fips:BCFIPS" for enabling FIPS mode.
Example:
Static configuration in the java.security file:
security.provider.1=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
Dynamic installation:
Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
So I suggested we might consider providing more info for the new config
property, for example:
security.provider.info=classname of provider/name of provider/initial parameters,
Example for BC case:
security.provider.info=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider/BC/fips:BCFIPS,sun.security.provider.Sun/SUN,
Basically, info for each provider will consist of three pieces of information:
name of class, name of provider (for unit testing purposes), and initial
parameter for instantiating the class.
Still use comma "," for separating each provider info.
Jeff Huang,
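
The class/name/parameter format proposed in the message above could be parsed and applied as in the following added example, which is not code from this thread or from Kafka. The class `ProviderInfoDemo`, its nested `DemoProvider`, and the sample value are constructed for illustration; it assumes Java 16 or later.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class ProviderInfoDemo {
    // Constructed stand-in for a provider that takes an init string (hypothetical class).
    public static class DemoProvider extends Provider {
        public DemoProvider(String param) {
            super("DEMO", "1.0", "demo provider, param=" + param);
        }
    }

    // One parsed entry: className/providerName[/initParameter]
    record Entry(String className, String name, String param) {}

    static List<Entry> parse(String value) {
        List<Entry> out = new ArrayList<>();
        for (String item : value.split(",")) {   // a ',' inside a parameter would break this
            item = item.trim();
            if (item.isEmpty()) continue;        // tolerate empty items and the trailing comma
            String[] f = item.split("/", 3);     // limit 3: '/' may appear in the parameter
            if (f.length < 2 || f[0].isEmpty() || f[1].isEmpty())
                throw new IllegalArgumentException("bad provider entry: " + item);
            out.add(new Entry(f[0], f[1], f.length == 3 ? f[2] : null));
        }
        return out;
    }

    static Provider install(Entry e) throws ReflectiveOperationException {
        // asSubclass rejects configured classes that are not JCA providers
        Class<? extends Provider> c = Class.forName(e.className()).asSubclass(Provider.class);
        Provider p = e.param() == null
                ? c.getConstructor().newInstance()
                : c.getConstructor(String.class).newInstance(e.param());
        if (!p.getName().equals(e.name()))       // configured name must match the real one
            throw new IllegalStateException("expected " + e.name() + ", got " + p.getName());
        Security.addProvider(p);                 // appends; returns -1 if already installed
        return p;
    }

    public static void main(String[] args) throws Exception {
        String cfg = "ProviderInfoDemo$DemoProvider/DEMO/fips:BCFIPS,"; // constructed value
        for (Entry e : parse(cfg)) {
            Provider p = install(e);
            System.out.println(p.getName() + " -> " + (Security.getProvider(e.name()) != null));
        }
    }
}
```

Because entries are split on commas first, an initial parameter that itself contains a comma cannot be expressed in this format without an escaping rule.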