Hello, Kafka team.

I ran the system tests that use SSL with TLSv1.3. You can find the results of the tests in the Jira ticket [1], [2], [3], [4].
I also need changes [5] in `security_config.py` to execute system tests with TLSv1.3 (more info in the PR description). Please take a look.

Test environment:
• openjdk11
• trunk + changes from my PR [5].

The full system test results are 15 GB in size. Should I share the full logs with you?

What else should be done before we can enable TLSv1.3 by default?

[1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
[2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
[3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
[4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
[5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51

> On 29 Jan 2020, at 15:27, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
>
> Hello, Rajini.
>
> Thanks for the feedback.
>
> I’ve searched the tests by the «ssl» keyword and found the following tests:
>
> ./test/kafkatest/services/kafka_log4j_appender.py
> ./test/kafkatest/services/listener_security_config.py
> ./test/kafkatest/services/security/security_config.py
> ./test/kafkatest/tests/core/security_test.py
>
> Are these all the tests that need to be run with TLSv1.3 to ensure we can enable it by default?
>
>> On 28 Jan 2020, at 14:58, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>
>> Hi Nikolay,
>>
>> Not sure of the total space required. But you can run a collection of tests at a time instead of running them all together. That way, you could just run all the tests that enable SSL. Details of running a subset of tests are in the README in tests.
>>
>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <nizhi...@apache.org> wrote:
>> Hello, Rajini.
>>
>> I tried to run all system tests but failed for now.
>> It happens that the system tests generate a lot of logs.
>> I had 250GB of free space, but it was all occupied by the log from half of the system tests.
>>
>> Do you have any idea how much total disk space I need to run all system tests?
>>
>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>
>>> Hi Nikolay,
>>>
>>> There are a couple of things you could do:
>>>
>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but it will be good to run all of them. You can do this locally using docker with JDK 11 by updating the files in tests/docker. You will need to update tests/kafkatest/services/security/security_config.py to enable only TLSv1.3. Instructions for running system tests using docker are in https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if the tests are run using JDK 11 and above. We need to do this for system tests as well. There is an open JIRA: https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this to yourself if you have time to do this.
>>>
>>> Regards,
>>>
>>> Rajini
>>>
>>>
>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>
>>>> Hello, Rajini.
>>>>
>>>> Can you please clarify what should be done?
>>>> I can try to do the tests myself.
>>>>
>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>
>>>>> Hi Brajesh.
>>>>>
>>>>> No one is working on this yet, but will follow up with the Confluent tools team to see when this can be done.
>>>>>
>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>
>>>>>> Hello Rajini,
>>>>>>
>>>>>> What is the plan to run system tests using JDK 11? Is someone working on this?
>>>>>>
>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> We can leave the KIP open and restart the discussion once system tests are running.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Rajini
>>>>>>>
>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>
>>>>>>>> Hello, Rajini.
>>>>>>>>
>>>>>>>> Thanks for the feedback.
>>>>>>>>
>>>>>>>> Should I mark this KIP as declined?
>>>>>>>> Or just wait for the system test results?
>>>>>>>>
>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Nikolay,
>>>>>>>>>
>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we don't yet have full system test results with TLS 1.3 which requires JDK 11. We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Rajini
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hello, Team.
>>>>>>>>>>
>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>
>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I'd like to start a discussion of the KIP.
>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>
>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>
>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Brajesh Kumar