Piotr Smolinski created KAFKA-13607:
---------------------------------------

             Summary: Cannot use PEM certificate coding when parent defined file-based
                 Key: KAFKA-13607
                 URL: https://issues.apache.org/jira/browse/KAFKA-13607
             Project: Kafka
          Issue Type: Bug
          Components: clients, config, KafkaConnect
    Affects Versions: 3.0.0, 2.7.1
            Reporter: Piotr Smolinski


The problem applies to the situation when we create a Kafka client based on 
prepopulated config. If we have only partial control on the input we can 
attempt to reset some values.

KIP-651 added a new cool feature to use PEM coding of certificates as an 
alternative to file stores. I have observed a problem in Confluent Replicator. 
We have shifted the common configuration to the worker level and assumed the 
connectors define only what is specific for them. The security setup is mTLS, 
i.e. we need both client cert and trusted chain. Our default configuration has 
both in PKCS#12 files, but we had to reverse the replication direction and 
redefine the destination coordinates. For these we have certificates, but 
having KIP-651 we could specify them as connector params as opposed to the 
worker deployment change.

It turned out that we cannot override **ssl.keystore.location**, 
**ssl.keystore.password**, etc. simply with empty values, because the code in 
the **DefaultSslEngineFactory** checks whether the entry is null. We can only 
override it to an empty string.

**DefaultSslEngineFactory** should treat the unexpected configuration entries 
as absent when they are **null**, but also when the given entry is an empty 
string.

For a workaround I have created a hacky patch that fixes the behaviour:

https://github.com/piotrsmolinski/kafka-ssl-fix

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

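As an added illustration of the override problem the report describes (this is example code written for this page, not the reporter's patch and not Kafka's DefaultSslEngineFactory), the Python below merges worker-level and connector-level properties the way Connect does and resolves which keystore and truststore would be built under two presence checks: "absent only when null" versus "absent when null or empty". The ssl.* property names are Kafka's real client properties (the inline PEM ones come from KIP-651); the decision order inside resolve_store, the file paths, and the placeholder PEM bodies are assumptions constructed for this example.

```python
from typing import Callable, Dict, Optional

Config = Dict[str, str]
Present = Callable[[Optional[str]], bool]

# Constructed worker-level defaults: mTLS with PKCS#12 stores on disk.
WORKER_DEFAULTS: Config = {
    "ssl.keystore.type": "PKCS12",
    "ssl.keystore.location": "/etc/kafka/client.p12",
    "ssl.keystore.password": "worker-secret",
    "ssl.truststore.type": "PKCS12",
    "ssl.truststore.location": "/etc/kafka/truststore.p12",
    "ssl.truststore.password": "worker-secret",
}

# Constructed connector-level override: blank out the file-store keys and
# supply the material inline as PEM (placeholder bodies, not real credentials).
CONNECTOR_OVERRIDE: Config = {
    "ssl.keystore.location": "",
    "ssl.keystore.password": "",
    "ssl.keystore.type": "PEM",
    "ssl.keystore.certificate.chain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "ssl.keystore.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
    "ssl.truststore.location": "",
    "ssl.truststore.password": "",
    "ssl.truststore.type": "PEM",
    "ssl.truststore.certificates": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
}


def merged_config(worker: Config, connector: Config) -> Config:
    """Connector properties override worker properties key by key."""
    cfg = dict(worker)
    cfg.update(connector)
    return cfg


def present_if_not_null(value: Optional[str]) -> bool:
    """The check the report complains about: only a missing key is absent."""
    return value is not None


def present_if_not_blank(value: Optional[str]) -> bool:
    """The check the report asks for: null and empty string are both absent."""
    return value is not None and value.strip() != ""


def resolve_store(cfg: Config, prefix: str, present: Present) -> Optional[Dict[str, str]]:
    """Decide which store would be built for 'ssl.keystore' or 'ssl.truststore'.

    Simplified model (assumption, not Kafka's code): a location that `present`
    accepts means a file-based store; otherwise complete inline PEM material
    means a PEM store; partial PEM material is an error; nothing means no store.
    """
    location = cfg.get(prefix + ".location")
    if prefix == "ssl.keystore":
        pem_keys = ("ssl.keystore.certificate.chain", "ssl.keystore.key")
    else:
        pem_keys = ("ssl.truststore.certificates",)
    pem_values = [cfg.get(k) for k in pem_keys]

    if present(location):
        # An empty location passes the null-only check and ends up here,
        # so the PEM material supplied by the connector is silently ignored.
        return {"kind": "file", "type": cfg.get(prefix + ".type", ""), "location": location}
    if all(present(v) for v in pem_values):
        return {"kind": "pem", "type": cfg.get(prefix + ".type", "")}
    if any(present(v) for v in pem_values):
        raise ValueError(f"incomplete PEM material for {prefix}: need all of {pem_keys}")
    return None


def resolve_ssl(cfg: Config, present: Present) -> Dict[str, Optional[Dict[str, str]]]:
    return {
        "keystore": resolve_store(cfg, "ssl.keystore", present),
        "truststore": resolve_store(cfg, "ssl.truststore", present),
    }


if __name__ == "__main__":
    cfg = merged_config(WORKER_DEFAULTS, CONNECTOR_OVERRIDE)
    print("null-only check: ", resolve_ssl(cfg, present_if_not_null))
    print("null-or-blank:   ", resolve_ssl(cfg, present_if_not_blank))
    print("worker defaults: ", resolve_ssl(WORKER_DEFAULTS, present_if_not_blank))
```

Under the null-only check the merged config still resolves to a file store whose location is the empty string, which is exactly the failure mode of overriding a worker default with "" from the connector; under the null-or-blank check the same config resolves to the PEM stores, while an untouched worker config still resolves to its PKCS#12 files, so the relaxed check does not change the default path.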