[ 
https://issues.apache.org/jira/browse/KAFKA-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14093536#comment-14093536
 ] 

Albert Strasheim commented on KAFKA-1477:
-----------------------------------------

CloudFlare is also very interested in this work. We are most interested in 
encryption and mutual authentication over TLS. I think it would be useful to 
have a single broker support both an unencrypted and an encrypted port 
(producer on local network sends unencrypted, consumers on remote network 
consume encrypted).

We're mainly using this to move log events between data centers.

We've managed to kludge this together on top of an existing Kafka setup by 
using stunnel/haproxy 1.5 to do the encryption part along the lines described 
here:

https://mail-archives.apache.org/mod_mbox/kafka-users/201405.mbox/%3CCABgmubZT3=n780lxmvounzz6shgvpd_t8bn-wfoge5kxysv...@mail.gmail.com%3E

but this will only work with a single broker and carefully matching the 
hostname/port in stunnel with the MetadataResponse, since setting 
advertised.host.name= and advertised.port= to the haproxy host and port causes 
the controller to try to use that host/port for metadata, which doesn't work 
(as one would expect).

To be able to support multiple brokers (we only need maybe 1, 2 or 3 in this 
setup), we will probably tweak our consumer code to remap the advertised 
host/port and connect over TLS directly (without stunnel).

> add authentication layer and initial JKS x509 implementation for brokers, 
> producers and consumer for network communication
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-1477
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1477
>             Project: Kafka
>          Issue Type: New Feature
>            Reporter: Joe Stein
>            Assignee: Ivan Lyutov
>             Fix For: 0.8.2
>
>         Attachments: KAFKA-1477-binary.patch, KAFKA-1477.patch, 
> KAFKA-1477_2014-06-02_16:59:40.patch, KAFKA-1477_2014-06-02_17:24:26.patch, 
> KAFKA-1477_2014-06-03_13:46:17.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.2#6252)
