Hi Jaikiran,

I agree that this is a valid configuration and the log level seems too high given that. The original motivation is explained in the PR:

https://github.com/apache/kafka/pull/155/files#diff-fce430ae21a0c98d82da6d4aa551f824L603

That is, help people figure out if client authentication was not set up correctly, but it seems like a better way to do that is to set `ssl.client.auth=required`. So I'd, personally, be fine with reducing the log level to info or debug.

Ismael

On Sun, Sep 4, 2016 at 3:01 PM, Jaikiran Pai <jai.forums2...@gmail.com> wrote:

> We just started enabling SSL for our Kafka brokers and (Java) clients and
> among some of the issues we are running into, one of them is the flooding
> of the server/broker Kafka logs where we are seeing these messages:
>
> [2016-09-02 08:07:13,773] WARN SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
> [2016-09-02 08:07:15,710] WARN SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
> [2016-09-02 08:07:15,711] WARN SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
> [2016-09-02 08:07:15,711] WARN SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
> [2016-09-02 08:07:15,712] WARN SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
> ....
>
> They just keep going on and on. In our SSL setup, we have the broker
> configured with the keystore and the Java clients have been configured with
> a proper truststore and all works fine except for these messages flooding
> the logs. We don't have any ACLs set up nor have we enabled client auth
> check.
>
> Looking at the code which generates this WARN message
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SslTransportLayer.java#L638
> and the fact that the setup we have (where we just enable server/broker cert
> validation) is, IMO, a valid scenario and not some exceptional/incorrect
> setup issue, I think this log message is something that can be removed from
> the code (or at least logged at a much lower level given the frequency at
> which this gets logged)
>
> Any thoughts on this?
>
> It's a pretty straightforward change and if this change is something that
> sounds right, I can go ahead and submit a PR.
>
> P.S: This is both on 0.9.0.1 and latest 0.10.0.1.
>
> -Jaikiran
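
The two broker-side options discussed in this thread, written out as configuration. This is an added example, not part of the original messages or of the Kafka project's own files; the keystore and truststore paths, the passwords and the port are placeholders, and it assumes the stock `config/server.properties` and log4j 1.x `config/log4j.properties` layout shipped with the 0.9/0.10 brokers mentioned above.

```properties
# ---- config/server.properties (broker) ----
listeners=SSL://:9093
# Placeholder path and passwords for the broker's own certificate.
ssl.keystore.location=/path/to/broker.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>

# Option A: the setup from the thread. Clients validate the broker
# certificate but present none of their own, so every connection has
# no peer principal and is treated as ANONYMOUS.
ssl.client.auth=none

# Option B: mutual TLS. Use this instead of Option A when client
# identity matters (for example before adding ACLs). A client without
# a certificate trusted by the broker then fails the handshake rather
# than connecting as ANONYMOUS. Each client also needs its own
# ssl.keystore.* settings.
#ssl.client.auth=required
#ssl.truststore.location=/path/to/broker.truststore.jks
#ssl.truststore.password=<truststore-password>

# ---- config/log4j.properties (broker) ----
# Interim workaround for Option A on releases that still log the
# message at WARN: raise the threshold for this one logger.
# Caveat: this hides every other WARN from SslTransportLayer as well.
log4j.logger.org.apache.kafka.common.network.SslTransportLayer=ERROR
```

A quick check after restarting a broker with Option A plus the logger override is that the "SSL peer is not authenticated" lines stop appearing while TLS connections from the existing clients still succeed.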