[ https://issues.apache.org/jira/browse/KAFKA-4525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15743052#comment-15743052 ]
ASF GitHub Bot commented on KAFKA-4525:
---------------------------------------

GitHub user granthenke opened a pull request:

    https://github.com/apache/kafka/pull/2246

    KAFKA-4525: Kafka should not require SSL trust store password

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/granthenke/kafka truststore-password

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2246.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2246

----
commit 47186bb1c87aa96bddcbb7b3a3841fe5d02b6792
Author: Grant Henke <ghe...@cloudera.com>
Date:   2016-12-12T20:21:10Z

    KAFKA-4525: Kafka should not require SSL trust store password

----

> Kafka should not require SSL trust store password
> -------------------------------------------------
>
>                 Key: KAFKA-4525
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4525
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Grant Henke
>            Assignee: Grant Henke
>
> When configuring SSL for Kafka, if the truststore password is not set, Kafka
> fails to start with:
> {noformat}
> org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
>       at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
>       at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
> {noformat}
> The truststore password is not required for read operations. When reading the
> truststore the password is used as an integrity check but not required.
> The risk of not providing a password is that someone could add a certificate
> into the store which you do not want to trust. The store should be protected
> first by the OS permissions. The password is an additional protection.
> Though this risk of trusting the OS permissions is one many may not want to
> take, it's not a decision that Kafka should enforce or require.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
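
As an added illustration of the behaviour the issue describes (not code from Kafka or from the pull request), the Python sketch below writes and reads a JKS-format truststore and checks its trailing SHA-1 digest only when a password is supplied. It assumes the JKS store type; the helper names, alias, password and placeholder certificate bytes are constructed for the example.

```python
import hashlib
import struct

MAGIC, VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

def _utf(s):  # length-prefixed string (plain UTF-8 is enough for ASCII names)
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _digest(password, body):  # SHA-1 over UTF-16BE password + salt + store body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def build_jks(password, certs):
    """Serialize {alias: cert_bytes} as a JKS truststore sealed with password."""
    body = struct.pack(">III", MAGIC, VERSION, len(certs))
    for alias, cert in certs.items():
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">q", 0)
        body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)

def load_jks(blob, password=None):
    """Return {alias: cert_bytes}; the digest is verified only if password is given."""
    body, stored, pos = blob[:-20], blob[-20:], 0
    def take(n):
        nonlocal pos
        pos += n
        if pos > len(body):
            raise ValueError("truncated store")
        return body[pos - n:pos]
    def num(n):
        return int.from_bytes(take(n), "big")
    if num(4) != MAGIC or num(4) != VERSION:
        raise ValueError("not a JKS v2 store")
    certs = {}
    for _ in range(num(4)):
        if num(4) != TRUSTED_CERT:
            raise ValueError("only trusted-certificate entries are handled here")
        alias = take(num(2)).decode("utf-8")
        take(8)               # creation timestamp
        take(num(2))          # certificate type, e.g. "X.509"
        certs[alias] = take(num(4))
    if password is not None and _digest(password, body) != stored:
        raise ValueError("integrity check failed: store modified or wrong password")
    return certs

# Constructed sample: the certificate bytes are a placeholder, not real DER.
STORE = build_jks("changeit", {"internal-ca": b"PLACEHOLDER-CERT-A"})
TAMPERED = STORE.replace(b"CERT-A", b"CERT-B")  # body changed, digest left stale
```

Loading `TAMPERED` without a password returns the altered entry without complaint, while loading it with the password raises, which is the trade-off the issue leaves to the operator.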