[jira] [Resolved] (KAFKA-14816) Connect loading SSL configs when contacting non-HTTPS URLs

Mon, 20 Mar 2023 09:41:58 -0700 


     [ 
https://issues.apache.org/jira/browse/KAFKA-14816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Egerton resolved KAFKA-14816.
-----------------------------------
      Reviewer: Justine Olshan
    Resolution: Fixed

> Connect loading SSL configs when contacting non-HTTPS URLs
> ----------------------------------------------------------
>
>                 Key: KAFKA-14816
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14816
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 3.4.0
>            Reporter: Ian McDonald
>            Assignee: Chris Egerton
>            Priority: Blocker
>             Fix For: 3.5.0, 3.4.1
>
>
> Due to changes made here: [https://github.com/apache/kafka/pull/12828]
> Connect now unconditionally loads SSL configs from the worker into rest 
> clients it uses for cross-worker communication and uses them even when 
> issuing requests to HTTP (i.e., non-HTTPS) URLs. Previously, it would only 
> attempt to load (and validate) SSL properties when issuing requests to HTTPS 
> URLs. This can cause issues when a Connect cluster has stopped securing its 
> REST API with SSL but its worker configs still contain the old (and 
> now-invalid) SSL properties. When this happens, REST requests that hit a 
> follower worker but need to be forwarded to the leader will fail, and 
> connectors that perform dynamic reconfigurations via 
> [ConnectorContext::requestTaskReconfiguration|https://kafka.apache.org/34/javadoc/org/apache/kafka/connect/connector/ConnectorContext.html#requestTaskReconfiguration()]
>  will fail to trigger that reconfiguration if they are not running on the 
> leader.
> In our testing environments - older versions without the linked changes pass 
> with the following configuration, and newer versions with the changes fail:
> {{ssl.keystore.location = /mnt/security/test.keystore.jks}}
> {{ssl.keystore.password = [hidden]}}
> {{ssl.keystore.type = JKS}}
> {{ssl.protocol = TLSv1.2}}
> It's important to note that the file {{/mnt/security/test.keystore.jks}} 
> isn't generated for our non-SSL tests, however these configs are still 
> included in our worker config file.
> This leads to a 500 response when hitting the create connector REST endpoint 
> with the following error:
> bq. { "error_code":500,   "message":"Failed to start RestClient:   
> /mnt/security/test.keystore.jks is not a valid keystore" }



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to