[jira] [Commented] (KAFKA-8843) Zookeeper migration tool support for TLS

Mon, 18 Nov 2019 13:23:57 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976893#comment-16976893
 ] 

Kelly Schoenhofen commented on KAFKA-8843:
------------------------------------------

Question, does ZK 3.5.6 allow for SSL (TLS, but let's say SSL to keep in line 
with the documentation) from Kafka? Not SASL_SSL, just plain SSL. Is that what 
this Jira is for? I have quorum TLS working in ZK 3.5.6, I added a tls-secured 
listener, but as of yet I can't quite get Kafka to connect to it:

{{[2019-11-18 15:03:11,545] INFO Opening socket connection to server 
xxx/x.x.x.x:2182. Will not attempt to authenticate using SASL (unknown error) 
(org.apache.zookeeper.ClientCnxn)}}

is the closest I have come, but I didn't want do to SASL_SSL, I just want to 
secure the traffic between Kafka and ZooKeeper using TLS 1.2 and a specific 
class of cipher, like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and enforce the CN 
name on each side to match each other's cert & trusted cert stores (like how 
ZooKeeper Quorum TLS works). 

> Zookeeper migration tool support for TLS
> ----------------------------------------
>
>                 Key: KAFKA-8843
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8843
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Pere Urbon-Bayes
>            Assignee: Pere Urbon-Bayes
>            Priority: Minor
>
> Currently zookeeper-migration tool works based on SASL authentication. What 
> means only digest and kerberos authentication is supported.
>  
> With the introduction of ZK 3.5, TLS is added, including a new X509 
> authentication provider. 
>  
> To support this great future and utilise the TLS principals, the 
> zookeeper-migration-tool script should support the X509 authentication as 
> well.
>  
> In my newbie view, this should mean adding a new parameter to allow other 
> ways of authentication around 
> [https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65.
>  
> |https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65]
>  
> If I understand the process correct, this will require a KIP, right?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to