Richard Wise created KAFKA-9269:
-----------------------------------

             Summary: Warn if security.protocol does not match security configuration
                 Key: KAFKA-9269
                 URL: https://issues.apache.org/jira/browse/KAFKA-9269
             Project: Kafka
          Issue Type: Improvement
          Components: clients
    Affects Versions: 2.0.1
            Reporter: Richard Wise

I find it non-intuitive to have to set the security.protocol to "SSL" when I have already configured all the SSL security parameters (e.g. keystore location etc.).

Example (using Spring Boot autoconfig, but also applicable using .properties files or setting the properties programmatically):

{code:java}
kafka:
  consumer:
    bootstrap-servers: <server>
    key-serializer: org.apache.kafka.common.serialization.StringSerializer
    value-serializer: org.apache.kafka.common.serialization.StringSerializer
  ssl:
    truststore-location: <trust store location>
    truststore-password: <password>
  properties:
    security.protocol: SSL
{code}

If I forget to set the security.protocol, it defaults to "PLAINTEXT" and therefore fails SSL handshake. This indicates that there is an issue with my SSL configuration (locations or passwords) so I enable SSL debugging, only to see no logs. Finally I realise that it is not even trying to use SSL.

One solution would be to warn if any security settings are configured that are unused given the security protocol configured (so in this example, it would warn me that my ssl.truststore properties will be ignored).

Another solution is to automatically infer the security protocol to use based on the settings provided, given that it seems as though you can infer the security protocol to use (plaintext, ssl, sasl or sasl+ssl) based on the settings defined.

I believe that making this change will improve the usability of security in Kafka clients and avoid confusion when trying to debug security issues.
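
The two suggestions in the report (warn about security settings the configured protocol will not use, and infer the protocol from the settings present), sketched as a stand-alone preflight check over a client .properties file. This is an added example, not code from the reporter or from Kafka; the function names, the sample values, and the rule that the `ssl.` and `sasl.` key prefixes mark TLS and SASL settings are assumptions.

```python
# Added example: preflight check for Kafka client properties (not Kafka code).
# Assumption: "ssl." / "sasl." key prefixes identify TLS and SASL settings.
USES = {
    "PLAINTEXT": set(),
    "SSL": {"ssl."},
    "SASL_PLAINTEXT": {"sasl."},
    "SASL_SSL": {"ssl.", "sasl."},
}
DEFAULT_PROTOCOL = "PLAINTEXT"  # the default described in the report

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def infer_protocol(props):
    """Pick the protocol whose setting families match the keys present."""
    present = {p for p in ("ssl.", "sasl.") if any(k.startswith(p) for k in props)}
    return next(name for name, used in USES.items() if used == present)

def check(props):
    """Return (effective protocol, ignored keys, inferred protocol)."""
    protocol = props.get("security.protocol", DEFAULT_PROTOCOL).upper()
    if protocol not in USES:
        raise ValueError(f"unknown security.protocol: {protocol}")
    used = USES[protocol]
    ignored = sorted(
        k for k in props
        if k.startswith(("ssl.", "sasl.")) and not any(k.startswith(p) for p in used)
    )
    return protocol, ignored, infer_protocol(props)

# Constructed sample: truststore configured, security.protocol forgotten.
SAMPLE = """\
bootstrap.servers=broker.example:9093
ssl.truststore.location=/path/to/client.truststore.jks
ssl.truststore.password=<password>
"""

if __name__ == "__main__":
    proto, ignored, inferred = check(parse_properties(SAMPLE))
    for key in ignored:
        print(f"WARN: {key} ignored under security.protocol={proto}; settings imply {inferred}")
```

Run against the sample, it flags both truststore keys as ignored under PLAINTEXT and reports SSL as the protocol the settings imply.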