[jira] [Comment Edited] (KAFKA-8843) Zookeeper migration tool support for TLS

Mon, 27 Jan 2020 11:40:13 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-8843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024606#comment-17024606
 ] 

Gérald Quintana edited comment on KAFKA-8843 at 1/27/20 7:39 PM:
-----------------------------------------------------------------

I am probably dreaming, but it would be great to have 
_zookeeper-client.properties_ config file on par with 
producer/consumer.properties config files, containing both TLS and optionnaly 
JAAS authentication settings:
{code:java}
zookeeper.client.secure=true
zookeeper.sasl.jaas.config=org.apache.zookeeper.server.auth.DigestLoginModule 
required username="kafka" password="kafkapass";
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.truststore.password=truststorepass
{code}
As a result, the command line argument could be named _-zk-config-file_ instead 
of _-zk-tls-config-file_


was (Author: gquintana):
I am probably dreaming, but it would be great to have 
_zookeeper-client.properties_ config file on par with 
producer/consumer.properties config files, containing both TLS and JAAS 
authentication settings:

 
{code:java}
zookeeper.client.secure=true
zookeeper.sasl.jaas.config=org.apache.zookeeper.server.auth.DigestLoginModule 
required username="kafka" password="kafkapass";
zookeeper.ssl.truststore.location=/etc/kafka/truststore.jks
zookeeper.ssl.truststore.password=truststorepass
{code}
As a result, the command line argument could be named _-zk-config-file_ instead 
of _-zk-tls-config-file_

> Zookeeper migration tool support for TLS
> ----------------------------------------
>
>                 Key: KAFKA-8843
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8843
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Pere Urbon-Bayes
>            Assignee: Pere Urbon-Bayes
>            Priority: Minor
>
> Currently zookeeper-migration tool works based on SASL authentication. What 
> means only digest and kerberos authentication is supported.
>  
> With the introduction of ZK 3.5, TLS is added, including a new X509 
> authentication provider. 
>  
> To support this great future and utilise the TLS principals, the 
> zookeeper-migration-tool script should support the X509 authentication as 
> well.
>  
> In my newbie view, this should mean adding a new parameter to allow other 
> ways of authentication around 
> [https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65.
>  
> |https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ZkSecurityMigrator.scala#L65]
>  
> If I understand the process correct, this will require a KIP, right?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to