cadonna commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r640479762
##########
File path: docs/security.html
##########
@@ -208,25 +208,25 @@ <h5>Host Name Verification</h5>
Then create a database and serial number file, these will be used
to keep track of which certificates were signed with this CA. Both of
these are simply text files that reside in the same directory as
your CA keys.
- <pre class="line-numbers"><code class="language-bash">echo 01 >
serial.txt
+ <pre class="line-numbers"><code class="language-bash">> echo 01
> serial.txt
touch index.txt</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -384,16 +384,16 @@ <h5>SSL key and certificates in PEM format</h5>
ssl.key.password=test1234</code></pre>
Other configuration settings that may also be needed depending on
our requirements and the broker configuration:
- <ol>
- <li>ssl.provider (Optional). The name of the security
provider used for SSL connections. Default value is the default security
provider of the JVM.</li>
- <li>ssl.cipher.suites (Optional). A cipher suite is a
named combination of authentication, encryption, MAC and key exchange algorithm
used to negotiate the security settings for a network connection using TLS or
SSL network protocol.</li>
- <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should
list at least one of the protocols configured on the broker side</li>
- <li>ssl.truststore.type=JKS</li>
- <li>ssl.keystore.type=JKS</li>
- </ol>
- <br>
+ <ol>
+ <li>ssl.provider (Optional). The name of the security provider
used for SSL connections. Default value is the default security provider of the
JVM.</li>
+ <li>ssl.cipher.suites (Optional). A cipher suite is a named
combination of authentication, encryption, MAC and key exchange algorithm used
to negotiate the security settings for a network connection using TLS or SSL
network protocol.</li>
+ <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should
list at least one of the protocols configured on the broker side</li>
+ <li>ssl.truststore.type=JKS</li>
+ <li>ssl.keystore.type=JKS</li>
+ </ol>
+ <br>
Examples using console-producer and console-consumer:
- <pre class="line-numbers"><code
class="language-bash">kafka-console-producer.sh --bootstrap-server
localhost:9093 --topic test --producer.config client-ssl.properties
+ <pre class="line-numbers"><code class="language-bash">>
kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test
--producer.config client-ssl.properties
kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test
--consumer.config client-ssl.properties</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -47,7 +47,7 @@ <h3 class="anchor-heading"><a id="security_ssl"
class="anchor-link"></a><a href=
The tool supports two different keystore formats, the Java
specific jks format which has been deprecated by now, as well as PKCS12.
PKCS12 is the default format as of Java version 9, to ensure this
format is being used regardless of the Java version in use all following
commands explicitly specify the PKCS12 format.
- <pre class="line-numbers"><code class="language-bash">keytool
-keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg
RSA -storetype pkcs12</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> keytool
-keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg
RSA -storetype pkcs12</code></pre>
Review comment:
Now I saw that it has been already used further down. I fine with
keeping it to distingiush better between configs and commands. However, I found
some places where `>` is still missing (see further down).
##########
File path: docs/security.html
##########
@@ -47,7 +47,7 @@ <h3 class="anchor-heading"><a id="security_ssl"
class="anchor-link"></a><a href=
The tool supports two different keystore formats, the Java
specific jks format which has been deprecated by now, as well as PKCS12.
PKCS12 is the default format as of Java version 9, to ensure this
format is being used regardless of the Java version in use all following
commands explicitly specify the PKCS12 format.
- <pre class="line-numbers"><code class="language-bash">keytool
-keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg
RSA -storetype pkcs12</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> keytool
-keystore {keystorefile} -alias localhost -validity {validity} -genkey -keyalg
RSA -storetype pkcs12</code></pre>
Review comment:
I am wondering if it is a good idea to add `>` in front of the commands.
It is something additional users need to remove when they copy & paste the
commands.
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl"
class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration
property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix
including the SASL mechanism,
- i.e.
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>.
Only one
- login module may be specified in the config value. If multiple
mechanisms are configured on a
- listener, configs must be provided for each mechanism using the
listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker
configuration property <code>sasl.jaas.config</code>.
+ The property name must be prefixed with the listener
prefix including the SASL mechanism,
+ i.e.
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>.
Only one
+ login module may be specified in the config value. If
multiple mechanisms are configured on a
+ listener, configs must be provided for each mechanism
using the listener and mechanism prefix.
+ For example,
Review comment:
Why the indentation here? It should be on the same level as the previous
paragraph, right?
##########
File path: docs/security.html
##########
@@ -237,10 +237,10 @@ <h5>Host Name Verification</h5>
</li>
<li><h4 class="anchor-heading"><a id="security_ssl_signing"
class="anchor-link"></a><a href="#security_ssl_signing">Signing the
certificate</a></h4>
Then sign it with the CA:
- <pre class="line-numbers"><code class="language-bash">openssl ca
-config openssl-ca.cnf -policy signing_policy -extensions signing_req -out
{server certificate} -infiles {certificate signing request}</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> openssl
ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out
{server certificate} -infiles {certificate signing request}</code></pre>
Finally, you need to import both the certificate of the CA and the
signed certificate into the keystore:
- <pre class="line-numbers"><code class="language-bash">keytool
-keystore {keystore} -alias CARoot -import -file {CA certificate}
+ <pre class="line-numbers"><code class="language-bash">> keytool
-keystore {keystore} -alias CARoot -import -file {CA certificate}
keytool -keystore {keystore} -alias localhost -import -file
cert-signed</code></pre>
Review comment:
If we decide to keep the `>`, then it is missing here.
##########
File path: docs/security.html
##########
@@ -443,134 +443,133 @@ <h3 class="anchor-heading"><a id="security_sasl"
class="anchor-link"></a><a href
user_admin="admin-secret" \
user_alice="alice-secret";</code></pre>
- If JAAS configuration is defined at different levels, the order of
precedence used is:
- <ul>
- <li>Broker configuration property
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code></li>
- <li><code>{listenerName}.KafkaServer</code> section of static
JAAS configuration</code></li>
- <li><code>KafkaServer</code> section of static JAAS
configuration</code></li>
- </ul>
- Note that ZooKeeper JAAS config may only be configured using
static JAAS configuration.
-
- <p>See <a href="#security_sasl_kerberos_brokerconfig">GSSAPI
(Kerberos)</a>,
- <a href="#security_sasl_plain_brokerconfig">PLAIN</a>,
- <a href="#security_sasl_scram_brokerconfig">SCRAM</a> or
- <a href="#security_sasl_oauthbearer_brokerconfig">OAUTHBEARER</a>
for example broker configurations.</p></li>
-
- </li>
- <li><h5><a id="security_jaas_client"
- href="#security_jaas_client">JAAS configuration for Kafka
clients</a></h5>
-
- <p>Clients may configure JAAS using the client configuration
property
- <a href="#security_client_dynamicjaas">sasl.jaas.config</a>
- or using the <a href="#security_client_staticjaas">static JAAS
config file</a>
- similar to brokers.</p>
-
- <ol>
- <li><h6><a id="security_client_dynamicjaas"
- href="#security_client_dynamicjaas">JAAS configuration using
client configuration property</a></h6>
- <p>Clients may specify JAAS configuration as a producer or
consumer property without
- creating a physical configuration file. This mode also enables
different producers
- and consumers within the same JVM to use different credentials
by specifying
- different properties for each client. If both static JAAS
configuration system property
- <code>java.security.auth.login.config</code> and client
property <code>sasl.jaas.config</code>
- are specified, the client property will be used.</p>
-
- <p>See <a href="#security_sasl_kerberos_clientconfig">GSSAPI
(Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a
href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a> for example
configurations.</p></li>
-
- <li><h6 class="anchor-heading"><a
id="security_client_staticjaas" class="anchor-link"></a><a
href="#security_client_staticjaas">JAAS configuration using static config
file</a></h6>
- To configure SASL authentication on the clients using static
JAAS config file:
- <ol>
- <li>Add a JAAS config file with a client login section named
<tt>KafkaClient</tt>. Configure
- a login module in <tt>KafkaClient</tt> for the selected
mechanism as described in the examples
- for setting up <a
href="#security_sasl_kerberos_clientconfig">GSSAPI (Kerberos)</a>,
- <a href="#security_sasl_plain_clientconfig">PLAIN</a>,
- <a href="#security_sasl_scram_clientconfig">SCRAM</a> or
- <a
href="#security_sasl_oauthbearer_clientconfig">OAUTHBEARER</a>.
- For example, <a
href="#security_sasl_gssapi_clientconfig">GSSAPI</a>
- credentials may be configured as:
- <pre class="line-numbers"><code
class="language-text">KafkaClient {
+ If JAAS configuration is defined at different levels, the
order of precedence used is:
Review comment:
Also this indentation do not seem to align to the previous section
header `JAAS configuration for Kafka brokers`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
