cadonna commented on a change in pull request #10770:
URL: https://github.com/apache/kafka/pull/10770#discussion_r642904792
##########
File path: docs/security.html
##########
@@ -384,56 +384,56 @@ <h5>SSL key and certificates in PEM format</h5>
ssl.key.password=test1234</code></pre>
Other configuration settings that may also be needed depending on
our requirements and the broker configuration:
- <ol>
- <li>ssl.provider (Optional). The name of the security
provider used for SSL connections. Default value is the default security
provider of the JVM.</li>
- <li>ssl.cipher.suites (Optional). A cipher suite is a
named combination of authentication, encryption, MAC and key exchange algorithm
used to negotiate the security settings for a network connection using TLS or
SSL network protocol.</li>
- <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should
list at least one of the protocols configured on the broker side</li>
- <li>ssl.truststore.type=JKS</li>
- <li>ssl.keystore.type=JKS</li>
- </ol>
- <br>
+ <ol>
+ <li>ssl.provider (Optional). The name of the security provider
used for SSL connections. Default value is the default security provider of the
JVM.</li>
+ <li>ssl.cipher.suites (Optional). A cipher suite is a named
combination of authentication, encryption, MAC and key exchange algorithm used
to negotiate the security settings for a network connection using TLS or SSL
network protocol.</li>
+ <li>ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. It should
list at least one of the protocols configured on the broker side</li>
+ <li>ssl.truststore.type=JKS</li>
+ <li>ssl.keystore.type=JKS</li>
+ </ol>
+ <br>
Examples using console-producer and console-consumer:
- <pre class="line-numbers"><code
class="language-bash">kafka-console-producer.sh --bootstrap-server
localhost:9093 --topic test --producer.config client-ssl.properties
-kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test
--consumer.config client-ssl.properties</code></pre>
+ <pre class="line-numbers"><code class="language-bash">>
kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test
--producer.config client-ssl.properties
+> kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test
--consumer.config client-ssl.properties</code></pre>
</li>
</ol>
<h3 class="anchor-heading"><a id="security_sasl"
class="anchor-link"></a><a href="#security_sasl">7.3 Authentication using
SASL</a></h3>
<ol>
- <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig"
class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS
configuration</a></h4>
- <p>Kafka uses the Java Authentication and Authorization Service
- (<a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html";>JAAS</a>)
- for SASL configuration.</p>
- <ol>
- <li><h5><a id="security_jaas_broker"
- href="#security_jaas_broker">JAAS configuration for Kafka
brokers</a></h5>
-
- <p><tt>KafkaServer</tt> is the section name in the JAAS file used
by each
- KafkaServer/Broker. This section provides SASL configuration
options
- for the broker including any SASL client connections made by the
broker
- for inter-broker communication. If multiple listeners are
configured to use
- SASL, the section name may be prefixed with the listener name in
lower-case
- followed by a period, e.g. <tt>sasl_ssl.KafkaServer</tt>.</p>
-
- <p><tt>Client</tt> section is used to authenticate a SASL
connection with
- zookeeper. It also allows the brokers to set SASL ACL on zookeeper
- nodes which locks these nodes down so that only the brokers can
- modify it. It is necessary to have the same principal name across
all
- brokers. If you want to use a section name other than Client, set
the
- system property <tt>zookeeper.sasl.clientconfig</tt> to the
appropriate
- name (<i>e.g.</i>,
<tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
-
- <p>ZooKeeper uses "zookeeper" as the service name by default. If
you
- want to change this, set the system property
- <tt>zookeeper.sasl.client.username</tt> to the appropriate name
- (<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
-
- <p>Brokers may also configure JAAS using the broker configuration
property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix
including the SASL mechanism,
- i.e.
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>.
Only one
- login module may be specified in the config value. If multiple
mechanisms are configured on a
- listener, configs must be provided for each mechanism using the
listener and mechanism prefix.
- For example,
+ <li><h4 class="anchor-heading"><a id="security_sasl_jaasconfig"
class="anchor-link"></a><a href="#security_sasl_jaasconfig">JAAS
configuration</a></h4>
+ <p>Kafka uses the Java Authentication and Authorization Service
+ (<a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html";>JAAS</a>)
+ for SASL configuration.</p>
+ <ol>
+ <li><h5><a id="security_jaas_broker"
+ href="#security_jaas_broker">JAAS configuration for Kafka
brokers</a></h5>
+
+ <p><tt>KafkaServer</tt> is the section name in the JAAS
file used by each
+ KafkaServer/Broker. This section provides SASL
configuration options
+ for the broker including any SASL client connections made
by the broker
+ for inter-broker communication. If multiple listeners are
configured to use
+ SASL, the section name may be prefixed with the listener
name in lower-case
+ followed by a period, e.g.
<tt>sasl_ssl.KafkaServer</tt>.</p>
+
+ <p><tt>Client</tt> section is used to authenticate a SASL
connection with
+ zookeeper. It also allows the brokers to set SASL ACL on
zookeeper
+ nodes which locks these nodes down so that only the
brokers can
+ modify it. It is necessary to have the same principal name
across all
+ brokers. If you want to use a section name other than
Client, set the
+ system property <tt>zookeeper.sasl.clientconfig</tt> to
the appropriate
+ name (<i>e.g.</i>,
<tt>-Dzookeeper.sasl.clientconfig=ZkClient</tt>).</p>
+
+ <p>ZooKeeper uses "zookeeper" as the service name by
default. If you
+ want to change this, set the system property
+ <tt>zookeeper.sasl.client.username</tt> to the appropriate
name
+ (<i>e.g.</i>,
<tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
+
+ <p>Brokers may also configure JAAS using the broker
configuration property <code>sasl.jaas.config</code>.
Review comment:
I could not find the `</p>` for this `<p>`.
##########
File path: docs/security.html
##########
@@ -76,7 +76,7 @@ <h5>Host Name Verification</h5>
Server host name verification may be disabled by setting
<code>ssl.endpoint.identification.algorithm</code> to an empty string.<br>
For dynamically configured broker listeners, hostname verification
may be disabled using <code>kafka-configs.sh</code>:<br>
- <pre class="line-numbers"><code
class="language-text">bin/kafka-configs.sh --bootstrap-server localhost:9093
--entity-type brokers --entity-name 0 --alter --add-config
"listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
+ <pre class="line-numbers"><code class="language-text">>
bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers
--entity-name 0 --alter --add-config
"listener.name.internal.ssl.endpoint.identification.algorithm="</code></pre>
Review comment:
I think this should be `class="language-bash"` instead of
`class="language-text"`.
##########
File path: docs/security.html
##########
@@ -99,7 +99,7 @@ <h5>Host Name Verification</h5>
To add a SAN field append the following argument <code> -ext
SAN=DNS:{FQDN},IP:{IPADDRESS} </code> to the keytool command:
Review comment:
```suggestion
To add a SAN field append the following argument <code> -ext
SAN=DNS:{FQDN},IP:{IPADDRESS}</code> to the keytool command:
```
##########
File path: docs/security.html
##########
@@ -428,12 +428,12 @@ <h3 class="anchor-heading"><a id="security_sasl"
class="anchor-link"></a><a href
<tt>zookeeper.sasl.client.username</tt> to the appropriate name
(<i>e.g.</i>, <tt>-Dzookeeper.sasl.client.username=zk</tt>).</p>
- <p>Brokers may also configure JAAS using the broker configuration
property <code>sasl.jaas.config</code>.
- The property name must be prefixed with the listener prefix
including the SASL mechanism,
- i.e.
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>.
Only one
- login module may be specified in the config value. If multiple
mechanisms are configured on a
- listener, configs must be provided for each mechanism using the
listener and mechanism prefix.
- For example,
+ <p>Brokers may also configure JAAS using the broker
configuration property <code>sasl.jaas.config</code>.
+ The property name must be prefixed with the listener
prefix including the SASL mechanism,
+ i.e.
<code>listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config</code>.
Only one
+ login module may be specified in the config value. If
multiple mechanisms are configured on a
+ listener, configs must be provided for each mechanism
using the listener and mechanism prefix.
+ For example,
Review comment:
I think we misunderstood each other. The line that starts with `The
property name ...` should be aligned with `<p>Brokers may also ...`. I am also
fine, if you do not fix that. I think it is understandable and I see that the
indentation is not really consistent in this file.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
