[ https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414263#comment-17414263 ]

Rajini Sivaram commented on KAFKA-13293:
----------------------------------------

[~teabot] Sorry, I should have said `recreates SSLContext` rather than 
`SslEngineFactory`. I haven't tried it out, but I think you can implement a 
custom factory that has a mutable SSLContext which is updated when required. 
Basically we want to make sure `CustomSslEngineFactory` always has a valid 
`SSLContext` that is used by SslEngineFactory#createClientSslEngine() to create 
a new SSLEngine whenever a new connection is established, but we can swap out 
the SSLContext with a new one if we can detect a change. As you said, we cannot 
rely on `SslEngineFactory#shouldBeRebuilt()` since that is invoked only for 
brokers when ALTER_CONFIGS is processed.

> Support client reload of PEM certificates
> -----------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as 
> client configuration properties in addition to JKS file based key stores 
> (KAFKA-10338). With PEM, certificate chains are passed into clients as simple 
> string based key-value properties, alongside existing client configuration. 
> This offers a number of benefits: it provides a JVM agnostic security 
> mechanism from the perspective of clients, removes the client's dependency on 
> the local filesystem, and allows the encapsulation of the entire client 
> configuration into a single payload.
>
> However, the current client PEM implementation has a feature regression when 
> compared with the JKS implementation. With the JKS approach, clients would 
> automatically reload certificates when the key stores were modified on disk. 
> This enables a seamless approach for the replacement of certificates when 
> they are due to expire; no further configuration or explicit interference 
> with the client lifecycle is needed for the client to migrate to renewed 
> certificates.
>
> Such a capability does not currently exist for PEM. One supplies key chains 
> when instantiating clients only - there is no mechanism available to either 
> directly reconfigure the client, or for the client to observe changes to the 
> original properties set reference used in construction. Additionally, no 
> work-arounds are documented that might give users alternative strategies for 
> dealing with expiring certificates. Given that expiration and renewal of 
> certificates is an industry standard practice, it could be argued that the 
> current PEM client implementation is not fit for purpose.
>
> In summary, a mechanism should be provided such that clients can 
> automatically detect, load, and use updated PEM key chains from some non-file 
> based source (object ref, method invocation, listener, etc.)
>
> Finally, it is suggested that in the short-term Kafka documentation be 
> updated to describe any viable mechanism for updating client PEM certs 
> (perhaps closing existing client and then recreating?).
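The comment above sketches a custom `SslEngineFactory` that holds a mutable `SSLContext` and swaps it when the PEM material changes, so that every new connection (`createClientSslEngine`) is built from current certificates. The class below is an added example of that idea, not code from Kafka or from the commenter. It implements the real `org.apache.kafka.common.security.auth.SslEngineFactory` interface (whose method set is as in Kafka 2.7), but `PemMaterial`, `setMaterialSource` and the change-detection rule (a new snapshot of the three PEM strings that no longer equals the last one) are hypothetical design choices made here. It also assumes an unencrypted PKCS#8 private key and ignores the `ssl.*` entries Kafka passes to `configure()`, because the material comes from the application-supplied source instead.

```java
import org.apache.kafka.common.security.auth.SslEngineFactory;
import javax.net.ssl.*;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import java.util.function.Supplier;

// Added example, not Kafka code. A client-side SslEngineFactory whose SSLContext is
// swapped whenever the PEM material from an application-supplied source changes.
// PemMaterial and setMaterialSource are hypothetical hooks, not Kafka APIs.
public class ReloadablePemSslEngineFactory implements SslEngineFactory {

    /** Snapshot of the PEM strings; "changed" means this snapshot no longer equals the last one. */
    public static final class PemMaterial {
        // unencrypted PKCS#8 key (assumption), leaf-first certificate chain, trusted CA certificates
        final String privateKeyPem, certChainPem, trustedCertsPem;

        public PemMaterial(String privateKeyPem, String certChainPem, String trustedCertsPem) {
            this.privateKeyPem = privateKeyPem; this.certChainPem = certChainPem; this.trustedCertsPem = trustedCertsPem;
        }
        @Override public boolean equals(Object o) {
            return o instanceof PemMaterial && privateKeyPem.equals(((PemMaterial) o).privateKeyPem)
                    && certChainPem.equals(((PemMaterial) o).certChainPem)
                    && trustedCertsPem.equals(((PemMaterial) o).trustedCertsPem);
        }
        @Override public int hashCode() { return Objects.hash(privateKeyPem, certChainPem, trustedCertsPem); }
    }

    // Kafka instantiates the factory by reflection from ssl.engine.factory.class, so the
    // application registers its PEM source through this static hook before building the client.
    private static volatile Supplier<PemMaterial> materialSource;
    public static void setMaterialSource(Supplier<PemMaterial> source) { materialSource = source; }

    private PemMaterial current;            // last snapshot the context was built from
    private volatile SSLContext sslContext; // always valid once configure() has returned
    private volatile KeyStore keystore, truststore;

    @Override public void configure(Map<String, ?> configs) { refreshIfChanged(); }

    @Override public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
        refreshIfChanged(); // new connection: pick up a rotated certificate before creating the engine
        SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(endpointIdentification); // "HTTPS" keeps hostname verification on
        engine.setSSLParameters(params);
        return engine;
    }

    @Override public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
        throw new UnsupportedOperationException("client-only factory");
    }

    // Invoked only for brokers on ALTER_CONFIGS, so it is not the client's reload path.
    @Override public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) { return false; }
    @Override public Set<String> reconfigurableConfigs() { return Collections.emptySet(); }
    @Override public KeyStore keystore() { return keystore; }
    @Override public KeyStore truststore() { return truststore; }
    @Override public void close() { }

    /** Rebuild the in-memory stores and the SSLContext, but only when the PEM snapshot differs. */
    private synchronized void refreshIfChanged() {
        PemMaterial latest = materialSource.get();
        if (latest == null || latest.equals(current)) return;
        try {
            char[] pw = "in-memory".toCharArray(); // protects nothing persistent; the stores never touch disk
            KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, null);
            ks.setKeyEntry("client", parsePkcs8Key(latest.privateKeyPem), pw,
                    parseCerts(latest.certChainPem).toArray(new Certificate[0]));
            KeyStore ts = KeyStore.getInstance("PKCS12"); ts.load(null, null);
            int n = 0;
            for (Certificate ca : parseCerts(latest.trustedCertsPem)) ts.setCertificateEntry("ca-" + n++, ca);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pw);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            keystore = ks; truststore = ts; sslContext = ctx; current = latest;
        } catch (Exception e) {
            // A malformed new bundle must not take down a client that still has a working context
            // (a real implementation would log and alert here); fail only if there is nothing to fall back to.
            if (sslContext == null) throw new IllegalStateException("no usable SSLContext from PEM material", e);
        }
    }

    private static Collection<? extends Certificate> parseCerts(String pem) throws Exception {
        return CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    private static PrivateKey parsePkcs8Key(String pem) throws Exception {
        String b64 = pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try { return KeyFactory.getInstance("RSA").generatePrivate(spec); }
        catch (InvalidKeySpecException notRsa) { return KeyFactory.getInstance("EC").generatePrivate(spec); }
    }
}
```

To use it, the application calls `ReloadablePemSslEngineFactory.setMaterialSource(...)` with whatever supplies fresh PEM strings (a secrets-manager client, a config watcher, an in-memory reference it updates itself), then builds the Kafka client with `security.protocol=SSL` and `ssl.engine.factory.class` set to this class. Connections already established keep their negotiated TLS session; only connections opened after the material changes use the new certificate, which is the behaviour the comment describes. Keeping the previous `SSLContext` when a new bundle fails to parse is deliberate: a bad rotation then surfaces as a monitoring event rather than as a client that can no longer connect.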



--
This message was sent by Atlassian Jira
(v8.3.4#803005)