C0urante opened a new pull request #11894: URL: https://github.com/apache/kafka/pull/11894
[Jira](https://issues.apache.org/jira/browse/KAFKA-13613)

Some JVMs don't come with the `HmacSHA256` algorithm out of the box, but do come with other key generation and/or MAC algorithms. However, it's impossible at the moment to run Connect on such a JVM, because the defaults for the `inter.worker.*.algorithm` properties are validated during worker startup, and that validation includes a check to make sure that the algorithm in question is provided by the worker's JVM.

To address this, automatic validation using the `ConfigDef::Validator` interface is disabled and all KIP-507 [1] related config validation is moved into the `DistributedConfig` constructor, which allows validation to take place only for the algorithms that the worker is actually configured to use. Any of these algorithms may still be the default, but if not, the default will never be validated.

In addition, a bug in the logic for ensuring that a worker's signature algorithm is included in its list of verification algorithms is fixed. The existing logic checks to see if its **key generation** algorithm is included in the list of verification algorithms, which does not adhere to KIP-507 [1] (see docstring for the `inter.worker.verification.algorithms` property), and serves no practical purpose.

[1] - https://cwiki.apache.org/confluence/display/KAFKA/KIP-507%3A+Securing+Internal+Connect+REST+Endpoints#KIP507:SecuringInternalConnectRESTEndpoints-ProposedChanges

### Committer Checklist (excluded from commit message)

- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)
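
The two checks described in the pull request above, as an added stand-alone sketch that is not part of the original message and is not Kafka's `DistributedConfig` code: only the effective algorithm values are looked up in the JVM, and the signature algorithm (not the key generation algorithm) must appear in the verification list. The class name, method names and sample values are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;

// Added sketch with hypothetical names; not Kafka's DistributedConfig.
public class InterWorkerAlgorithmCheck {
    static final String KEYGEN = "inter.worker.key.generation.algorithm";
    static final String SIGNATURE = "inter.worker.signature.algorithm";
    static final String VERIFICATION = "inter.worker.verification.algorithms";

    // cfg holds the effective values only, so an unused default is never looked up.
    static void validate(Map<String, String> cfg) {
        String keygen = cfg.get(KEYGEN).trim();
        String signature = cfg.get(SIGNATURE).trim();
        List<String> verification = Arrays.asList(cfg.get(VERIFICATION).trim().split("\\s*,\\s*"));
        try {
            KeyGenerator.getInstance(keygen);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(KEYGEN + ": " + keygen + " is not provided by this JVM", e);
        }
        requireMac(SIGNATURE, signature);
        for (String algorithm : verification) {
            requireMac(VERIFICATION, algorithm);
        }
        // Membership is checked for the signature algorithm, not the key generation one.
        if (!verification.contains(signature)) {
            throw new IllegalArgumentException(SIGNATURE + " (" + signature + ") must be listed in " + VERIFICATION);
        }
    }

    static void requireMac(String property, String algorithm) {
        try {
            Mac.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(property + ": " + algorithm + " is not provided by this JVM", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample configs: the first is consistent, the second signs with
        // an algorithm that peers are not configured to verify.
        validate(Map.of(KEYGEN, "HmacSHA512", SIGNATURE, "HmacSHA512", VERIFICATION, "HmacSHA512"));
        try {
            validate(Map.of(KEYGEN, "HmacSHA512", SIGNATURE, "HmacSHA512", VERIFICATION, "HmacSHA256"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```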