Is it possible to enable client SSL when PLAINTEXT brokers exist in the cluster?
Suppose you have 9 brokers in a cluster. 8 are configured with both SSL and PLAINTEXT endpoints. One broker is configured with only a PLAINTEXT endpoint, and this broker does NOT OWN any partitions.

I supply a list of 3 brokers for the producer config that are all SSL enabled. In this setup, the producers fail to fetch metadata for a topic, even though the producer is only connecting to one of the SSL brokers.

SSL-enabled producer client log output:

> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initialize connection to node -2 for sending metadata request
> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initiating connection to node -2 at REDACTED.SSL.BROKER.COM:REDACTED-PORT.
> 2018-04-02 19:03:08.131 DEBUG o.a.kafka.clients.NetworkClient - Completed connection to node -2
> 2018-04-02 19:03:08.253 DEBUG o.a.kafka.clients.NetworkClient - Sending metadata request {topics=[my-topic]} to node -2
> 2018-04-02 19:03:08.267 WARN o.a.kafka.clients.NetworkClient - Error while fetching metadata with correlation id 0 : {my-topic=UNKNOWN}
> 2018-04-02 19:03:08.267 TRACE o.a.kafka.clients.NetworkClient - Ignoring empty metadata response with correlation id 0.

Once I shut down the plaintext broker, all is fine again.

Brokers are on 0.10.1 and clients are 0.9.

Is this intended behavior? Does the entire cluster always have to have SSL enabled? Why is the metadata request failing if the plaintext broker does not own any partitions at all, and the client is not connecting to that broker?

Thanks,
Alex
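A pre-flight check for the cluster layout described in the post: it reads each broker's server.properties text and lists the brokers that publish no endpoint for the security protocol the clients will use. This is an added example, not part of the original message; the broker names, hostnames and ports are constructed, and `brokers_missing` is a hypothetical helper name.

```python
import re

# Matches one listener entry such as "SSL://b1.example.com:9093" or "PLAINTEXT://:9092".
LISTENER_RE = re.compile(r"^([A-Z_]+)://(\[[^\]]*\]|[^:]*):(\d+)$")


def parse_properties(text):
    """Parse the key=value lines of a server.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def published_protocols(props):
    """Return the set of security protocols a broker publishes to clients."""
    # advertised.listeners takes precedence over listeners; with neither set,
    # the broker falls back to a single PLAINTEXT listener.
    raw = props.get("advertised.listeners") or props.get("listeners") or "PLAINTEXT://:9092"
    protocols = set()
    for entry in raw.split(","):
        match = LISTENER_RE.match(entry.strip())
        if match is None:
            raise ValueError("unparseable listener entry: %r" % entry)
        protocols.add(match.group(1))
    return protocols


def brokers_missing(protocol, configs):
    """List broker names (sorted) that publish no endpoint for `protocol`."""
    return sorted(name for name, text in configs.items()
                  if protocol not in published_protocols(parse_properties(text)))


# Constructed sample configs (broker names, hostnames and ports are made up).
SAMPLE_CONFIGS = {
    "broker-1": "broker.id=1\nlisteners=PLAINTEXT://:9092,SSL://:9093\n",
    "broker-2": "broker.id=2\nlisteners=PLAINTEXT://:9092,SSL://:9093\n"
                "advertised.listeners=PLAINTEXT://b2.example.com:9092,SSL://b2.example.com:9093\n",
    "broker-9": "# PLAINTEXT only, like the ninth broker in the post\n"
                "broker.id=9\nlisteners=PLAINTEXT://:9092\n",
}

if __name__ == "__main__":
    print(brokers_missing("SSL", SAMPLE_CONFIGS))
```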