Thanks for the help, can we please confirm once whether we can dynamically
update this or not?

On Fri, Jun 4, 2021, 14:05 Ran Lupovich <ranlupov...@gmail.com> wrote:

> What do you mean if you can?
> It is a supported option.
> You can set it up - but it seems that updating it dynamically is not yet
> implemented - but I'll have to look into the Kafka code - not going to that
> at the moment.
>
> On Fri, Jun 4, 2021, 11:27 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>
> > But according to the documentation provided by you we can configure
> > SSL.client.auth right??
> >
> > Config options:
> >
> > Listener Configs
> >
> > listeners
> > advertised.listeners
> > listener.security.protocol.map
> >
> > Common security config
> >
> > principal.builder.class
> >
> > SSL Configs
> >
> > ssl.protocol
> > ssl.provider
> > ssl.cipher.suites
> > ssl.enabled.protocols
> > ssl.truststore.type
> > ssl.truststore.location
> > ssl.truststore.password
> > ssl.keymanager.algorithm
> > ssl.trustmanager.algorithm
> > ssl.endpoint.identification.algorithm
> > ssl.secure.random.implementation
> > *ssl.client.auth*
> >
> > On Fri, Jun 4, 2021, 13:45 Ran Lupovich <ranlupov...@gmail.com> wrote:
> >
> > > All the security configs can be dynamically configured for new listeners.
> > > In the initial implementation, only some configs will be dynamically
> > > updatable for existing listeners (e.g. SSL keystores). Support for updating
> > > other security configs dynamically for existing listeners will be added
> > > later
> > >
> > > https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=74687608#content/view/74687608
> > >
> > > Maybe not supported yet?
> > >
> > > On Fri, Jun 4, 2021, 10:49 Ran Lupovich <ranlupov...@gmail.com> wrote:
> > >
> > > > Thanks for checking... is there a way for you to check if this behavior is
> > > > for "already connected clients" and what check only what happens to "new
> > > > connections"
> > > >
> > > > On Fri, Jun 4, 2021, 10:47 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >
> > > >> Neither listener specific nor ssl.client.auth is working dynamically
> > > >>
> > > >> On Fri, Jun 4, 2021, 13:04 Ran Lupovich <ranlupov...@gmail.com> wrote:
> > > >>
> > > >> > And not* to specific listener
> > > >> >
> > > >> > On Fri, Jun 4, 2021, 10:30 Ran Lupovich <ranlupov...@gmail.com> wrote:
> > > >> >
> > > >> > > According to documentation it is dynamic and should work, though it is
> > > >> > > "general" ssl.auth of the entire broker setting and to specific listener
> > > >> > > as you are trying out, but the logic says it should work the same...
> > > >> > > besides that I do not have anything smart to suggest, the only
> > > >> > > understanding we need is if specific listener config is dynamically
> > > >> > > changeable and when it takes place? New connections? Do all your clients
> > > >> > > fully disconnect and reconnect to that listener?
> > > >> > >
> > > >> > > On Fri, Jun 4, 2021, 10:25 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >> > >
> > > >> > >> Yes restarting the Kafka solves the problem but as it is dynamic there is
> > > >> > >> no need to restart the Kafka right?
> > > >> > >>
> > > >> > >> On Fri, Jun 4, 2021, 12:13 Ran Lupovich <ranlupov...@gmail.com> wrote:
> > > >> > >>
> > > >> > >> > Restarting the broker solves the problem? Do your clients fully
> > > >> > >> > disconnect and reconnect?
> > > >> > >> >
> > > >> > >> > On Fri, Jun 4, 2021, 09:24 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >> > >> >
> > > >> > >> > > Hi Ran,
> > > >> > >> > >
> > > >> > >> > > Thank you so much for the help, but had already gone through the
> > > >> > >> > > documentation, but despite doing the same thing it is not working, we are
> > > >> > >> > > not getting any client certificate request as such, is there anything that
> > > >> > >> > > I am missing in executing the command or we need to restart the brokers
> > > >> > >> > > or anything else we need to do?
> > > >> > >> > >
> > > >> > >> > >
> > > >> > >> > > Thanks & Regards
> > > >> > >> > > Anjali
> > > >> > >> > >
> > > >> > >> > > On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
> > > >> > >> > >
> > > >> > >> > > > Adding this information that supports your assumptions that it should be
> > > >> > >> > > > dynamically supported. Notice the update mode -
> > > >> > >> > > >
> > > >> > >> > > > Dynamic Update Mode option in Broker Configurations
> > > >> > >> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers>
> > > >> > >> > > > for the update mode of each broker configuration.
> > > >> > >> > > >
> > > >> > >> > > >    - read-only: Requires a broker restart for update.
> > > >> > >> > > >    - per-broker: May be updated dynamically for each broker.
> > > >> > >> > > >    - cluster-wide: May be updated dynamically as a cluster-wide default.
> > > >> > >> > > >    May also be updated as a per-broker value for testing
> > > >> > >> > > >
> > > >> > >> > > > ssl.client.auth
> > > >> > >> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>
> > > >> > >> > > >
> > > >> > >> > > > Configures kafka broker to request client authentication. The following
> > > >> > >> > > > settings are common:
> > > >> > >> > > >
> > > >> > >> > > >    - ssl.client.auth=required If set to required client authentication is
> > > >> > >> > > >    required.
> > > >> > >> > > >    - ssl.client.auth=requested This means client authentication is
> > > >> > >> > > >    optional. unlike required, if this option is set client can choose not to
> > > >> > >> > > >    provide authentication information about itself
> > > >> > >> > > >    - ssl.client.auth=none This means client authentication is not needed.
> > > >> > >> > > >
> > > >> > >> > > > Type: string
> > > >> > >> > > > Default: none
> > > >> > >> > > > Valid Values: [required, requested, none]
> > > >> > >> > > > Importance: medium
> > > >> > >> > > > Update Mode: per-broker
> > > >> > >> > > >
> > > >> > >> > > > On Fri, Jun 4, 2021, 08:30 Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >> > >> > > >
> > > >> > >> > > > > Dear All,
> > > >> > >> > > > >
> > > >> > >> > > > > When trying to configure mtls without restarting the brokers it is not
> > > >> > >> > > > > working.
> > > >> > >> > > > > For mutualTLS "ssl.client.auth" should be set to "required". So, if we are
> > > >> > >> > > > > trying to do the dynamic update using the below command
> > > >> > >> > > > >
> > > >> > >> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
> > > >> > >> > > > > --entity-type brokers --entity-name 117373 --alter --add-config
> > > >> > >> > > > > listener.name.app.ssl.client.auth=required*
> > > >> > >> > > > > *Completed updating config for broker 117373.*
> > > >> > >> > > > >
> > > >> > >> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
> > > >> > >> > > > > --entity-type brokers --entity-name 117373 --describe
> > > >> > >> > > > > Dynamic configs for broker 117373 are:
> > > >> > >> > > > > listener.name.app.ssl.client.auth=required sensitive=false
> > > >> > >> > > > > synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required,
> > > >> > >> > > > > STATIC_BROKER_CONFIG:ssl.client.auth=none,
> > > >> > >> > > > > DEFAULT_CONFIG:ssl.client.auth=none}*
> > > >> > >> > > > > Dynamic command execution is success but in captured tcpdump(pcap)
> > > >> > >> > > > > "Certificate Request" is not sent from Server.
> > > >> > >> > > > >
> > > >> > >> > > > > But if we alter manually and restart Kafka we can see "Certificate
> > > >> > >> > > > > Request" from Server in tcpdump.
> > > >> > >> > > > >
> > > >> > >> > > > > Please help in resolving the dynamic update of altering
> > > >> > >> > > > > "ssl.client.auth=Required"
> > > >> > >> > > > >
> > > >> > >> > > > > Pcap image is attached

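The mismatch reported in this thread, a dynamic `required` override sitting on top of a static `none`, can be flagged from the `--describe` output itself. The Python below is an added example, not code from the thread's participants or from Kafka; `parse_describe` and `client_auth_gaps` are hypothetical helper names, and the sample is the thread's output unwrapped onto one line.

```python
import re

# Constructed sample: the --describe output quoted in the thread, unwrapped.
DESCRIBE_OUTPUT = """Dynamic configs for broker 117373 are:
  listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}
"""

STRICTNESS = {"none": 0, "requested": 1, "required": 2}  # valid values, weakest first
ENTRY = re.compile(r"^\s*(\S+)=(\S*) sensitive=\w+ synonyms=\{(.*)\}\s*$")


def parse_describe(text):
    """Map each config name to its reported value and ordered synonym list."""
    configs = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header line or anything that is not a config entry
        name, value, syn_text = m.groups()
        synonyms = []
        # Split only on commas that start a new "SOURCE:key=value" item.
        for item in re.split(r",\s*(?=[A-Z_]+:)", syn_text):
            source, _, kv = item.partition(":")
            key, _, val = kv.partition("=")
            synonyms.append((source, key, val))
        configs[name] = {"value": value, "synonyms": synonyms}
    return configs


def client_auth_gaps(configs):
    """Return (listener, dynamic_value, startup_value) where the dynamic
    ssl.client.auth is stricter than the non-dynamic value behind it."""
    gaps = []
    for name, cfg in configs.items():
        if name != "ssl.client.auth" and not name.endswith(".ssl.client.auth"):
            continue
        m = re.match(r"listener\.name\.([^.]+)\.", name)
        listener = m.group(1) if m else None  # None means broker-wide
        # First synonym that is not a dynamic override: static file or default.
        startup = next((v for src, _, v in cfg["synonyms"]
                        if not src.startswith("DYNAMIC_")), "none")
        if STRICTNESS.get(cfg["value"], 0) > STRICTNESS.get(startup, 0):
            gaps.append((listener, cfg["value"], startup))
    return gaps


if __name__ == "__main__":
    for listener, dynamic, startup in client_auth_gaps(parse_describe(DESCRIBE_OUTPUT)):
        print(f"listener {listener}: dynamic={dynamic} static={startup}; "
              "check a capture for Certificate Request before relying on mTLS")
```

A reported gap does not prove the listener is unauthenticated; it marks the listeners where the handshake should be checked in a capture, as was done in the thread.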