Thanks for the help, can we please confirm once whether we can dynamically update this or not?
On Fri, Jun 4, 2021, 14:05 Ran Lupovich <ranlupov...@gmail.com> wrote: > What do you mean if you can? > It is supported option. > You can set it up - but seems to do it dynamically update is not yet > implemented - but I'll have to look into the kafka code - not going to that > at the moment. > בתאריך יום ו׳, 4 ביוני 2021, 11:27, מאת Anjali Sharma < > sharma.anjali.2...@gmail.com>: > > > But according to the documentation provided by you we can configure > > SSL.client.auth right?? > > > > Config options: > > > > Listener Configs > > > > listeners > > advertised.listeners > > listener.security.protocol.map > > Common security config > > > > principal.builder.class > > SSL Configs > > > > ssl.protocol > > ssl.provider > > ssl.cipher.suites > > ssl.enabled.protocols > > ssl.truststore.type > > ssl.truststore.location > > ssl.truststore.password > > ssl.keymanager.algorithm > > ssl.trustmanager.algorithm > > ssl.endpoint.identification.algorithm > > ssl.secure.random.implementation > > *ssl.client.auth* > > > > On Fri, Jun 4, 2021, 13:45 Ran Lupovich <ranlupov...@gmail.com> wrote: > > > > > All the security configs can be dynamically configured for new > listeners. > > > In the initial implementation, only some configs will be dynamically > > > updatable for existing listeners (e.g. SSL keystores). Support for > > updating > > > other security configs dynamically for existing listeners will be added > > > later > > > > > > > > > > > > https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=74687608#content/view/74687608 > > > > > > > > > Maybe not supported yet? > > > > > > > > > > > > בתאריך יום ו׳, 4 ביוני 2021, 10:49, מאת Ran Lupovich < > > > ranlupov...@gmail.com > > > >: > > > > > > > Thanks for checking... is there a way for you to check if this > behavior > > > is > > > > for "already connected clients" and what check only what happens to > > "new > > > > connections" > > > > > > > > בתאריך יום ו׳, 4 ביוני 2021, 10:47, מאת Anjali Sharma < > > > > sharma.anjali.2...@gmail.com>: > > > > > > > >> Neither listener specific nor ssl.client.auth is working dynamically > > > >> > > > >> On Fri, Jun 4, 2021, 13:04 Ran Lupovich <ranlupov...@gmail.com> > > wrote: > > > >> > > > >> > And not* to specific listener > > > >> > > > > >> > בתאריך יום ו׳, 4 ביוני 2021, 10:30, מאת Ran Lupovich < > > > >> > ranlupov...@gmail.com > > > >> > >: > > > >> > > > > >> > > According to documentation it is dynamic and should work, though > > it > > > is > > > >> > > "general" ssl.auth of the entire broker setting and to specific > > > >> listener > > > >> > as > > > >> > > you are trying out , but the logic says it should work the > same... > > > >> > besides > > > >> > > that I do not have anything smart to suggest, the only > > understanding > > > >> we > > > >> > > need is if specfic listener config is dynamic changeable and > when > > it > > > >> take > > > >> > > place? New connections? Do all your client fully discconect and > > > >> reconnect > > > >> > > to that listener? > > > >> > > > > > >> > > בתאריך יום ו׳, 4 ביוני 2021, 10:25, מאת Anjali Sharma < > > > >> > > sharma.anjali.2...@gmail.com>: > > > >> > > > > > >> > >> Yes restarting the Kafka solves the problem but as it is > dynamic > > > >> there > > > >> > is > > > >> > >> no need to restart the Kafka right? > > > >> > >> > > > >> > >> On Fri, Jun 4, 2021, 12:13 Ran Lupovich <ranlupov...@gmail.com > > > > > >> wrote: > > > >> > >> > > > >> > >> > Restarting the broker solves the problem? Do your clients > fully > > > >> > >> disconnect > > > >> > >> > and reconnect? > > > >> > >> > > > > >> > >> > בתאריך יום ו׳, 4 ביוני 2021, 09:24, מאת Anjali Sharma < > > > >> > >> > sharma.anjali.2...@gmail.com>: > > > >> > >> > > > > >> > >> > > Hi Ran, > > > >> > >> > > > > > >> > >> > > Thank you so much for the help, but had already gone > through > > > the > > > >> > >> > > documentation, but despite doing the same thing it is not > > > >> working , > > > >> > we > > > >> > >> > are > > > >> > >> > > not getting any client certificate request as such , is > there > > > >> > anything > > > >> > >> > that > > > >> > >> > > I am missing in the executing the command or we need to > > restart > > > >> the > > > >> > >> > brokers > > > >> > >> > > or anything else we need to do? > > > >> > >> > > > > > >> > >> > > > > > >> > >> > > Thanks & Regards > > > >> > >> > > Anjali > > > >> > >> > > > > > >> > >> > > On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich < > > > >> ranlupov...@gmail.com > > > >> > > > > > >> > >> > > wrote: > > > >> > >> > > > > > >> > >> > > > Adding this information that supports your assumptions > that > > > it > > > >> > >> should > > > >> > >> > be > > > >> > >> > > > dynamically supportedNotice the update mode - > > > >> > >> > > > > > > >> > >> > > > Dynamic Update Mode option in Broker Configurations > > > >> > >> > > > < > > > >> > >> > > > > > > >> > >> > > > > > >> > >> > > > > >> > >> > > > >> > > > > >> > > > > > > https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers > > > >> > >> > > > > > > > >> > >> > > > for > > > >> > >> > > > the update mode of each broker configuration. > > > >> > >> > > > > > > >> > >> > > > - read-only: Requires a broker restart for update. > > > >> > >> > > > - per-broker: May be updated dynamically for each > > broker. > > > >> > >> > > > - cluster-wide: May be updated dynamically as a > > > cluster-wide > > > >> > >> > default. > > > >> > >> > > > May also be updated as a per-broker value for testing > > > >> > >> > > > > > > >> > >> > > > > > > >> > >> > > > > > > >> > >> > > > ssl.client.auth > > > >> > >> > > > < > > > >> > >> > > > > > > >> > >> > > > > > >> > >> > > > > >> > >> > > > >> > > > > >> > > > > > > https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth > > > >> > >> > > > > > > > >> > >> > > > > > > >> > >> > > > Configures kafka broker to request client authentication. > > The > > > >> > >> following > > > >> > >> > > > settings are common: > > > >> > >> > > > > > > >> > >> > > > - ssl.client.auth=required If set to required client > > > >> > >> authentication > > > >> > >> > is > > > >> > >> > > > required. > > > >> > >> > > > - ssl.client.auth=requested This means client > > > >> authentication is > > > >> > >> > > > optional. unlike required, if this option is set > client > > > can > > > >> > >> choose > > > >> > >> > not > > > >> > >> > > > to > > > >> > >> > > > provide authentication information about itself > > > >> > >> > > > - ssl.client.auth=none This means client > authentication > > is > > > >> not > > > >> > >> > needed. > > > >> > >> > > > > > > >> > >> > > > Type: string > > > >> > >> > > > Default: none > > > >> > >> > > > Valid Values: [required, requested, none] > > > >> > >> > > > Importance: medium > > > >> > >> > > > Update Mode: per-broker > > > >> > >> > > > > > > >> > >> > > > בתאריך יום ו׳, 4 ביוני 2021, 08:30, מאת Anjali Sharma < > > > >> > >> > > > sharma.anjali.2...@gmail.com>: > > > >> > >> > > > > > > >> > >> > > > > Dear All, > > > >> > >> > > > > > > > >> > >> > > > > When trying to configure mtls without restarting the > > > brokers > > > >> it > > > >> > is > > > >> > >> > not > > > >> > >> > > > > working. > > > >> > >> > > > > For mutualTLS "ssl.client.auth" should be set to > > > "required". > > > >> So, > > > >> > >> if > > > >> > >> > we > > > >> > >> > > > are > > > >> > >> > > > > trying to do the dynamic update using the below command > > > >> > >> > > > > > > > >> > >> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server > > > >> > >> > localhost:28104 > > > >> > >> > > > > --entity-type brokers --entity-name 117373 **--alter > > > >> > --add-config > > > >> > >> > > > > listener.name.app.ssl.client.auth=required* > > > >> > >> > > > > *Completed updating config for broker 117373.* > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server > > > >> > >> > localhost:28104 > > > >> > >> > > > > --entity-type brokers --entity-name 117373 > > > --describeDynamic > > > >> > >> configs > > > >> > >> > > for > > > >> > >> > > > > broker 117373 are: > > > listener.name.app.ssl.client.auth=required > > > >> > >> > > > > sensitive=false > > > >> > >> > > > > > > > >> > >> > > > > > > >> > >> > > > > > >> > >> > > > > >> > >> > > > >> > > > > >> > > > > > > synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, > > > >> > >> > > > > STATIC_BROKER_CONFIG:ssl.client.auth=none, > > > >> > >> > > > > DEFAULT_CONFIG:ssl.client.auth=none}* > > > >> > >> > > > > Dynamic command execution is success but in captured > > > >> > tcpdump(pcap) > > > >> > >> > > > > "Certificate Request" is not sent from Server below > enter > > > >> image > > > >> > >> > > > description > > > >> > >> > > > > here. > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > But if we alter manually and restart Kafka we can see > > > >> > "Certificate > > > >> > >> > > > > Request" from Server in tcpdump. > > > >> > >> > > > > > > > >> > >> > > > > Please help in resolving the dynamic update of altering > > > >> > >> > > > > "ssl.client.auth=Required" > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > Pcap image is attached > > > >> > >> > > > > > > > >> > >> > > > > > > > >> > >> > > > > > > >> > >> > > > > > >> > >> > > > > >> > >> > > > >> > > > > > >> > > > > >> > > > > > > > > > >
