- Type: New Feature
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 9.10, 10.2
- Component/s: Core
- Release Notes Summary: New properties are added to configure Kafka SSL and SASL authentication.
- Backlog priority: 800
- Impact type: Configuration Change
- Sprint: nxcore 10.10.1
- Story Points: 3

Nuxeo supports authentication for all backing services from the nuxeo.conf file except for Kafka.
Support for SASL and SSL can be added by passing Kafka properties to the consumer and producer configuration.
The SSL configuration should be as close as possible to that of other Nuxeo services.
The properties exposed to nuxeo.conf should be:

    # SASL
    kafka.sasl.enabled=false
    kafka.security.protocol=SASL_PLAINTEXT
    kafka.sasl.mechanism=SCRAM-SHA-256
    kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafkaclient1" password="kafkaclient1-secret";
    # SSL
    kafka.ssl=false
    kafka.truststore.type=JKS
    kafka.truststore.path=
    kafka.truststore.password=
    kafka.keystore.type=JKS
    kafka.keystore.path=
    kafka.keystore.password=

These properties are turned into Kafka consumer and producer properties, for SASL:

    <property name="security.protocol">${kafka.security.protocol}</property>
    <property name="sasl.mechanism">${kafka.sasl.mechanism}</property>
    <property name="sasl.jaas.config">${kafka.sasl.jaas.config}</property>

and for SSL:

    <property name="security.protocol">SSL</property>
    <property name="ssl.truststore.type">${kafka.truststore.type}</property>
    <property name="ssl.truststore.location">${kafka.truststore.path}</property>
    <property name="ssl.truststore.password">${kafka.truststore.password}</property>
    <property name="ssl.keystore.type">${kafka.keystore.type}</property>
    <property name="ssl.keystore.location">${kafka.keystore.path}</property>
    <property name="ssl.keystore.password">${kafka.keystore.password}</property>
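
A configuration check for the properties above, as an added example that is not part of the ticket or of Nuxeo's code: it applies the ticket's mapping to a constructed nuxeo.conf fragment and flags settings that leave the Kafka link unauthenticated, unencrypted, or dependent on a cleartext password. The function names and finding labels are assumptions of this example.

```python
# Added example, not Nuxeo code. Property names are the ticket's; the audit
# rules and finding labels are assumptions of this example.
SASL_MAP = {"security.protocol": "kafka.security.protocol",
            "sasl.mechanism": "kafka.sasl.mechanism",
            "sasl.jaas.config": "kafka.sasl.jaas.config"}
SSL_MAP = {f"ssl.{s}.{dst}": f"kafka.{s}.{src}"
           for s in ("truststore", "keystore")
           for dst, src in (("type", "type"), ("location", "path"), ("password", "password"))}

def parse_conf(text):
    # key=value lines; blank lines and '#' comments are skipped
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # the value may itself contain '='
            conf[key.strip()] = value.strip()
    return conf

def enabled(conf, key):
    return conf.get(key, "false").lower() == "true"

def client_props(conf):
    # Ticket's mapping, one mode at a time; how both flags combine is not stated there.
    props = {}
    if enabled(conf, "kafka.sasl.enabled"):
        props.update({dst: conf.get(src, "") for dst, src in SASL_MAP.items()})
    elif enabled(conf, "kafka.ssl"):
        props["security.protocol"] = "SSL"
        props.update({dst: conf.get(src, "") for dst, src in SSL_MAP.items()})
    return props

def audit(conf):
    sasl, ssl = enabled(conf, "kafka.sasl.enabled"), enabled(conf, "kafka.ssl")
    checks = [
        (not sasl and not ssl, "no-auth-no-tls"),
        (sasl and conf.get("kafka.security.protocol") == "SASL_PLAINTEXT", "sasl-without-tls"),
        (sasl and "password=" in conf.get("kafka.sasl.jaas.config", ""), "cleartext-password-in-nuxeo.conf"),
        (ssl and not conf.get("kafka.truststore.path"), "ssl-without-truststore-path"),
    ]
    return [label for hit, label in checks if hit]

# Constructed sample: the ticket's listed values with SASL switched on.
SAMPLE = """\
kafka.sasl.enabled=true
kafka.security.protocol=SASL_PLAINTEXT
kafka.sasl.mechanism=SCRAM-SHA-256
kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafkaclient1" password="kafkaclient1-secret";
"""
```

Running `audit(parse_conf(SAMPLE))` reports the SASL-over-plaintext transport and the inline JAAS password; the latter is a cue to restrict read access to nuxeo.conf.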