Nuxeo Platform, NXP-27904

Fix Kafka SASL with SSL to not require a keystore

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF18, 11.1, 2021.0
    • Component/s: Streams
    • Release Notes Summary:
      Kafka SASL with SSL does not require a keystore.
    • Backlog priority:
      600
    • Upgrade notes:
      The SSL keystore is not mandatory for all Kafka setups. Kafka can work with several security configurations independently.

      The best way to infer the need for an SSL keystore is to check if its path is set up in the configuration.
    • Sprint:
      nxplatform 11.1.21
    • Story Points:
      2

      Description

      When both kafka.ssl and kafka.sasl.enabled are true, a keystore should not be required and maybe should also not be configured. Currently, a keystore is always configured when kafka.ssl is true regardless of whether SASL is enabled (see https://github.com/nuxeo/nuxeo/blob/29612a2c7247864d94ee206eda6998a2a748f61f/nuxeo-distribution/nuxeo-nxr-server/src/main/resources/templates/common-base/nxserver/config/kafka-config.xml.nxftl#L22). A proposed patch is attached.

      Our sample kafka nuxeo.conf properties are included below:

      kafka.enabled=true
      kafka.bootstrap.servers=my-strimzi-kafka-boostrap:9093
      kafka.ssl=true
      kafka.sasl.enabled=true
      kafka.security.protocol=SASL_SSL
      kafka.sasl.mechanism=SCRAM-SHA-512
      kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=nuxeo password=**************;
      kafka.truststore.type=JKS
      kafka.truststore.path=/opt/nuxeo/bindings/kafka/truststore.jks
      kafka.truststore.password=**************
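
The path-driven rule from the upgrade notes, sketched as an added Python example (not Nuxeo's template or the attached patch): with SASL_SSL the client authenticates through SASL and only needs a truststore to verify the broker, so keystore settings are emitted only when a keystore path is set. The kafka.keystore.* names are assumed to mirror the kafka.truststore.* names above, and the "always" mode is a simplified model of the reported behaviour.

```python
# Added illustration, not Nuxeo's code. The kafka.keystore.* names are assumed
# to mirror the kafka.truststore.* names in the issue; values are constructed.
SAMPLE_CONF = """\
kafka.ssl=true
kafka.sasl.enabled=true
kafka.security.protocol=SASL_SSL
kafka.sasl.mechanism=SCRAM-SHA-512
kafka.truststore.type=JKS
kafka.truststore.path=/opt/nuxeo/bindings/kafka/truststore.jks
kafka.truststore.password=constructed-placeholder
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def store_props(props, kind, require_path):
    """Map kafka.<kind>.* to the Kafka client's ssl.<kind>.* settings."""
    path = props.get(f"kafka.{kind}.path", "")
    if require_path and not path:
        return {}  # no path configured: this store is not needed
    return {f"ssl.{kind}.type": props.get(f"kafka.{kind}.type", "JKS"),
            f"ssl.{kind}.location": path,
            f"ssl.{kind}.password": props.get(f"kafka.{kind}.password", "")}

def client_props(props, keystore_only_if_path=True):
    """Build Kafka client properties; False models 'keystore whenever ssl'."""
    ssl = props.get("kafka.ssl") == "true"
    sasl = props.get("kafka.sasl.enabled") == "true"
    wanted = (["security.protocol"] if ssl or sasl else []) + \
             (["sasl.mechanism", "sasl.jaas.config"] if sasl else [])
    out = {k: props[f"kafka.{k}"] for k in wanted if f"kafka.{k}" in props}
    if ssl:
        out.update(store_props(props, "truststore", require_path=True))
        out.update(store_props(props, "keystore", keystore_only_if_path))
    return out

def dangling_stores(out):
    """Return ssl.*.location keys that were emitted with an empty path."""
    return sorted(k for k, v in out.items() if k.endswith(".location") and not v)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("always-keystore:", dangling_stores(client_props(conf, False)))
    print("path-driven:    ", dangling_stores(client_props(conf)))
```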
      