Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-27904

Fix Kafka SASL with SSL to not require a keystore

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF18, 11.1
    • Component/s: Streams
    • Release Notes Summary:
      Kafka SASL with SSL does not require a keystore.
    • Backlog priority:
      600
    • Upgrade notes:
      Hide

      The SSL keystore is not mandatory for all Kafka setups. Kafka can work with several security configurations independently.

      The best way to infer the need for an SSL keystore is to check if its path is set up in the configuration

      Show
      The SSL keystore is not mandatory for all Kafka setups. Kafka can work with several security configurations independently. The best way to infer the need for an SSL keystore is to check if its path is set up in the configuration
    • Sprint:
      nxplatform 11.1.21
    • Story Points:
      2

      Description

      When both kafka.ssl and kafka.sasl.enabled are true, a keystore should not be required and maybe should also not be configured. Currently, a keystore is always configured when kafka.ssl is true regardless of whether SASL is enabled (see https://github.com/nuxeo/nuxeo/blob/29612a2c7247864d94ee206eda6998a2a748f61f/nuxeo-distribution/nuxeo-nxr-server/src/main/resources/templates/common-base/nxserver/config/kafka-config.xml.nxftl#L22). A proposed patch is attached.

      Our sample kafka nuxeo.conf properties are included below:

      kafka.enabled=true
      kafka.boostrap.servers=my-strimzi-kafka-boostrap:9093
      kafka.ssl=true
      kafka.sasl.enabled=true
      kafka.security.protocol=SASL_SSL
      kafka.sasl.mechanism=SCRAM-SHA-512
      kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=nuxeo password=**************;
      kafka.truststore.type=JKS
      kafka.truststore.path=/opt/nuxeo/bindings/kafka/truststore.jks
      kafka.truststore.password=**************
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 days, 2 hours
                  3d 2h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.