Versions Compared

Old Version 3

changes.mady.by.user MAULIN VASAVADA

Saved on

compared with

New Version 4

changes.mady.by.user MAULIN VASAVADA

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagejava
titleKeyStoreLoader
package org.apache.kafka.common.security.ssl;

import java.security.KeyStore;

public interface KeyStoreLoader {
	public KeyStore load();
	public String getPassword();
	public String getKeyPassword();
	public boolean modified();
}

...

Code Block
languagejava
titleTrustStoreLoader
package org.apache.kafka.common.security.ssl;

import java.security.KeyStore;

public interface TrustStoreLoader {
	public KeyStore load();
	public boolean modified();
}


NOTE: Notice that we are not specifying the key/trust store passwords in the KeyStoreLoader/TrustStoreLoader load() method. This is because we do not want to mandate the passwords to come from the caller class. This implementation leaves it open to the Loader implementation to read required configuration or use other mechanism for fetching the password. Typically if you have a Key Manager solution you might be using some sort of 'auth-token' in order to access the Key Manager's API and might not require key/trust store password (you will still need password for unlocking the keys though).

Proposed Changes

Kafka Client library and Kafka Broker both uses SslEngineBuilder class to load KeyStore and TrustStore from the file based configurations.

  1. As documented in public interfaces section, we will introduce two interfaces to allow pluggable implementation to provide key/trust stores loading
  2. We will make changes to the SslEngineBuilder#createSSLContext() method to allow optional invoke the key/trust store loading from new ssl configurations we introduce.
    1. Pseudocode changes in the SslEngineBuilder#createSSLContext() looks like below


      Code Block
      if ( keystore != null ) {
 // load keystore in existing way
} else if ( 'ssl.keystore.loader' specified ) {
 // load keystore by invoking the pluggable implementation class for the config
}
...
...
...
if ( truststore != null ) {
 // load truststore in existing way
} else if ( 'ssl.truststore.loader' specified ) {
 // load truststore by invoking the pluggable implementation class for the config
}


  3. We will make changes to the SslEngineBuilder#shouldBeRebuilt() method appropriately

...