Table of Contents |
---|
Status
Current state: Draft DISCUSS
Discussion thread:
JIRA:
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Kafka adoption is growing day-by-day and it is used by all sizes of organizations serving varied technical and business domains like banking, entertainment, food/transportation logistics, financial technology to name a few. These organizations depending upon their size and domain may have more internal and external InfoSec/AppSec/Compliance standards they have to meet while using Kafka. SSL/TLS communication is very critical part of those standards. While Kafka supports SSL communication sometimes it becomes challenging to use out-of-the-box solution provided by Kafka for SSL/TLS given the organization's needs.
...
This KIP proposes the work on top of what has been done already for SSL configuration like KIP-226 - Dynamic Broker Configuration and KIP-492: Add java security providers in Kafka Security config.
Public Interfaces
New
...
configuration
ssl.engine.factory.class - This configuration will take class of the below interface's type and will be used to create javax.net.ssl.SSLEngine object.
Interface for SSLEngineFactory
Below is the interface suggested for this.
In the interface we provide a way to customize SSLContext and SSLEngine both because SSLContext ideally has all the data points to be customized (see JSSE reference diagram) but for Kafka SSLEngine needs to be further configured based on Client or Server Mode as it is done currently.
Code Block |
---|
package org.apache.kafka.common.security.ssl; import org.apache.kafka.common.network.Mode; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import java.util.Map; import java.util.Set; public interface SslEngineFactory { /** * Creates SSLContext by providing required key material and {@code java.security.SecureRandom} * * @return The SSLContext. */ SSLContext createSSLContext(); /** * Creates a new SSLEngine object. * * @param mode Whether to use client or server mode. * @param peerHost The peer host to use. This is used in client mode if endpoint validation is enabled. * @param peerPort The peer port to use. This is a hint and not used for validation. * @param endpointIdentification Endpoint identification algorithm for client mode. * @return The new SSLEngine. */ SSLEngine createcreateSSLEngine(Mode mode, String peerHost, int peerPort, String endpointIdentification); /** * Returns the currently used configurations by this engine. * @return */ Map<String, Object> currentConfigs(); /** * Returns the reconfigurable configs used by this engine. * @return */ Set<String> reconfigurableConfigs(); /** * Returns true if this engine needs to be rebuilt. * * @param nextConfigs The configuration we want to use. * @return True only if this builder should be rebuilt. */ boolean shouldBeRebuilt(Map<String, Object> nextConfigs); } |
...
Not applicable since old code behavior will be kept with default implementation of DefaultSslEngineFactory.
Rejected Alternatives
TBDAs mentioned in the motivation there are/were several attempts to make various ssl configurations pluggable over time focusing on specific aspect of the SSL configuration. However, this KIP proposes to allow customization at SSLContext/SSLEgnine level hence there are no alternatives applicable in our opinion.