...
The rest.advertised.host.name
and rest.advertised.port
options will continue to be used as today to specify the connection address which should be used by other workers. In addition a new option rest.advertised.security.protocol
will define whether other workers should connect using HTTP or HTTPS protocols. In case HTTPS is selected, the connecting worker will use the SSL configuration from the ssl.*
options.
This proposal doesn't include any authorization / ACL features. Only encryption and authentication. Authorization / ACLs should be subject of separate KIP in order to keep the scope of this KIP under control. It also doesn't add any other authentication options than SSL/TLS client authentication.
Public Interfaces
Configuration of SSL / TLS for the Kafka Connect REST interface will tries to follow the configuration for other SSL / TLS enabled server interfaces. It will be done through the properties configuration file for the distributed Kafka Connect workers. It will add following
Following new options will be added:
Parameter | Default value | Note |
---|---|---|
listeners | null | List of REST listeners in the format protocol://host:port,protocol2://host2:port2 where the protocol is one of HTTP and HTTPS. |
rest.advertised.security.protocol | HTTP | Configures the protocol used for communication between workers. Should be either HTTP or HTTPS . Default is HTTP to ensure backwards compatibility. |
ssl.client.auth | none | Valid values are none , requested and required . It will controls whether:
This is the only authentication option suggested as part of this KIP. |
listeners.https.ssl.* | The listeners.https. prefix can be used with any SSL configuration option mentioned below to override the default SSL configuration which is shared with the connections to Kafka broker. |
Following existing options will be affected by this KIP:
Parameter | Default value | Note |
---|---|---|
rest.host.name | null | When listeners option is defined, this field will be ignored. |
rest.port | 8083 | When listeners option is defined, this field will be ignored. |
Following existing options will be reused by this KIP without any changes:
Parameter | Default value | Note | ||||
---|---|---|---|---|---|---|
rest.advertised.host.name | null | |||||
rest. | securityadvertised. | protocolport | null | This field will be | SSLreused without any changes. | |
ssl.keystore.location | null | |||||
ssl.keystore.password | null | |||||
ssl.keystore.type | JKS | |||||
ssl.key.password | null | |||||
ssl.truststore.location | null | |||||
ssl.truststore.password | null | |||||
ssl.truststore.type | JKS | |||||
ssl.enabled.protocols | TLSv1.2,TLSv1.1,TLSv1 | |||||
ssl.provider | null | |||||
ssl.protocol | TLS | |||||
ssl.cipher.suites | null | |||||
ssl.keymanager.algorithm | SunX509 | |||||
ssl.secure.random.implementation | null | |||||
ssl.trustmanager.algorithm | PKIX | |||||
ssl.client.auth | none | Other valid values are "required" and "requested". |
The rest.security.protocol
option will support only PLAINTEXT
and SSL
values. PLAINTEXT
will be the default value and will keep all SSL/TLS functionality disabled to keep the backwards compatibility.
The rest.ssl.client.auth
option would support values of required
, requested
and none
(none
being the default). It will control whether:
- the connecting client is required to do SSL/TLS client authentication (
required
) - it can decide to skip the SSL/TLS client authentication (
requested
) - the SSL/TLS authentication will be completely disabled (
none
)
This is the only authentication option suggested as part of this KIP.
...
Migration Plan and Compatibility
...