THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
Status
Current state: Under Discussion Approved
Discussion thread: TBD https://lists.apache.org/thread.html/ra490809bd850159fe4f9c4668c2ecf84cf9f4a28d50a4a461d212e72%40%3Cdev.kafka.apache.org%3E
JIRA: https://issues.apache.org/jira/browse/KAFKA-10345
...
ssl.keystore.location
ssl.truststore.location
A broker side metrics will be added to track times of security store reloads for success and failure as:
...
Additionally, two dynamic broker config called `ssl.keystore.location.refresh.interval.ms` and `ssl.truststore.location.refresh.interval.ms` will be added to control the time based guarantee for an automatic reloading in case of a missed file-watch. To disable periodical reloading, users could set those configs to max long.
| Code Block | ||||
|---|---|---|---|---|
| ||||
public static final String SSL_KEYSTORE_LOCATION_REFRESH_INTERVAL_MS_CONFIG = "ssl.keystore.location.refresh.interval.ms"; public static final String SSL_KEYSTORE_LOCATION_REFRESH_INTERVAL_MS_DOC = "The refresh interval for in-place ssl keystore updates. In general, " + "the update should trigger immediately when user modifies the security file path through file watch service, while " + "this configuration is defining a time based guarantee of store reloading in worst case"; public static final String SSL_TRUSTSTORE_LOCATION_REFRESH_INTERVAL_MS_CONFIG = "ssl.truststore.location.refresh.interval.ms"; public static final String SSL_TRUSTSTORE_LOCATION_REFRESH_INTERVAL_MS_DOC = "The refresh interval for in-place ssl truststore updates. In general, " + "the update should trigger immediately when user modifies the security file path through file watch service, while " + "this configuration is defining a time based guarantee of store reloading in worst case"; |
The default value values will be set to 5 minutes and could be changed through AlterConfig API.
...
The broker will also periodically check whether security files have been modified since last checking time and decide to reload or not, so that when the file watch does not work for unknown reason, user could wait until the time based reloading mechanism kicks in. If the time based reloading is not working either, user could still try to change the store path in an explicit AlterConfig call in the worst case.
This mechanism will be applied only to the brokers. Client side security store reloading mechanism is not affected.
Compatibility, Deprecation, and Migration Plan
The feature support for same name store reloading will be working in the new brokers automatically. We would try to communicate the deprecation of the old AlterConfig based path in the broker WARN log to let user read the metric instead to evaluate whether the security store is reloaded successfully.
Right now we don't plan to support disabling the auto reloading feature, since it will become the only option to do in-place security store update in the future.
We are also changing the audit log/authorization model for dynamic in-place updates of SSL stores. At the moment, only a user with powerful Cluster:Alter permissions can dynamically
update SSL stores on brokers. The KIP removes this restriction and relies purely on file system permissions for file-based stores.
Rejected Alternatives
We have proposed to use a new RPC which gets sent to the target broker directly. The solution involves a couple of compatibility related concerns, such as the following matrix suggests:
...