...
This KIP proposes enabling SSL support in the Jetty HTTP server. Jetty already supports SSL / TLS. So the main work in this KIP will be around enabling and configuring SSL / TLS. This proposal expects that the user will either choose HTTP or HTTPS. It doesn't provide support for using both in parallel. See "Rejected Alternatives" for more details.
Users will be able to configure REST listeners using a new configuration option `listeners`. It allows configuring the protocol (either HTTP or HTTPS), host and port of each listener. Users will be allowed to configure an HTTP listener, an HTTPS listener, or both. For example: `listeners=http://myhost:8080,https://myhost:8443` or `listeners=https://myhost:8443`.
When the `listeners` parameter is configured, the existing options `rest.host.name` and `rest.port` will be ignored.
The HTTPS listener (when configured in `listeners`) will by default use the SSL configuration from the `ssl.*` options, i.e. the same keystore and truststore the worker uses to connect to the Kafka brokers. If the user needs a different SSL configuration for the REST interface than for the broker connection, the defaults can be overridden per option by using the prefix `listeners.https.`, for example: `listeners.https.ssl.keystore.location=/my/path/keystore.jks`. An option without the prefix still applies to the HTTPS listener when no prefixed override is given.
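The resolution rules above (listeners override `rest.host.name`/`rest.port`; `listeners.https.`-prefixed keys override the shared `ssl.*` keys, which in turn fall back to the documented defaults) are small enough to write down as code. The following is an added example for this page, not code from the Kafka project: the function names, the constructed worker configuration and the warning texts are all assumptions, and it uses the `ssl.*` / `listeners.https.` naming from the prose above rather than the `rest.ssl.*` names in the table. It also flags two things a reviewer of such a config would want to see: the default `ssl.enabled.protocols` still lists TLSv1 and TLSv1.1 (deprecated by RFC 8996), and `ssl.client.auth=none` means the REST interface is encrypted but callers are not authenticated by TLS.

```python
"""Resolve the effective Kafka Connect REST listener and TLS settings.

Added example (not Kafka code). Assumed: helper names, the sample config,
and the use of ssl.* / listeners.https.* keys as described in the KIP prose.
"""
from urllib.parse import urlsplit

# Defaults mirrored from the option table in this KIP (ssl.* naming assumed).
SSL_DEFAULTS = {
    "ssl.keystore.location": None,
    "ssl.keystore.password": None,
    "ssl.keystore.type": "JKS",
    "ssl.key.password": None,
    "ssl.truststore.location": None,
    "ssl.truststore.password": None,
    "ssl.truststore.type": "JKS",
    "ssl.enabled.protocols": "TLSv1.2,TLSv1.1,TLSv1",
    "ssl.provider": None,
    "ssl.protocol": "TLS",
    "ssl.cipher.suites": None,
    "ssl.keymanager.algorithm": "SunX509",
    "ssl.secure.random.implementation": None,
    "ssl.trustmanager.algorithm": "PKIX",
    "ssl.client.auth": "none",
}
HTTPS_PREFIX = "listeners.https."
VALID_CLIENT_AUTH = ("none", "required", "requested")
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
DEFAULT_REST_PORT = 8083                  # Connect's documented rest.port default


def parse_listeners(value):
    """Split 'scheme://host:port,...' into (scheme, host, port) tuples.

    An empty host (e.g. https://:8443) is kept as '' (bind all interfaces)."""
    listeners = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https"):
            raise ValueError(f"unsupported listener protocol in {item!r}; use http or https")
        if parts.port is None:
            raise ValueError(f"listener {item!r} must specify a port")
        listeners.append((parts.scheme, parts.hostname or "", parts.port))
    if not listeners:
        raise ValueError("listeners is set but contains no listener")
    return listeners


def resolve_https_config(cfg):
    """Effective ssl.* settings for the HTTPS listener.

    Precedence: listeners.https.<key> > <key> (shared with broker TLS) > default."""
    effective = {}
    for key, default in SSL_DEFAULTS.items():
        if HTTPS_PREFIX + key in cfg:
            effective[key] = cfg[HTTPS_PREFIX + key]
        elif key in cfg:
            effective[key] = cfg[key]
        else:
            effective[key] = default
    if effective["ssl.client.auth"] not in VALID_CLIENT_AUTH:
        raise ValueError(f"ssl.client.auth must be one of {VALID_CLIENT_AUTH}")
    if effective["ssl.keystore.location"] is None:
        raise ValueError("an HTTPS listener needs a keystore (ssl.keystore.location)")
    return effective


def resolve_rest_config(cfg):
    """Return the listeners, the effective HTTPS TLS config (or None) and warnings."""
    warnings = []
    if cfg.get("listeners"):
        listeners = parse_listeners(cfg["listeners"])
        for legacy in ("rest.host.name", "rest.port"):
            if legacy in cfg:  # the KIP says these are ignored once listeners is set
                warnings.append(f"{legacy} is ignored because listeners is set")
    else:
        listeners = [("http", cfg.get("rest.host.name", ""),
                      int(cfg.get("rest.port", DEFAULT_REST_PORT)))]
    https = None
    if any(scheme == "https" for scheme, _, _ in listeners):
        https = resolve_https_config(cfg)
        enabled = {p.strip() for p in https["ssl.enabled.protocols"].split(",")}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            warnings.append("HTTPS listener enables deprecated protocols: " + ", ".join(legacy))
        if https["ssl.client.auth"] == "none":
            warnings.append("ssl.client.auth=none: REST clients are not authenticated by TLS")
    return {"listeners": listeners, "https": https, "warnings": warnings}


# Constructed worker config for illustration; paths and passwords are made up.
SAMPLE_WORKER_CONFIG = {
    "listeners": "http://myhost:8080,https://myhost:8443",
    "rest.port": "9999",  # ignored: listeners is set
    "ssl.keystore.location": "/var/private/ssl/broker-client.jks",
    "ssl.keystore.password": "broker-secret",
    "ssl.truststore.location": "/var/private/ssl/truststore.jks",
    "ssl.truststore.password": "trust-secret",
    "listeners.https.ssl.keystore.location": "/var/private/ssl/rest.jks",
    "listeners.https.ssl.keystore.password": "rest-secret",
    "listeners.https.ssl.client.auth": "required",
    "listeners.https.ssl.enabled.protocols": "TLSv1.2",
}

if __name__ == "__main__":
    import json
    print(json.dumps(resolve_rest_config(SAMPLE_WORKER_CONFIG), indent=2))
```

In the sample config the REST keystore is overridden while the truststore falls back to the shared `ssl.truststore.*` values, which is the split the prose describes; running the script on a config that only sets `listeners=https://...` and a keystore shows the two warnings a hardening review would raise.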
This proposal covers only encryption and authentication; it doesn't include any authorization / ACL features. Authorization / ACLs should be the subject of a separate KIP in order to keep the scope of this KIP under control.
...
Parameter | Default value | Note |
---|---|---|
listeners | null | |
rest.ssl.keystore.location | null | |
rest.ssl.keystore.password | null | |
rest.ssl.keystore.type | JKS | |
rest.ssl.key.password | null | |
rest.ssl.truststore.location | null | |
rest.ssl.truststore.password | null | |
rest.ssl.truststore.type | JKS | |
rest.ssl.enabled.protocols | TLSv1.2,TLSv1.1,TLSv1 | |
rest.ssl.provider | null | |
rest.ssl.protocol | TLS | |
rest.ssl.cipher.suites | null | |
rest.ssl.keymanager.algorithm | SunX509 | |
rest.ssl.secure.random.implementation | null | |
rest.ssl.trustmanager.algorithm | PKIX | |
rest.ssl.client.auth | none | Other valid values are "required" and "requested". |
...