Versions Compared

Old Version 14

changes.mady.by.user Jakub Scholz

Saved on

compared with

New Version 15

changes.mady.by.user Jakub Scholz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The rest.advertised.host.name and rest.advertised.port options will continue to be used as today to specify the connection address which should be used by other workers. In addition a new option rest.advertised.security.protocol will define whether other workers should connect using HTTP or HTTPS protocols. In case HTTPS is selected, the connecting worker will use the SSL configuration from the the existing ssl.* options. Even in case when rest.advertised.host.name and rest.advertised.port options are not specified this field will be used to define which protocol should be advertised to other workers in combination with the appropriatte hostname and port from the listener field.

This proposal doesn't include any authorization / ACL features. Only encryption and authentication. Authorization / ACLs should be subject of separate KIP in order to keep the scope of this KIP under control. It also doesn't add any other authentication options than SSL/TLS client authentication.

...

Configuration of SSL / TLS for the Kafka Connect REST interface tries to follow the configuration for other SSL / TLS enabled server interfaces. It will be done through the properties configuration file for the distributed Kafka Connect workers.

Following new options will be added:

ParameterDefault valueNote
listenersnullList of REST listeners in the format protocol://host:port,protocol2://host2:port2 where the protocol is one of HTTP and HTTPS.
rest.advertised.security.protocolHTTP 

Configures the protocol used for communication between workers.

Should be

Valid values are either HTTP or HTTPS.

Default is HTTP to ensure backwards compatibility

When the listeners configuration is not defined or when it contains HTTP listener, the default value for this field will be HTTP. When the listeners option is configured and contains only HTTPS listener, the default value will be HTTPS.

ssl.client.authnoneValid values are none, requested and required. It will controls whether:
  • the connecting client is required to do SSL/TLS client authentication (required
  • it can decide to skip the SSL/TLS client authentication (requested
  • the SSL/TLS authentication will be completely disabled (none)

This is the only authentication option suggested as part of this KIP.

listeners.https.ssl.* The listeners.https. prefix can be used with any SSL configuration option mentioned below to override the default SSL configuration which is shared with the connections to Kafka broker.

...

This KIP is a new implementation and doesn't have any backwards compatibility issues or special requirements on migration from older versions. Existing Kafka Connect installation would work in the same way as before this change. Without the SSL configuration, the REST interface will continue to be configured as today - i.e. without SSL / TLS.

Rejected Alternatives

  • The first version of this KIP suggested only single REST listener - either HTTP or HTTPS. This was changed based on the feedback from the discussion

 Technically it would be possible to define multiple "listeners". For example one with HTTP and one with HTTPS. However, given the functionality provided over the REST interface I see only limited value in it. And therefore I rejected it. If you see some value / use case in this, please raise it in the discussion.