You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Status

Current state: Under Discussion

Discussion thread: KAFKA-8669

JIRA: KAFKA-8669

Motivation

Currently kafka supports ssl.keymanager.algorithm and ssl.trustmanager.algorithm parameters as part of secure config. These parameters can be configured to load the key manager and trust managers which provide keys and certificates for ssl handshakes with the clients/server. The algorithms configured by these parameters need to be registered by Java security provider classes. These provider classes are configured as JVM properties through java.security file. A sample file given below

$ cat /usr/lib/jvm/jdk-8-oracle-x64/jre/lib/security/java.security
...
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
...


Custom keymanager and trustmanager algorithms can be used to supply the kafka brokers with keys and certificates, these algorithms can be used to replace the traditional, non-scalable static keystore and truststore jks files.

To take advantage of these custom algorithms, we want to support java security provider parameter in security config. This param can be used by kafka brokers or kafka clients(when connecting to the kafka brokers). The security providers can also be used for configuring security algorithms in SASL based communication.

Public Interfaces

The following line will be added to the kafka server.properties thus registering the provider class at the time of kafka broker start up 

security.provider.class=com.security.ProviderClass

Proposed Changes

We add new config parameter in KafkaConfig named “security.provider.class”. The value of “security.provider” is expected to be a string representing the provider’s full classname. This provider class will be added to the JVM properties through Security.addProvider api. Security class can be used to programmatically add the provider classes to the JVM.

Security.addProvider(configuredProvider)

Compatibility, Deprecation, and Migration Plan

None

Rejected Alternatives

There are few other ways of adding a custom provider

  1. Add a new security provider class in the java.security file

A new configuration like the one below can be added to the java.security file

security.provider.10=com.security.CustomProvider


       2. Pass the security policies as system level arguments

java -Djava.security.policy=/some/path/my.policy

Asking all the clients to do this is harder to achieve similar to the alternative 1

Existing Properties

There already exists a property “ssl.providers”, however there is a problem with using this parameter. The expected value of this property is the name of the algorithm and the provider class registering the algorithm needs to be added as part of static java.security file or system level variables as per the SslContext implementation. Therefore, this param can’t be used for registering a security provider.



  • No labels