Status

Current state: Draft

Discussion thread:

JIRA:

Motivation

Add the ability to use a custom SSL factory to configure the Kafka Connect RestServer.
Currently, Kafka Connect provides only one basic mechanism, based on file key stores, to configure SSL for the REST server.
Kafka Connect is used by organizations of all sizes, serving varied technical and business domains. SSL/TLS communication is a critical part of organizations' standards, and SSL configuration customization is an important part of the functionality of any application.

Public Interfaces


Use the SSLConfig.SSL_ENGINE_FACTORY_CLASS_CONFIG ("ssl.engine.factory.class") property with the prefixes:

  • "listeners.https."
  • "admin.listeners.https."

to define the SSL engine factory for RestServer listeners. By default, DefaultSslEngineFactory is used.
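A custom factory that could be named in this property, as an added example that is not part of the KIP or the Kafka code base. It delegates key and trust store handling to DefaultSslEngineFactory and only tightens the server-side engine; the package and class names are hypothetical.

```java
// Added example, not part of the KIP. Package and class names are hypothetical.
// Under this proposal it would be selected with, for example:
//   listeners.https.ssl.engine.factory.class=com.example.connect.HardenedSslEngineFactory
package com.example.connect;

import java.io.IOException;
import java.security.KeyStore;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;

public class HardenedSslEngineFactory implements SslEngineFactory {
    // Reuse the stock key store / trust store loading; only post-process the engines.
    private final DefaultSslEngineFactory delegate = new DefaultSslEngineFactory();

    @Override public void configure(Map<String, ?> configs) {
        delegate.configure(configs);
    }

    @Override public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
        SSLEngine engine = delegate.createServerSslEngine(peerHost, peerPort);
        // getSSLParameters() carries over the delegate's client-auth and cipher settings.
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3"}); // refuse older protocol versions
        params.setUseCipherSuitesOrder(true);          // server preference decides the suite
        engine.setSSLParameters(params);
        return engine;
    }

    @Override public SSLEngine createClientSslEngine(String peerHost, int peerPort,
                                                     String endpointIdentification) {
        return delegate.createClientSslEngine(peerHost, peerPort, endpointIdentification);
    }

    @Override public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) {
        return delegate.shouldBeRebuilt(nextConfigs);
    }

    @Override public Set<String> reconfigurableConfigs() { return delegate.reconfigurableConfigs(); }
    @Override public KeyStore keystore() { return delegate.keystore(); }
    @Override public KeyStore truststore() { return delegate.truststore(); }
    @Override public void close() throws IOException { delegate.close(); }
}
```

Restricting the engine to TLSv1.3 assumes every REST client and any configured cipher suites support it; otherwise handshakes against the listener fail.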

Proposed Changes

Since version 2.6.0, Kafka has had a public interface for defining a custom SSL engine (SslEngineFactory). This interface can be used to configure SSL for the Kafka Connect RestServer.

Add a private adapter class to use SslEngineFactory with Jetty. Implementation of the main functionality:

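SslContextFactoryImpl
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Adapter: Jetty obtains its SSLEngine instances from a Kafka SslEngineFactory.
class SslContextFactoryImpl extends SslContextFactory.Server {
    private final SslEngineFactory sslEngineFactory;

    SslContextFactoryImpl(SslEngineFactory sslEngineFactory) {
        this.sslEngineFactory = sslEngineFactory;
    }

    // No peer information is available here, so pass a null host and port -1.
    @Override public SSLEngine newSSLEngine() {
        return sslEngineFactory.createServerSslEngine(null, -1);
    }

    // Forward the peer host and port supplied by Jetty.
    @Override public SSLEngine newSSLEngine(String host, int port) {
        return sslEngineFactory.createServerSslEngine(host, port);
    }
}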

Private code to drop / modify:

  • Drop the current SSL utilities class org.apache.kafka.connect.runtime.rest.util.SSLUtils, together with its unit tests;
  • Refactor SslFactory#instantiateSslEngineFactory to extract a public static utility method for use inside RestServer.

Compatibility, Deprecation, and Migration Plan

There is no impact on existing behavior, and the existing behavior is not deprecated. All existing SSL properties are supported.

Test Plan

Add integration tests to check:

  • Default SSL behavior and compatibility;
  • Custom SSL engine factory to configure RestServer listeners.

Rejected Alternatives

Use native type for Jetty server in public API

E.g. extending org.eclipse.jetty.util.ssl.SslContextFactory.

Disadvantages:

  • external dependency in public API (e.g. server implementation may be changed for Kafka Connect);
  • new type in public interface;
  • new default implementation (because new type must implement Configurable) which is minimally different from DefaultSslEngineFactory.
