Status
Current state: Under Discussion
Discussion thread: here
JIRA: Not yet
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Kafka Connect has a REST interface for managing and monitoring connectors. Currently this REST interface uses only plain HTTP, without any encryption or authentication. This is not ideal because:
- The interface might be used to transfer sensitive information (e.g. passwords in Kafka Connect connector configurations)
- Anyone with access to the interface can add connectors (which can forward sensitive messages from Kafka brokers somewhere else)
Extending the REST interface with support for SSL / TLS encryption and SSL / TLS client authentication could address these issues.
Proposed Change
This KIP proposes enabling SSL support in the Jetty HTTP server. Jetty already supports SSL / TLS, so the main work in this KIP will be enabling and configuring it.
Public Interfaces
Configuration of SSL / TLS for the Kafka Connect REST interface will follow the configuration for other SSL / TLS enabled server interfaces. It will be done through the properties configuration file for the distributed Kafka Connect workers. It will add the following new options:
- rest.security.protocol
- rest.ssl.keystore.location
- rest.ssl.keystore.password
- rest.ssl.keystore.type
- rest.ssl.key.password
- rest.ssl.truststore.location
- rest.ssl.truststore.password
- rest.ssl.truststore.type
- rest.ssl.enabled.protocols
- rest.ssl.provider
- rest.ssl.protocol
- rest.ssl.cipher.suites
- rest.ssl.keymanager.algorithm
- rest.ssl.secure.random.implementation
- rest.ssl.trustmanager.algorithm
- rest.ssl.clientAuth
The rest.security.protocol option will support only the values PLAINTEXT and SSL. PLAINTEXT will be the default value and will keep all SSL / TLS functionality disabled to preserve backwards compatibility.
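Because PLAINTEXT stays the default, a worker only gets an encrypted and authenticated REST interface if its properties file opts in. The following is an added example, not code from this KIP or from the Kafka project: a small audit of a worker properties file against the options listed above. The function names, sample paths and the "required" value for rest.ssl.clientAuth are assumptions; the KIP does not list the accepted values for that option.

```python
# Added example (not Kafka project code): audit worker properties for the KIP's rest.* options.

def parse_properties(text):
    """Parse the simple key=value subset of the Java .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_rest_config(props):
    """Return a list of findings for the REST listener settings."""
    # The KIP makes PLAINTEXT the default, so a missing key means no TLS.
    protocol = props.get("rest.security.protocol", "PLAINTEXT")
    if protocol not in ("PLAINTEXT", "SSL"):
        return ["rest.security.protocol: unsupported value %r" % protocol]
    findings = []
    if protocol == "PLAINTEXT":
        findings.append("REST interface is plain HTTP: connector configs, "
                        "including passwords, travel unencrypted")
        if any(k.startswith("rest.ssl.") for k in props):
            findings.append("rest.ssl.* options are set but SSL / TLS stays "
                            "disabled while the protocol is PLAINTEXT")
        return findings
    if not props.get("rest.ssl.keystore.location"):
        findings.append("SSL selected but rest.ssl.keystore.location is unset")
    # ASSUMPTION: "required" is the enforcing value, borrowed from the
    # broker's ssl.client.auth; the KIP does not list the accepted values.
    if props.get("rest.ssl.clientAuth") != "required":
        findings.append("client certificates are not required: anyone who "
                        "can reach the interface can add connectors")
    elif not props.get("rest.ssl.truststore.location"):
        findings.append("rest.ssl.truststore.location is unset: name the "
                        "trust store that client certificates must chain to")
    return findings

# Constructed sample inputs (paths, password and group id are made up).
LEGACY = "group.id=connect-cluster\n"
HARDENED = """\
rest.security.protocol=SSL
rest.ssl.keystore.location=/etc/connect/rest.keystore.jks
rest.ssl.keystore.password=example-only
rest.ssl.truststore.location=/etc/connect/rest.truststore.jks
rest.ssl.clientAuth=required
"""
```

An empty list from audit_rest_config(parse_properties(HARDENED)) means no findings, while the LEGACY sample reports the plain HTTP default.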
Migration Plan and Compatibility
This KIP is a new implementation and doesn't have any backwards compatibility issues or special requirements on migration from older versions. Existing Kafka Connect installations will work in the same way as before this change. Without the SSL configuration, the REST interface will continue to be configured as today, i.e. without SSL / TLS.
Rejected Alternatives
n/a