
SSL without truststore and truststore password #144

Closed
Vladutu opened this issue Mar 14, 2019 · 13 comments

Comments

@Vladutu

Vladutu commented Mar 14, 2019

I would want to connect to kafka cluster with SSL_SASL enabled but without providing any truststore/keystore. Can you update to have the truststore optional?

@davidetan

I have the same issue.
Is there any additional information I can provide?

@Crim
Collaborator

Crim commented Jun 5, 2020

I have the same issue.
Is there any additional information I can provide?

Hi!
If possible an example configuration for a Kafka broker with the setup so I can replicate and test it locally would be super helpful.

Thanks!

@davidetan

davidetan commented Jun 5, 2020

Unfortunately I have no access to the Kafka Broker Configuration.
I am currently using Confluent Cloud that offers a Kafka SaaS.

This is a command that I usually use to contact kafka:

./bin/kafka-topics.sh --command-config properties.txt --bootstrap-server hostname:port

And this is the content of the properties.txt file:

ssl.endpoint.identification.algorithm=HTTPS
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="MY-USERNAME" password="MY-PASSWORD";
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
request.timeout.ms=20000

If you want and you can provide a Docker image I can test, I can try to test if the fix works.

I am also open to other solutions, if you have other ideas.

Thanks for the quick reply!

@Vladutu
Author

Vladutu commented Jun 5, 2020

When I first posted this question I also got the code to see if I could do something to make it work, and I managed to do it, but being more than 1 year ago I don't remember exactly. I know that I disabled the check for truststore in the UI and in the backend I set the filename and password to null. This is how the config looks in the UI:
[screenshot: cluster SSL configuration form in the UI]

Here are the config elements used in my application that reads/writes from Kafka. They are for Spring, but I think they map 1-to-1 to the actual Kafka properties:

SPRING_KAFKA_BOOTSTRAPSERVERS: "server:9092"
SPRING_KAFKA_PROPERTIES_SECURITY_PROTOCOL: SASL_SSL
SPRING_KAFKA_PROPERTIES_SASL_MECHANISM: PLAIN
SPRING_KAFKA_JAAS_ENABLED: "true"
SPRING_KAFKA_JAAS_CONTROL: required
SPRING_KAFKA_JAAS_LOGIN_MODULE: "org.apache.kafka.common.security.plain.PlainLoginModule"
SPRING_KAFKA_JAAS_OPTIONS_USERNAME: user
SPRING_KAFKA_JAAS_OPTIONS_PASSWORD: password
SPRING_KAFKA_PRODUCER_COMPRESSIONTYPE: lz4

@Crim
Collaborator

Crim commented Jun 5, 2020

Off on vacation for the weekend, but I'll try to take a look in the next week.

Thanks!

@davidetan

I have played a little with the code, and to make it work it was enough to comment out the last four lines of code here:

    if (cluster.isSslEnabled()) {
        builder
            .withUseSsl(cluster.isSslEnabled())
            .withKeyStoreFile(cluster.getKeyStoreFile())
            .withKeyStorePassword(secretManager.decrypt(cluster.getKeyStorePassword()))
            .withTrustStoreFile(cluster.getTrustStoreFile())
            .withTrustStorePassword(secretManager.decrypt(cluster.getTrustStorePassword()));
    }

Unfortunately, I can work on it on weekends only, and all my weekends this month are busy.
If I find the time and you have not done it yet, I will be more than happy to submit a PR.
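The change discussed above amounts to not passing truststore settings to the Kafka client when none were uploaded, so that the JVM's default trust anchors are used instead. The following is an added example, written for this thread and not code from kafka-webview, of a small Java helper that builds client properties that way while keeping hostname verification on. The class name `SaslSslClientProperties` and the `build`/`plainJaasConfig` methods are hypothetical; the `CommonClientConfigs`, `SaslConfigs` and `SslConfigs` constants are the real Kafka client ones.

```java
import java.util.Optional;
import java.util.Properties;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;

// Hypothetical helper (not kafka-webview's code): builds Kafka client properties for a
// SASL_SSL cluster where uploading a truststore is optional.
public final class SaslSslClientProperties {

    private SaslSslClientProperties() {
    }

    public static Properties build(
            final String bootstrapServers,
            final String username,
            final String password,
            final Optional<String> trustStoreFile,
            final Optional<String> trustStorePassword) {

        final Properties props = new Properties();
        props.put(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);
        props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
        props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
        props.put(SaslConfigs.SASL_JAAS_CONFIG, plainJaasConfig(username, password));

        // Hostname verification stays on whichever trust source is used: the broker
        // certificate must match the host named in bootstrap.servers.
        props.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "https");

        // Only set the truststore keys when a file was actually supplied. Leaving
        // ssl.truststore.location unset makes the Kafka client fall back to the JVM's
        // default trust anchors (cacerts), which is the behaviour this issue asks for.
        // A password without a file is rejected rather than silently dropped, so a
        // misconfigured upload does not go unnoticed.
        if (trustStoreFile.isPresent() && !trustStoreFile.get().isBlank()) {
            props.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, trustStoreFile.get());
            trustStorePassword
                .filter(p -> !p.isEmpty())
                .ifPresent(p -> props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, p));
        } else if (trustStorePassword.isPresent() && !trustStorePassword.get().isEmpty()) {
            throw new IllegalArgumentException("truststore password supplied without a truststore file");
        }
        return props;
    }

    // The JAAS line is a string the Kafka client parses; refuse credentials that could
    // break out of the quoted values instead of trying to escape them.
    static String plainJaasConfig(final String username, final String password) {
        for (final String value : new String[] {username, password}) {
            if (value == null || value.indexOf('"') >= 0 || value.indexOf('\\') >= 0) {
                throw new IllegalArgumentException("credential must not contain a quote or backslash");
            }
        }
        return "org.apache.kafka.common.security.plain.PlainLoginModule required"
            + " username=\"" + username + "\" password=\"" + password + "\";";
    }

    public static void main(final String[] args) {
        // Constructed sample values: no truststore, so the JVM default trust store is used.
        final Properties p = build("broker.example.com:9092", "user", "password",
            Optional.empty(), Optional.empty());
        p.forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

With `Optional.empty()` for both truststore arguments the resulting properties contain `security.protocol`, `sasl.mechanism`, `sasl.jaas.config` and `ssl.endpoint.identification.algorithm` but no `ssl.truststore.*` keys, which matches the properties file posted earlier in this thread; passing a file path adds the two truststore keys.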

@Crim
Collaborator

Crim commented Jun 8, 2020

Reviewing this now that I'm back at home. To make sure I understand correctly, in this scenario the JVM running kafka-webview is already configured to trust the certificate being served by your kafka cluster correct? And therefore there is no reason to upload a truststore?

I should be able to mock up this locally without much effort. How would you expect the UI to be presented? Something along the lines of:

  • Use SSL Authentication? [ Checkbox ]
    • If Checked then show: Do you need to supply a truststore for this server? [ Checkbox ]
      • If Checked then show the TrustStore upload UI as it exists.
      • If NOT checked, no need to display the truststore upload UI. No truststore file will be passed to the underlying kafka client connection.

Does that sound about right?

EDIT -- Also! Always happy to receive pull requests :)

@Vladutu
Author

Vladutu commented Jun 8, 2020

Hi. I am not very knowledgeable about certificates so I can't say for sure. The UI config looks good to me though.

@davidetan

To make sure I understand correctly, in this scenario the JVM running kafka-webview is already configured to trust the certificate being served by your kafka cluster correct? And therefore there is no reason to upload a truststore?

Exactly. In my scenario internet is reachable and the certificate can be verified using the public certificate of the CA.

I should be able to mock up this locally without much effort. How would you expect the UI to be presented? Something along the lines of:

Use SSL Authentication? [ Checkbox ]
If Checked then show: Do you need to supply a truststore for this server? [ Checkbox ]
If Checked then show the TrustStore upload UI as it exists.
If NOT checked, no need to display the truststore upload UI. No truststore file will be passed to the underlying kafka client connection

I expect exactly this behavior :)

@Crim
Collaborator

Crim commented Jun 8, 2020

Great, thanks for the confirmation. I started poking around at this a bit today.

@Crim
Collaborator

Crim commented Jun 9, 2020

I've got this mocked up locally, will push a pull request shortly.

With uploading a truststore (previous behavior): [screenshot]

Without requiring a truststore (new behavior): [screenshot]

@Crim
Collaborator

Crim commented Jun 9, 2020

I'll try to cut a release in the next day or two with this change. There are a couple other minor updates I'd like to sneak into the same release if possible.

@Crim Crim closed this as completed Jun 9, 2020
@Crim
Collaborator

Crim commented Jun 21, 2020

Released 2.6.0 with this included.
