Support keystore with multiple alias entries #17560
base: trunk
Conversation
…to true when the keystore location string is actually a base64 encoded keystore string used in the PCF environments.
…h multiple alias entries
Thanks for the PR. This seems like a nice improvement; however, since it's introducing a new configuration, you need to create a KIP to propose this change. See https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals
This PR is being marked as stale since it has not had any activity in 90 days. If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed.
@rahulnirgude Are you still interested in contributing this feature? I see you drafted a KIP (https://cwiki.apache.org/confluence/display/KAFKA/KIP-1117%3A+Support+keystore+with+multiple+alias+entries), but it's not complete and you've not started a discussion on the mailing list.
Client applications use SSL/TLS to connect with Kafka brokers in order to implement secured communication. The clients initiate SSL communication with Kafka brokers using the SSL Engine constructed from the ssl.* properties pointing to the key store and trust store. This PR addresses a couple of important enhancements related to how the key store is loaded for secured communication with Kafka brokers.
Problem:
Most of the time, the key store on the client side contains a single key. But when the key store contains multiple keys, in order to avoid SSL handshake issues or authorization issues communicating with Kafka brokers, it is required to choose the right key from the key store.
Solution:
The key can be identified via its key alias while constructing the SSL engine. This requires the client to provide a new property, ssl.keystore.alias, that points to the key alias within the key store. The key manager implementation is modified to return the named key to be used for building the SSL Engine.
Example configuration:
ssl.keystore.alias=<alias.name>
Ashutosh Gijare and Moreshwar Dayte from Mastercard have contributed to this implementation.