KAFKA-8336; Enable dynamic reconfiguration of broker's client-side certs#6721
Merged
rajinisivaram merged 1 commit intoapache:trunkfrom May 15, 2019
Merged
Conversation
rajinisivaram
force-pushed
the
KAFKA-8336-clientcert-update
branch
from
65ab26f to
8c96241
Compare
omkreddy
approved these changes
May 15, 2019
Contributor
omkreddy
left a comment
omkreddy
left a comment
There was a problem hiding this comment.
@rajinisivaram Thanks for the PR. LGTM.
Contributor
Author
|
@omkreddy Thanks for the review, merging to trunk |
pengxiaolong
pushed a commit
to pengxiaolong/kafka
that referenced
this pull request
Jun 14, 2019
…rts (apache#6721) Enable reconfiguration of SSL keystores and truststores in client-side channel builders used by brokers for controller, transaction coordinator and replica fetchers. This enables brokers using TLS mutual authentication for inter-broker listener to use short-lived certs that may be updated before expiry without restarting brokers. Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>
|
@rajinisivaram @omkreddy How would I use this feature? I would like to assign short-lived certificates to the clients. I would like to know if I need to provide additional config at the broker and/or client level to use this feature? |
Contributor
Author
|
@abhishekvm We currently support dynamic updates of certificates only for brokers. This PR was enabling updates of certificates for client-side connections made by brokers (e.g connections made by the controller). For client applications, we don't have dynamic update feature yet. |
|
@rajinisivaram If I understand correctly, do you mean that we can't update the producer/consumer keystores dynamically? |
|
So if I want to add a fresh client I can add the certificate in the trusted client trust store and it woule be accepted? Is this correct? |
showuon
pushed a commit
that referenced
this pull request
Jul 9, 2022
…ler connection (#12381) What: When a certificate is rotated on a broker via dynamic configuration and the previous certificate expires, the broker to controller connection starts failing with SSL Handshake failed. Why: A similar fix was earlier performed in #6721 but when BrokerToControllerChannelManager was introduced in v2.7, we didn't enable dynamic reconfiguration for it's channel. Summary of testing strategy (including rationale) Add a test which fails prior to the fix done in the PR and succeeds afterwards. The bug wasn't caught earlier because there was no test coverage to validate the scenario. Reviewers: Luke Chen <showuon@gmail.com>
showuon
pushed a commit
that referenced
this pull request
Jul 9, 2022
…ler connection (#12381) What: When a certificate is rotated on a broker via dynamic configuration and the previous certificate expires, the broker to controller connection starts failing with SSL Handshake failed. Why: A similar fix was earlier performed in #6721 but when BrokerToControllerChannelManager was introduced in v2.7, we didn't enable dynamic reconfiguration for it's channel. Summary of testing strategy (including rationale) Add a test which fails prior to the fix done in the PR and succeeds afterwards. The bug wasn't caught earlier because there was no test coverage to validate the scenario. Reviewers: Luke Chen <showuon@gmail.com>
showuon
pushed a commit
that referenced
this pull request
Jul 12, 2022
…ler connection (#12381) What: When a certificate is rotated on a broker via dynamic configuration and the previous certificate expires, the broker to controller connection starts failing with SSL Handshake failed. Why: A similar fix was earlier performed in #6721 but when BrokerToControllerChannelManager was introduced in v2.7, we didn't enable dynamic reconfiguration for it's channel. Summary of testing strategy (including rationale) Add a test which fails prior to the fix done in the PR and succeeds afterwards. The bug wasn't caught earlier because there was no test coverage to validate the scenario. Reviewers: Luke Chen <showuon@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Enable reconfiguration of SSL keystores and truststores in client-side channel builders used by brokers for controller, transaction coordinator and replica fetchers. This enables brokers using TLS mutual authentication for inter-broker listener to use short-lived certs that may be updated before expiry without restarting brokers.
Committer Checklist (excluded from commit message)