- SSL configs will be updated by reconfiguring ChannelBuilder and creating a new SslFactory. If SSL is used for inter-broker communication, inconsistent changes (e.g. changing CA) should be made by adding a new listener with the new properties. This is true for SASL as well.
- SASL configuration updates will be supported using the dynamic JAAS configuration option.
- Updates to advertised.listeners will re-register the new listener in ZK. This update will not be allowed for the listener used in inter-broker communication. In addition to this, AdminClient will not allow updates to the listener that was used to make the alter request.
- When changes are made to listeners, additional logic will be required in the controller to broadcast the updated metadata to all brokers.
- All the security configs can be dynamically configured for new listeners. In the initial implementation, only some configs will be dynamically updatable for existing listeners (e.g. SSL keystores). Support for updating other security configs dynamically for existing listeners will be added later.
- Configuration updates will not be allowed for the listener used in inter-broker communication. This KIP will not allow dynamic updates to inter-broker security protocol or listener name. Support for changing inter-broker security configuration without a restart will be done in a follow-on KIP along with additional validation to ensure that all brokers have enabled the new config.
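
The restrictions in the list above can be modelled as a pre-flight check that an operator runs over a proposed set of updates before submitting them. This is an added example, not code from the KIP or from Kafka. It assumes that Kafka's `listener.name.<listener>.` prefix is used for per-listener configs, that the existing listeners are the ones in the current advertised.listeners value, and that "e.g. SSL keystores" covers the four keystore configs named in the code. The function names and sample values are constructed.

```python
PREFIX = "listener.name."
# Assumption: the configs updatable on an existing listener ("e.g. SSL keystores").
UPDATABLE_ON_EXISTING = {"ssl.keystore.location", "ssl.keystore.password",
                         "ssl.keystore.type", "ssl.key.password"}

def parse_advertised(value):
    """'EXTERNAL://h:9093,INTERNAL://h:9092' -> {'external': 'h:9093', ...}"""
    out = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        name, _, addr = entry.partition("://")
        out[name.lower()] = addr
    return out

def check_updates(updates, current_advertised, inter_broker, request_listener):
    """Return {config_key: reason} for every update the listed rules reject."""
    existing = parse_advertised(current_advertised)
    inter_broker, request_listener = inter_broker.lower(), request_listener.lower()
    rejected = {}
    for key, value in updates.items():
        if key == "advertised.listeners":
            new = parse_advertised(value)
            changed = {n for n in existing.keys() | new.keys()
                       if existing.get(n) != new.get(n)}
            if inter_broker in changed:
                rejected[key] = "changes the inter-broker listener"
            elif request_listener in changed:
                rejected[key] = "changes the listener used for the alter request"
        elif key.startswith(PREFIX):
            listener, _, cfg = key[len(PREFIX):].lower().partition(".")
            if listener == inter_broker:
                rejected[key] = "inter-broker listener is not updatable"
            elif listener in existing and cfg not in UPDATABLE_ON_EXISTING:
                rejected[key] = "not dynamically updatable on an existing listener"
    return rejected

# Constructed sample input: three existing listeners, request sent over ADMIN.
SAMPLE_ADVERTISED = "INTERNAL://b0:9092,EXTERNAL://b0.example.com:9093,ADMIN://b0:9094"
SAMPLE_UPDATES = {
    "listener.name.external.ssl.keystore.location": "/constructed/new.jks",
    "listener.name.external.ssl.truststore.location": "/constructed/new-ca.jks",
    "listener.name.internal.ssl.keystore.location": "/constructed/new.jks",
    "listener.name.external2.ssl.truststore.location": "/constructed/new-ca.jks",
    "advertised.listeners":
        "INTERNAL://b0:9092,EXTERNAL://b0.example.com:9093,ADMIN://b0-new:9094",
}
```

With the sample input, the keystore change on the existing EXTERNAL listener and the new-CA truststore on the not-yet-existing EXTERNAL2 listener pass, which matches the guidance to introduce a changed CA through a new listener.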