You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Status

Current state: Under Discussion

Discussion thread: tba

JIRA: KAFKA-4029

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Kafka Connect has a REST interface for managing and monitoring connectors. Currently this REST interface is using only plain HTTP without any encryption and authentication. This is not ideal because:

  • The interface might be used to transfer sensitive information (e.g. passwords in Kafka Connect connector configurations)
  • Anyone with access to the interface can add connectors (which can forward sensitive messages from Kafka brokers somewhere else)

Extending the REST interface with support for SSL / TLS encryption and SSL / TLS client authentication could address these issues.

Proposed Change

This KIP proposes enabling SSL support in the Jetty HTTP server. Jetty already supports SSL / TLS. So the main work in this KIP will be around enabling and configuring SSL / TLS. 

This proposal expects that the user will either choose HTTP or HTTPS. It doesn't provide support for using both in parallel. See "Rejected Alternatives" for more details.

Public Interfaces

Configuration of SSL / TLS for the Kafka Connect REST interface will follow the configuration for other SSL / TLS enabled server interfaces. It will be done through the properties configuration file for the distributed Kafka Connect workers. It will add following new options:

  • rest.security.protocol
  • rest.ssl.keystore.location
  • rest.ssl.keystore.password
  • rest.ssl.keystore.type
  • rest.ssl.key.password
  • rest.ssl.truststore.location
  • rest.ssl.truststore.password
  • rest.ssl.truststore.type
  • rest.ssl.enabled.protocols
  • rest.ssl.provider
  • rest.ssl.protocol
  • rest.ssl.cipher.suites
  • rest.ssl.keymanager.algorithm
  • rest.ssl.secure.random.implementation
  • rest.ssl.trustmanager.algorithm
  • rest.ssl.clientAuth

The rest.security.protocol option will support only PLAINTEXT and SSL values. PLAINTEXT will be the default value and will keep all SSL/TLS functionality disabled to keep the backwards compatibility. The other options would follow the semantics of the same options in the Kafka broker.

Migration Plan and Compatibility

This KIP is a new implementation and doesn't have any backwards compatibility issues or special requirements on migration from older versions. Existing Kafka Connect installation would work in the same way as before this change. Without the SSL configuration, the REST interface will continue to be configured as today - i.e. without SSL / TLS.

Rejected Alternatives

Technically it would be possible to define multiple "listeners". For example one with HTTP and one with HTTPS. However, given the functionality provided over the REST interface I see only limited value in it. And therefore I rejected it. If you see some value / use case in this, please raise it in the discussion.

  • No labels