无法为Kafka Connect REST API配置SSL [英] Unable to configure SSL for Kafka Connect REST API
问题描述
我正在尝试为Kafka Connect REST API(2.11-2.1.0)配置SSL.
I'm trying to configure SSL for Kafka Connect REST API (2.11-2.1.0).
问题
我尝试了两种配置(工作器配置):
I tried two configurations (worker config):
- 带有
listeners.https.
前缀
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
listeners.https.ssl.key.password=mypassword
- 且没有
listeners.https.
前缀 - and without
listeners.https.
prefix
listeners=https://localhost:9000
ssl.keystore.location=/mypath/keystore.jks
ssl.keystore.password=mypassword
ssl.key.password=mypassword
两种配置均开始正常运行,并在尝试连接到 https://localhost:9000 时显示以下异常:
Both configurations starts OK, and show following exception when trying to connect to https://localhost:9000 :
javax.net.ssl.SSLHandshakeException: no cipher suites in common
在日志中,我看到SslContextFactory是使用任何密钥库创建的,但是使用了密码:
In log, I see that SslContextFactory was created with any keystore, but with ciphers:
210824 ssl.SslContextFactory:350 DEBUG: Selected Protocols [TLSv1.2, TLSv1.1, TLSv1] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
210824 ssl.SslContextFactory:351 DEBUG: Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ...]
210824 component.AbstractLifeCycle:177 DEBUG: STARTED @10431ms SslContextFactory@42f8285e[provider=null,keyStore=null,trustStore=null]
我做了什么
据我所知,密钥库中的密码绝对正确,因此我深入研究了源代码,并开始进行调试.
What I did
As I know that password from keystore is absolutely correct, I digged into source code, and started to debug.
最后,我发现既未考虑普通的ssl.*
配置也不考虑前缀的listeners.https.ssl.*
配置,这表明当前无法为Kafka Connect REST API配置SSL.
Finally, I find out that neither plain ssl.*
nor prefixed listeners.https.ssl.*
configurations are not taken into account, and it turns that there is not possibility to configure SSL for Kafka Connect REST API currently.
呼叫顺序为:
- RestServer.createConnector
- SSLUtils.createSslContextFactory
- AbstractConfig.valuesWithPrefixAllOrNothing
最后的方法是麻烦的原因.
Last method is the reason of troubles.
如果具有listeners.https.
属性,则无法返回它们,因为它们在第254行被滤除(因为WorkerConfig不包含带有前缀的属性).
If we have listeners.https.
properties, they cannot be returned, because they filtered out at line 254 (since WorkerConfig contains no properties with the prefix).
否则,如果我们具有未前缀的ssl.
属性,则它们也不会返回,因为values
字段仅包含来自同一WorkerConfig的已知属性(values
是
Otherwise, if we have unprefixed ssl.
properties, they also not returned, because values
field contains only known properties from the same WorkerConfig (values
are result of ConfigDef.parse).
我是否缺少某些东西,是否有人成功为kafka connect rest api配置了SSL?
Am I missing something, and has anyone successfully configured SSL for kafka connect rest api ?
推荐答案
尝试导出KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf
,其中kf_jaas.conf
包含ZooKeeper客户端身份验证
Try export KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf
where kf_jaas.conf
contains ZooKeeper client authentication
这篇关于无法为Kafka Connect REST API配置SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!