Unable to configure SSL for Kafka Connect REST API
Problem description
I'm trying to configure SSL for Kafka Connect REST API (2.11-2.1.0).
Problem
I tried two configurations (worker config):
- with the listeners.https. prefix
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
listeners.https.ssl.key.password=mypassword
- and without the listeners.https. prefix
listeners=https://localhost:9000
ssl.keystore.location=/mypath/keystore.jks
ssl.keystore.password=mypassword
ssl.key.password=mypassword
Both configurations start OK, and show the following exception when trying to connect to https://localhost:9000:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
In the log, I see that SslContextFactory was created with any keystore, but with ciphers:
210824 ssl.SslContextFactory:350 DEBUG: Selected Protocols [TLSv1.2, TLSv1.1, TLSv1] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
210824 ssl.SslContextFactory:351 DEBUG: Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ...]
210824 component.AbstractLifeCycle:177 DEBUG: STARTED @10431ms SslContextFactory@42f8285e[provider=null,keyStore=null,trustStore=null]
What I did
As I know that the password from the keystore is absolutely correct, I dug into the source code and started to debug.
Finally, I found out that neither plain ssl.* nor prefixed listeners.https.ssl.* configurations are taken into account, and it turns out that there is no possibility to configure SSL for Kafka Connect REST API currently.
The call sequence is:
- RestServer.createConnector
- SSLUtils.createSslContextFactory
- AbstractConfig.valuesWithPrefixAllOrNothing
The last method is the reason for the troubles.
If we have listeners.https. properties, they cannot be returned, because they are filtered out at line 254 (since WorkerConfig contains no properties with the prefix).
Otherwise, if we have unprefixed ssl. properties, they are also not returned, because the values field contains only known properties from the same WorkerConfig (values are the result of ConfigDef.parse).
Am I missing something, and has anyone successfully configured SSL for the Kafka Connect REST API?
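A check for the symptom described in the question, as an added example that is not part of the original post and not Kafka's own code: it compares the worker config with Jetty's DEBUG output and flags an https listener whose keystore setting never reached SslContextFactory (keyStore=null). The sample input is constructed from the lines quoted above; the function names and finding codes are made up for this example.

```python
import re

# Constructed sample input, shaped like the worker config and Jetty DEBUG line in the question.
WORKER_PROPS = """\
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
"""
JETTY_LOG = """\
210824 component.AbstractLifeCycle:177 DEBUG: STARTED @10431ms SslContextFactory@42f8285e[provider=null,keyStore=null,trustStore=null]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

STARTED = re.compile(r"STARTED .*?SslContextFactory@\w+\[(?P<fields>[^\]]*)\]")
# Both spellings tried in the question: prefixed and unprefixed.
KEYSTORE_KEY = re.compile(r"^(listeners\.https\.)?ssl\.keystore\.location$")


def parse_props(text):
    """Parse key=value lines of a .properties-style worker config."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(props_text, log_text):
    """Report TLS settings that were configured but never reached Jetty."""
    props = parse_props(props_text)
    https = [u.strip() for u in props.get("listeners", "").split(",")
             if u.strip().lower().startswith("https://")]
    keystore_keys = sorted(k for k in props if KEYSTORE_KEY.match(k))
    findings = []
    for line in log_text.splitlines():
        started = STARTED.search(line)
        if started and https and keystore_keys:
            fields = dict(f.split("=", 1) for f in started["fields"].split(",") if "=" in f)
            if fields.get("keyStore") == "null":
                findings.append(("KEYSTORE_NOT_APPLIED", ", ".join(keystore_keys)))
        if "SSLHandshakeException: no cipher suites in common" in line:
            findings.append(("HANDSHAKE_FAILED", line.strip()))
    return findings


if __name__ == "__main__":
    for code, detail in audit(WORKER_PROPS, JETTY_LOG):
        print(code, detail)
```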
Recommended answer
Try export KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf
where kf_jaas.conf contains ZooKeeper client authentication