This article covers how to deal with being unable to configure SSL for the Kafka Connect REST API.

Problem description

I'm trying to configure SSL for Kafka Connect REST API (2.11-2.1.0).

Problem

I tried two configurations (worker config):

  • with listeners.https. prefix
      listeners=https://localhost:9000
      listeners.https.ssl.keystore.location=/mypath/keystore.jks
      listeners.https.ssl.keystore.password=mypassword
      listeners.https.ssl.key.password=mypassword

  • and without listeners.https. prefix
      listeners=https://localhost:9000
      ssl.keystore.location=/mypath/keystore.jks
      ssl.keystore.password=mypassword
      ssl.key.password=mypassword

Both configurations start OK, and show the following exception when trying to connect to https://localhost:9000:

      javax.net.ssl.SSLHandshakeException: no cipher suites in common
      

In the log, I see that SslContextFactory was created with any keystore, but with ciphers:

      210824 ssl.SslContextFactory:350 DEBUG: Selected Protocols [TLSv1.2, TLSv1.1, TLSv1] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
      210824 ssl.SslContextFactory:351 DEBUG: Selected Ciphers   [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ...]
      210824 component.AbstractLifeCycle:177 DEBUG: STARTED @10431ms SslContextFactory@42f8285e[provider=null,keyStore=null,trustStore=null]
      

What I did

As I know that the password from the keystore is absolutely correct, I dug into the source code and started to debug.

Finally, I found out that neither plain ssl.* nor prefixed listeners.https.ssl.* configurations are taken into account, and it turns out that there is no possibility to configure SSL for Kafka Connect REST API currently.

The call sequence is:

1. RestServer.createConnector
2. SSLUtils.createSslContextFactory
3. AbstractConfig.valuesWithPrefixAllOrNothing

The last method is the reason for the troubles.

If we have listeners.https. properties, they cannot be returned, because they are filtered out at line 254 (since WorkerConfig contains no properties with the prefix).

Otherwise, if we have unprefixed ssl. properties, they are also not returned, because the values field contains only known properties from the same WorkerConfig (values are the result of ConfigDef.parse).

Am I missing something, and has anyone successfully configured SSL for the Kafka Connect REST API?
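
The filtering described in the question can be modelled in a few lines. This is an added example, not Kafka's source code and not part of the original post; the class name, the DEFINED_KEYS set and the sslSettings helper are assumptions that encode the asker's description (a config definition that declares no ssl.* keys).

```java
import java.util.*;

// Simplified model of the behaviour described in the question; not Kafka source.
public class PrefixLookupModel {
    // Assumption: the worker's config definition declares no ssl.* keys.
    static final Set<String> DEFINED_KEYS =
            new HashSet<>(Arrays.asList("listeners", "bootstrap.servers"));

    // Parsing keeps only keys that the definition declares.
    static Map<String, String> parse(Map<String, String> originals) {
        Map<String, String> values = new TreeMap<>(originals);
        values.keySet().retainAll(DEFINED_KEYS);
        return values;
    }

    // If any original key carries the prefix, return the prefixed keys (prefix
    // stripped) that the definition declares; otherwise return the parsed values.
    static Map<String, String> valuesWithPrefixAllOrNothing(
            Map<String, String> originals, String prefix) {
        Map<String, String> stripped = new TreeMap<>();
        for (Map.Entry<String, String> e : originals.entrySet()) {
            if (e.getKey().startsWith(prefix)) {
                stripped.put(e.getKey().substring(prefix.length()), e.getValue());
            }
        }
        if (stripped.isEmpty()) return parse(originals);
        stripped.keySet().retainAll(DEFINED_KEYS);
        return stripped;
    }

    // The ssl.* entries that would reach the SSL context factory.
    static Map<String, String> sslSettings(Map<String, String> originals) {
        Map<String, String> ssl =
                new TreeMap<>(valuesWithPrefixAllOrNothing(originals, "listeners.https."));
        ssl.keySet().removeIf(k -> !k.startsWith("ssl."));
        return ssl;
    }

    public static void main(String[] args) {
        Map<String, String> prefixed = new HashMap<>();   // constructed sample input
        prefixed.put("listeners", "https://localhost:9000");
        prefixed.put("listeners.https.ssl.keystore.location", "/mypath/keystore.jks");
        Map<String, String> plain = new HashMap<>();      // constructed sample input
        plain.put("listeners", "https://localhost:9000");
        plain.put("ssl.keystore.location", "/mypath/keystore.jks");
        System.out.println("prefixed -> " + sslSettings(prefixed));
        System.out.println("plain    -> " + sslSettings(plain));
    }
}
```

Under that assumption both worker configs yield an empty SSL map, which matches the keyStore=null line in the log: with no key material loaded, the server has no certificate to offer and the handshake ends in "no cipher suites in common".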

Recommended answer

Try export KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf where kf_jaas.conf contains ZooKeeper client authentication


08-24 00:42