kafka-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-4525) Kafka should not require SSL trust store password
Date Mon, 12 Dec 2016 20:27:58 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-4525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15743052#comment-15743052 ]

ASF GitHub Bot commented on KAFKA-4525:

GitHub user granthenke opened a pull request:


    KAFKA-4525: Kafka should not require SSL trust store password


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/granthenke/kafka truststore-password

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2246

commit 47186bb1c87aa96bddcbb7b3a3841fe5d02b6792
Author: Grant Henke <ghenke@cloudera.com>
Date:   2016-12-12T20:21:10Z

    KAFKA-4525: Kafka should not require SSL trust store password


> Kafka should not require SSL trust store password
> -------------------------------------------------
>                 Key: KAFKA-4525
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4525
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions:
>            Reporter: Grant Henke
>            Assignee: Grant Henke
> When configuring SSL for Kafka, if the truststore password is not set, Kafka fails to start with:
> {noformat}
> org.apache.kafka.common.KafkaException: SSL trust store is specified, but trust store password is not specified.
> 	at org.apache.kafka.common.security.ssl.SslFactory.createTruststore(SslFactory.java:195)
> 	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:115)
> {noformat}
> The truststore password is not required for read operations. When reading the truststore the password is used as an integrity check but not required.
> The risk of not providing a password is that someone could add a certificate into the store which you do not want to trust. The store should be protected first by the OS permissions. The password is an additional protection.
> Though this risk of trusting the OS permissions is one many may not want to take, it's not a decision that Kafka should enforce or require.

This message was sent by Atlassian JIRA
