kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nikolay Izhikov <nizhi...@apache.org>
Subject Re: Config command to describe SSL certificate paramters
Date Thu, 03 Dec 2020 09:49:26 GMT
Hello, Igor.

Yes, we can.
But, it requires access 
	a. To the broker server via SSH
	b. To the JKS file itself: One who wants to get params must know JKS password and has read
permission for the file.

It seems to me that this kind of permissions is too high for a simple «know when cert will
expire» task.

My idea is to expose SSL param with AdminCommand so they can be easily obtained
and used in some kind of automation or alerting or third-party UI tool.

What do you think?

> 3 дек. 2020 г., в 12:32, Igor Soarez <i@soarez.me> написал(а):
> Hi Nikolay,
> You can use OpenSSL s_client to check all these things.
> https://www.openssl.org/docs/manmaster/man1/s_client.html
> --
> Igor
> On Wed, Dec 2, 2020, at 5:44 PM, Nikolay Izhikov wrote:
>> Hello.
>> Kafka has an ability to configure SSL connections between brokers and clients.
>> SSL certificates has different params such as
>> 	*	issuer
>> 	*	CN
>> 	*	validity date 
>> and so on.
>> Values of these parameters important during maintenance:
>> 	*	checking correctness of deployment
>> 	*	planning for certification renewal (validity date)
>> AFAIK, Kafka doesn’t have a standard way to expose parameters of 
>> configured SSL certificates.
>> I think we can return those parameters as a result of some Admin command.
>> `./bin/kafka-configs.sh —entity-type ssl-certificates —describe` 
>> What do you think?
>> I can create KIP if this idea is supported by the community.

View raw message