I am trying to configure SSL for the Kafka Connect REST API (2.11-2.1.0).
Problem
I tried two configurations (worker config):
With the listeners.https. prefix:
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
listeners.https.ssl.key.password=mypassword
Without the listeners.https. prefix:
listeners=https://localhost:9000
ssl.keystore.location=/mypath/keystore.jks
ssl.keystore.password=mypassword
ssl.key.password=mypassword
Both configurations start up normally, but when I try to connect to https://localhost:9000 I get the following exception:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
In the logs I can see that the SslContextFactory is created without any keystore, but with a password:
210824 ssl.SslContextFactory:350 DEBUG: Selected Protocols [TLSv1.2, TLSv1.1, TLSv1] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
210824 ssl.SslContextFactory:351 DEBUG: Selected Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ...]
210824 component.AbstractLifeCycle:177 DEBUG: STARTED @10431ms SslContextFactory@42f8285e[provider=null,keyStore=null,trustStore=null]
As far as I can tell, the keystore password is definitely correct, so I dug into the source code and started debugging.
In the end I found that neither the plain ssl.* configuration nor the listeners.https.ssl.* prefixed configuration is taken into account, which suggests that SSL currently cannot be configured for the Kafka Connect REST API.
The call sequence is:
The last method is the cause of the trouble.
If we have listeners.https. prefixed properties, they cannot be returned because they are filtered out at line 254 (since WorkerConfig does not contain the prefixed properties).
Otherwise, if we have unprefixed ssl. properties, they are not returned either, because the values field only contains the known properties of the same WorkerConfig (values is the result of ConfigDef.parse).
Am I missing something, or has anyone successfully configured SSL for the Kafka Connect REST API?
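A configuration check, added here as an example; it is not code from the question, from any answer, or from Kafka Connect itself. It models the precedence Kafka documents for the Connect REST server (listeners.https.* keys apply to the HTTPS listener and override the plain ssl.* fallback), parses worker.properties text, and reports which ssl.* settings would reach the server's SslContextFactory. A worker that ends up with keyStore=null, as in the log above, has no certificate and private key to offer, which is exactly the situation a client reports as "no cipher suites in common". The key names are the ones used in the question; the sample properties text is constructed; the precedence rule and the required-key list are assumptions of this example.

```python
"""Resolve the effective REST-listener SSL settings of a Kafka Connect worker.

Added example, not Kafka Connect's own code. Assumes the documented intent
for the Connect REST server: listeners.https.ssl.* overrides plain ssl.*.
The sample worker.properties texts below are constructed.
"""

from typing import Dict, List

LISTENER_PREFIX = "listeners.https."
# Without a keystore the HTTPS listener has no certificate or private key,
# so no cipher suite can be negotiated (assumed minimal set for this check).
REQUIRED_SSL_KEYS = ("ssl.keystore.location", "ssl.keystore.password")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a minimal Java .properties file: key=value (or key:value),
    '#'/'!' comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve_rest_ssl(props: Dict[str, str]) -> Dict[str, str]:
    """Return the ssl.* settings the HTTPS REST listener would use.

    Plain ssl.* keys form the fallback layer; listeners.https.ssl.* keys
    override them with the listener prefix stripped off.
    """
    effective: Dict[str, str] = {}
    for key, value in props.items():
        if key.startswith("ssl."):
            effective[key] = value
    for key, value in props.items():
        if key.startswith(LISTENER_PREFIX + "ssl."):
            effective[key[len(LISTENER_PREFIX):]] = value
    return effective


def missing_keystore_settings(props: Dict[str, str]) -> List[str]:
    """List required SSL keys that are absent although an https listener is
    configured. Returns an empty list when nothing is missing or when no
    https listener is configured at all."""
    listeners = props.get("listeners", "")
    if not any(item.strip().startswith("https://") for item in listeners.split(",")):
        return []
    effective = resolve_rest_ssl(props)
    return [key for key in REQUIRED_SSL_KEYS if key not in effective]


# Constructed sample: the two configurations from the question.
PREFIXED = """\
listeners=https://localhost:9000
listeners.https.ssl.keystore.location=/mypath/keystore.jks
listeners.https.ssl.keystore.password=mypassword
listeners.https.ssl.key.password=mypassword
"""

UNPREFIXED = """\
listeners=https://localhost:9000
ssl.keystore.location=/mypath/keystore.jks
ssl.keystore.password=mypassword
ssl.key.password=mypassword
"""

# Constructed sample: an https listener that would start with keyStore=null.
NO_KEYSTORE = """\
listeners=https://localhost:9000
ssl.truststore.location=/mypath/truststore.jks
"""

if __name__ == "__main__":
    for name, text in (("prefixed", PREFIXED), ("unprefixed", UNPREFIXED),
                       ("no keystore", NO_KEYSTORE)):
        props = parse_properties(text)
        print(name, resolve_rest_ssl(props),
              "missing:", missing_keystore_settings(props))
```

Running the check against a worker.properties before starting the worker turns the silent keyStore=null start into an explicit list of missing keys; it says nothing about whether the worker version actually honours the keys, which is the question's complaint.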
Answer 0: (score: 0)
Try exporting
KAFKA_OPTS=-Djava.security.auth.login.config=/apps/kafka/conf/kafka/kf_jaas.conf
where kf_jaas.conf contains the ZooKeeper client authentication.
Answer 1: (score: 0)
I have not tested the Connect REST API yet, but KafkaTemplate sends and receives messages over SSL. Based on your configuration, I might run into two problems:
I tried the test application from these examples: https://memorynotfound.com/spring-kafka-and-spring-boot-configuration-example/ and https://gist.github.com/itzg/e3ebfd7aec220bf0522e23a65b1296c8
Tested with Spring Boot 2.0.4.RELEASE, using the kafka library:
<dependency>
<groupId>org.springframework.kafka</groupId>
<artifactId>spring-kafka</artifactId>
</dependency>
Here is the content of my application.properties:
spring.application.name=my-stream-app
spring.kafka.bootstrap-servers=localhost:9093
spring.kafka.ssl.truststore-location=kafka.server.truststore.jks
spring.kafka.ssl.truststore-password=123456
spring.kafka.ssl.keystore-location=kafka.server.keystore.jks
spring.kafka.ssl.keystore-password=123456
spring.kafka.ssl.key-password=123456
spring.kafka.properties.security.protocol=SSL
spring.kafka.consumer.group-id=properties test-consumer-group
app.topic.foo=test
Kafka server configuration snippet: