KAFKA-8890: Make SSL context/engine configuration extensible (KIP-519) (

apache#8338)
vinclv · Apr 8, 2020 · 9ba49b8 · 9ba49b8
1 parent 833dc77
commit 9ba49b8
Show file tree

Hide file tree

Showing 11 changed files with 493 additions and 191 deletions.
diff --git a/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
@@ -110,6 +110,9 @@ public class SslConfigs {
     public static final String SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG = "ssl.secure.random.implementation";
     public static final String SSL_SECURE_RANDOM_IMPLEMENTATION_DOC = "The SecureRandom PRNG implementation to use for SSL cryptography operations. ";
 
+    public static final String SSL_ENGINE_FACTORY_CLASS_CONFIG = "ssl.engine.factory.class";
+    public static final String SSL_ENGINE_FACTORY_CLASS_DOC = "The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. Default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory";
+
     /**
      * @deprecated As of 1.0.0. This field will be removed in a future major release.
      */
@@ -136,7 +139,8 @@ public static void addClientSslSupport(ConfigDef config) {
                 .define(SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG, ConfigDef.Type.STRING, SslConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM, ConfigDef.Importance.LOW, SslConfigs.SSL_KEYMANAGER_ALGORITHM_DOC)
                 .define(SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG, ConfigDef.Type.STRING, SslConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM, ConfigDef.Importance.LOW, SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_DOC)
                 .define(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, ConfigDef.Type.STRING, SslConfigs.DEFAULT_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, ConfigDef.Importance.LOW, SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC)
-                .define(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG, ConfigDef.Type.STRING, null, ConfigDef.Importance.LOW, SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_DOC);
+                .define(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG, ConfigDef.Type.STRING, null, ConfigDef.Importance.LOW, SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_DOC)
+                .define(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG, ConfigDef.Type.CLASS, null, ConfigDef.Importance.LOW, SslConfigs.SSL_ENGINE_FACTORY_CLASS_DOC);
     }
 
     public static final Set<String> RECONFIGURABLE_CONFIGS = Utils.mkSet(
@@ -157,5 +161,6 @@ public static void addClientSslSupport(ConfigDef config) {
             SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG,
             SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG,
             SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG,
-            SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG);
+            SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG,
+            SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG);
 }
diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/SslEngineFactory.java b/clients/src/main/java/org/apache/kafka/common/security/auth/SslEngineFactory.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.kafka.common.security.auth;
+
+import org.apache.kafka.common.Configurable;
+
+import javax.net.ssl.SSLEngine;
+import java.io.Closeable;
+import java.security.KeyStore;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Plugin interface for allowing creation of SSLEngine object in a custom way.
+ * Example: You want to use custom way to load your key material and trust material needed for SSLContext.
+ * However, keep in mind that this is complementary to the existing Java Security Provider's mechanism and not a competing
+ * solution.
+ */
+public interface SslEngineFactory extends Configurable, Closeable {
+
+    /**
+     * Create a new SSLEngine object to be used by the client.
+     *
+     * @param peerHost               The peer host to use. This is used in client mode if endpoint validation is enabled.
+     * @param peerPort               The peer port to use. This is a hint and not used for validation.
+     * @param endpointIdentification Endpoint identification algorithm for client mode.
+     * @return The new SSLEngine.
+     */
+    SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification);
+
+    /**
+     * Create a new SSLEngine object to be used by the server.
+     *
+     * @param peerHost               The peer host to use. This is a hint and not used for validation.
+     * @param peerPort               The peer port to use. This is a hint and not used for validation.
+     * @return The new SSLEngine.
+     */
+    SSLEngine createServerSslEngine(String peerHost, int peerPort);
+
+    /**
+     * Returns true if SSLEngine needs to be rebuilt. This method will be called when reconfiguration is triggered on
+     * {@link org.apache.kafka.common.security.ssl.SslFactory}. Based on the <i>nextConfigs</i>, this method will
+     * decide whether underlying SSLEngine object needs to be rebuilt. If this method returns true, the
+     * {@link org.apache.kafka.common.security.ssl.SslFactory} will re-create instance of this object and run other
+     * checks before deciding to use the new object for the <i>new incoming connection</i> requests.The existing connections
+     * are not impacted by this and will not see any changes done as part of reconfiguration.
+     *
+     * <pre>
+     *     Example: If the implementation depends on the file based key material it can check if the file is updated
+     *     compared to the previous/last-loaded timestamp and return true.
+     * </pre>
+     *
+     * @param nextConfigs       The configuration we want to use.
+     * @return                  True only if the underlying SSLEngine object should be rebuilt.
+     */
+    boolean shouldBeRebuilt(Map<String, Object> nextConfigs);
+
+    /**
+     * Returns the names of configs that may be reconfigured.
+     */
+    Set<String> reconfigurableConfigs();
+
+    /**
+     * Returns keystore.
+     * @return
+     */
+    KeyStore keystore();
+
+    /**
+     * Returns truststore.
+     * @return
+     */
+    KeyStore truststore();
+}