kafka-users mailing list archives
From Tom Bentley <tbent...@redhat.com>
Subject Re: Using encrypted distributed worker file
Date Mon, 15 Jun 2020 08:44:56 GMT
Hi Ashish,

KIP-297[1] added support for "config providers", which allow a config file
to have an indirect reference to secrets stored elsewhere. While it doesn't
sound like the provided FileConfigProvider would be suitable for your
needs, you could provide your own ConfigProvider to implement a secret
distribution mechanism of your choice. FWIW KIP-421[2] extended config
providers to basically every other config in Kafka.

Hope that helps.

Tom

[1]:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-297%3A+Externalizing+Secrets+for+Connect+Configurations
[2]:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=100829515

On Fri, Jun 12, 2020 at 6:36 PM ashish sood <ashishsood5@gmail.com> wrote:

> Hi Team,
>
> Any help would be greatly appreciated.
>
> I am looking for a way to store the passwords in
> encrypted/hashed format in the distributed worker properties file.
>
> Regards
> Ashish Sood
>
> On Tue, Jun 2, 2020 at 12:42 AM ashish sood <ashishsood5@gmail.com> wrote:
>
> > Hi All,
> >
> > I am running a distributed worker that connects to a Kafka infrastructure
> > over TLS and SCRAM authentication. In addition to this, the REST API
> > interface is also secured with userid/password authentication. Hence my
> > config has a lot of passwords (keystore, truststore, JAAS config etc.).
> >
> > Currently, I am storing the distributed worker config file in encrypted
> > form on the server and have configured a script to decrypt the file and start
> > the worker process. After starting the process, the decrypted file is
> > deleted.
> >
> > Is there a cleaner way of doing this? A better way of running the
> > distributed worker while ensuring the distributed worker config file does
> > not expose the sensitive passwords?
> >
> > Regards
> > Ashish Sood
> >
>
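To make the config-provider route concrete, below is an added example of a custom ConfigProvider; it is not code from Kafka or from either poster, and the class name, package, the `key.env` parameter and the file layout are my own assumptions. It resolves `${enc:<file>:<key>}` references by reading a properties file whose values are `base64(12-byte IV || AES-GCM ciphertext)` and decrypting them with a 256-bit key taken from an environment variable. Two caveats worth stating up front: the passwords in the original question (keystore, SCRAM, REST basic auth) cannot be stored hashed, because the worker has to present them, so encryption with a separately provisioned key is the realistic option; and the provider only moves the root secret, it does not remove it. The plaintext still exists in worker memory once resolved, and whatever holds the AES key (here an environment variable; a real deployment would more likely fetch it from a KMS or Vault-style service) becomes the thing to protect.

```java
package com.example; // assumed package; the jar must be on the worker's plugin.path or classpath

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kafka.common.config.ConfigData;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.provider.ConfigProvider;

/*
 * Worker configuration that uses this provider (assumed names):
 *
 *   config.providers=enc
 *   config.providers.enc.class=com.example.DecryptingFileConfigProvider
 *   config.providers.enc.param.key.env=KAFKA_SECRETS_KEY
 *   ssl.keystore.password=${enc:/etc/kafka/connect-secrets.enc:ssl.keystore.password}
 *   sasl.jaas.config=${enc:/etc/kafka/connect-secrets.enc:sasl.jaas.config}
 *
 * Kafka strips the "config.providers.enc.param." prefix, so configure() sees the key "key.env".
 */
public class DecryptingFileConfigProvider implements ConfigProvider {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private SecretKeySpec key;

    @Override
    public void configure(Map<String, ?> configs) {
        Object envName = configs.get("key.env");
        String env = envName == null ? "KAFKA_SECRETS_KEY" : envName.toString();
        String b64 = System.getenv(env);
        if (b64 == null) throw new ConfigException("environment variable " + env + " is not set");
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) throw new ConfigException("expected a base64 32-byte AES key in " + env);
        key = new SecretKeySpec(raw, "AES");
    }

    @Override
    public ConfigData get(String path) {
        return get(path, null);
    }

    @Override
    public ConfigData get(String path, Set<String> keys) {
        // Only the requested keys are decrypted, so unrelated secrets stay ciphertext.
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        } catch (IOException e) {
            throw new ConfigException("cannot read encrypted properties file " + path + ": " + e.getMessage());
        }
        Map<String, String> data = new HashMap<>();
        for (String name : props.stringPropertyNames()) {
            if (keys == null || keys.contains(name)) {
                data.put(name, decrypt(props.getProperty(name)));
            }
        }
        return new ConfigData(data);
    }

    @Override
    public void close() {
        key = null;
    }

    private String decrypt(String b64) {
        byte[] blob = Base64.getDecoder().decode(b64);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            byte[] plain = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // A wrong key or a tampered value fails the GCM tag check; fail the worker start instead of
            // silently passing the ciphertext through as the password.
            throw new ConfigException("cannot decrypt value: " + e.getMessage());
        }
    }

    /** Produces one file entry: KAFKA_SECRETS_KEY=... java com.example.DecryptingFileConfigProvider '<plaintext>' */
    public static void main(String[] args) throws Exception {
        DecryptingFileConfigProvider p = new DecryptingFileConfigProvider();
        p.configure(new HashMap<>());              // reads KAFKA_SECRETS_KEY
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);          // fresh nonce per value; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, p.key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        System.out.println(Base64.getEncoder().encodeToString(blob));
    }
}
```

Generate the key once with something like `openssl rand -base64 32`, export it only into the worker's environment (not into the properties file), write each `key=<blob>` line produced by `main` into the encrypted properties file, and keep that file readable only by the worker's service account. With this in place the worker properties file on disk contains only `${enc:...}` references, so the decrypt-then-delete wrapper script from the original question is no longer needed, and Kafka's `Password` config type keeps the resolved values out of the worker's own config logging.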
