Kafka Streams SASL and SSL config

[alesj]

Fix #4961

[gunnarmorling]

@alesj, a few comments inline. Apart from those: the docs (props table in the guide) should be updated, too. Plus, ideally the existing integration test would at least cover one simple SSL set-up, so to make sure things work in general and future regressions are avoided.

[gunnarmorling]

Why is this a string, shouldn't it be rather a double (some for some more props below)?

[alesj]

Yeah, I didn't bother, since KS's config takes care of the conversions anyway.
If you think we should, then this can easily be changed.

[gunnarmorling]

Let's ask @gsmet. My understanding is that Quarkus wants to expose properly typed options, so to offer e.g. editor support (validation) down the road.

[gsmet]

Yes, the Quarkus config should be properly typed.

[gsmet]

Yes, it should be typed.

[gunnarmorling]

Should be an int. But also worth double checking with Quarkus guidelines: should it be rather Duration, and be given as such (which would impact the option name, though, which might not be desirable as it's coming from Kafka upstream IIUC).

[gsmet]

Yeah all these properties should be Duration and we should drop the Seconds part. They will be documented so it's OK.

[gunnarmorling]

How about adding a package visible accessor?

[alesj]

What do you mean?

[gunnarmorling]

Ah, seems you get a field from the upstream KafkaStreams object. I thought about having a getter in our own object (topology manager), where we could expose a package-visible getter for testing purposes.

[alesj]

the docs (props table in the guide) should be updated,

I thought that's the beauty of having this config stuff, so it's auto-generated?

[alesj]

ideally the existing integration test would at least cover one simple SSL set-up

Yeah, working on it.

[gunnarmorling]

I thought that's the beauty of having this config stuff, so it's auto-generated?

Ah, I didn't know that :) If so, that's much cooler of course.

[alesj]

I thought that's the beauty of having this config stuff, so it's auto-generated?

Ah, I didn't know that :) If so, that's much cooler of course.

Right, @gsmet ?

[gsmet]

I added some comments.

As for the documentation, it will be automatically generated so no need to do anything except having proper Javadoc.

[gsmet]

In Quarkus config, we use a dot to separate sections and a dash to separate words. It's a general comment about the config key of this PR.

[gsmet]

Yes, it should be typed.

[gsmet]

Yeah all these properties should be Duration and we should drop the Seconds part. They will be documented so it's OK.

[alesj]

I just pushed some more work, but it's not done yet ... so no new review yet needed.
Will let you guys know when I think I'm done.

[alesj]

@gunnarmorling @gsmet I changed to typed props, used dash, added ssl test ... please re-review

[gunnarmorling]

@alesj, sorry for the delay. LGTM overall. One minor suggestion inline. And one question on the test: wouldn't the test Kafka be needed to configured accordingly, so to accept SSL connections? Maybe I'm missing something?

[gunnarmorling]

Perhaps clarify the value to be used for Apicurio?

[alesj]

OK, will do.

[alesj]

@gunnarmorling > wouldn't the test Kafka be needed to configured accordingly, so to accept SSL connections? Maybe I'm missing something?

So you're saying I should fix the Kafka tests as well, not just Kafka Streams tests?

[gunnarmorling]

So you're saying I should fix the Kafka tests as well, not just Kafka Streams tests?

No, I meant Kafka Streams tests. But they launch Apache Kafka, whose launch configuration I'd expect to be adjusted so to make use of SSL. Maybe I'm missing something?

[alesj]

But they launch Apache Kafka, whose launch configuration I'd expect to be adjusted so to make use of SSL.

This should be done, otherwise it wouldn't work ...

[alesj]

@gunnarmorling see changes to KafkaTestResource, its properties

[gunnarmorling]

see KafkaTestResource

Got it, yeah, that's what I was looking for. Not sure how I missed it before :) Thanks!

[gunnarmorling]

LGTM; thanks, @alesj!

[gunnarmorling]

Hey @gsmet, it looks good to me; perhaps you might double-check on Quarkus stylistics and merge? Thx!

[PHameete]

Hi, I've just built a test that is representative for our environment which uses the confluent schema registry and sasl plaintext for authentication.

I was able to configure a working example using the sasl and schema registry runtime properties.

I'm not yet able to check if it also works as a native image, because I have trouble building a native image that works with avro and the confluent schema registry.

[gunnarmorling]

Thanks for reporting back; re the issues with native, you wouldn't have to add the registry itself to the native image, this could remain separately. In terms of the actual converters, it'd be interesting to see what problems you encounter. In particular, I'd recommend to check out the serializers from the Apicurio project (which is another schema registry); they are compatible with other registries like Confluent's, too, and I could see us adding support for them by means of flipping the right switches in this extension or maybe the Quarkus Kafka core extension. CC @alesj.

[alesj]

Apicurio registry:

• https://github.com/Apicurio/apicurio-registry

[PHameete]

For the native image i'll open a different issue at some later time. I don't see us switch away from confluent's SR and (de)serializer but I'm very interested in making it work with native.

I'll let you know what issues I run into and perhaps a minimal example to reproduce at a later time (several weeks from now).

[gsmet]

Hi @alesj ! Sorry for the delay, things have been crazy until now and I'm now looking at the backlog.

I rebased your PR and also added 2 commits.

I added one question inline about some weird filtering you did?

I have one big issue though, I'm not sure we pass the config to Kafka Streams appropriately:

2020-04-28 15:38:12,392 WARN  [io.qua.config] (main) Unrecognized configuration key "quarkus.kafka-streams.security.protocol" was provided; it will be ignored
2020-04-28 15:38:13,066 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'sasl.kerberos-ticket-renew-jitter' was supplied but isn't a known config.
2020-04-28 15:38:13,066 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'sasl.login.refresh.buffer.seconds' was supplied but isn't a known config.
2020-04-28 15:38:13,066 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'ssl.endpoint-identification-algorithm' was supplied but isn't a known config.
2020-04-28 15:38:13,066 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'topics' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'bootstrap-servers' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'sasl.login-refresh-buffer' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'schema-registry-key' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'ssl.truststore.type' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'sasl.kerberos.ticket.renew.jitter' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'apicurio.registry.url' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'ssl.truststore.location' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'ssl.truststore.password' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'schema-registry-url' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'application-id' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'some-property' was supplied but isn't a known config.
2020-04-28 15:38:13,067 WARN  [org.apa.kaf.cli.adm.AdminClientConfig] (main) The configuration 'ssl.endpoint.identification.algorithm' was supplied but isn't a known config.

I thought it might be due to one of my commits but I have the same issue when going back to your commit.

The first Quarkus warning is probably just something that needs to be removed or adjusted in the application.properties but all the Kafka errors look weird to me.

Could you check what's going on? I'll be there to get this thing merged into 1.5.

Thanks!

[gsmet]

I don't understand why we need that here?

[alesj]

There is no other (or better / smarter) way to pass-in an empty string.
(that's what I've been told by @dmlloyd )

And in this case you need to have an empty string, to disable this config/setting.

[gsmet]

OK. Can't say I'm excited about it but can't think of a better solution. Or maybe we could use -1 to disable? It's a bit of dark magic but could be documented.

Just a proposal, WDYT?

[alesj]

It's a string ... so setting a number ... hmmm, dunno :-)

[dmlloyd]

There is no other (or better / smarter) way to pass-in an empty string.
(that's what I've been told by @dmlloyd )

No it's not; I definitely never told you that. If you want a string which can be empty, use Optional<String> with orElse(""). If you want an integer which can be empty, use OptionalInt (int has no native empty representation though, so orElse won't help in this case).

And in this case you need to have an empty string, to disable this config/setting.

Then it should be Optional.

[alesj]

but all the Kafka errors look weird to me

This somehow explains this:

• [kafka streams] sasl not configurable #4961 (comment)

What you see there is what we also pass into AdminClient creation -- same props from application.properties.
And AdminClient supports only limited number of those props.
To get rid of this, we would need to separate between admin and non-admin props.
Which is imo an overkill, since in most cases you have same bootstrap servers, security, etc

[gsmet]

@alesj so in a normal setup, you're saying you won't see all those warnings?

OK, that goes beyond my knowledge. @gunnarmorling @cescoffier WDYT of ^

[dmlloyd]

But the optional part looks good now.

[gsmet]

Unfortunately, this won't make it. There's something not working on CI, not sure where it comes from. We have this message going on and on:

INFO: [SocketServer brokerId=1] Failed authentication with /127.0.0.1 (SSL handshake failed)
2020-05-20 12:13:09,466 ERROR [io.qua.kaf.str.run.KafkaStreamsTopologyManager] (pool-1-thread-1) Failed to get topic names from broker: java.util.concurrent.TimeoutException
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:108)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:272)
	at io.quarkus.kafka.streams.runtime.KafkaStreamsTopologyManager.waitForTopicsToBeCreated(KafkaStreamsTopologyManager.java:248)
	at io.quarkus.kafka.streams.runtime.KafkaStreamsTopologyManager.access$200(KafkaStreamsTopologyManager.java:52)
	at io.quarkus.kafka.streams.runtime.KafkaStreamsTopologyManager$1.run(KafkaStreamsTopologyManager.java:217)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.lang.Thread.run(Thread.java:834)
	at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:497)
	at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:193)

2020-05-20 12:13:09,467 WARN  [org.apa.kaf.cli.NetworkClient] (kafka-producer-network-thread | streams-test-pipeline-e2e654d1-5669-4145-9e42-cfec647ffbc0-StreamThread-1-producer) [Producer clientId=streams-test-pipeline-e2e654d1-5669-4145-9e42-cfec647ffbc0-StreamThread-1-producer] Bootstrap broker localhost:19092 (id: -1 rack: null) disconnected
May 20, 2020 12:13:10 PM org.apache.kafka.common.network.Selector pollSelectionKeys
INFO: [SocketServer brokerId=1] Failed authentication with /127.0.0.1 (SSL handshake failed)
May 20, 2020 12:13:10 PM org.apache.kafka.common.network.Selector pollSelectionKeys
INFO: [SocketServer brokerId=1] Failed authentication with /127.0.0.1 (SSL handshake failed)

@rquinio any chance you could have a look at that one and drive that puppy home?

[rquinio]

I've reproduced locally the "SSL handshake failed" issue on graalvm-ce-java11-20.0.0 (but it works fine on openjdk-11.0.5), it seems systematic.

Was the native test passing before the big rebase ?

Btw I think we should put a JUnit timeout on the integration test, since liveness/readiness is not checked externally to shutdown KafkaStreams when something goes wrong, it'll fail faster than waiting for the 65min timeout of the CI.

[rquinio]

We'd really need the ability to configure kafka-streams.* properties at runtime in Quarkus 1.6, because some values can vary between platforms and cannot be known at build time.

Unfortunately I don't know how to investigate the "SSL handshake failed" failure that only occurs in native mode... Other extensions like raw Kafka also have SSL native tests which work fine...

An alternative could be to split the PR (ability to configure at runtime / new SSL config & tests).

[vietk]

Hello

About the SSL handshake failed, I have some findings :
The Kafka cluster being run by the failsafe plugin it's possible to debug the SSL handshake protocol between the integration test run in native mode,

with the command :

mvn -Djavax.net.debug=all test-compile failsafe:integration-test

here's what I am seeing :

javax.net.ssl|ERROR|4C|data-plane-kafka-network-thread-1-ListenerName(CLIENT)-SSL-1|2020-06-17 01:41:20.146 CEST|TransportContext.java:312|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:146)
  	at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
  	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:544)
  	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:441)
  	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:420)
  	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
  	at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:504)
  	at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:363)
  	at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:286)
  	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:174)
  	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
  	at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
  	at kafka.network.Processor.poll(SocketServer.scala:861)
  	at kafka.network.Processor.run(SocketServer.scala:760)
  	at java.base/java.lang.Thread.run(Thread.java:834)}

)
Jun 17, 2020 1:41:20 AM org.apache.kafka.common.network.Selector pollSelectionKeys
INFO: [SocketServer brokerId=1] Failed authentication with /127.0.0.1 (SSL handshake failed)

It seems the SSL layer complains that a non SSL connection is being made upon the the server instance.

Actually looking at the logs of the native compilation we can see the following input :

2020-05-20T11:21:10.6006836Z 11:21:10,595 WARN  [io.qua.config] Unrecognized configuration key "quarkus.kafka-streams.security.protocol" was provided; it will be ignored

Which make me think that the configuration property from the application.properties has been merely ignored, hence the error at runtime.

I will try to continue investigation when I have time

Regards
Kevin

[vietk]

Hello

Finally I think my feeling was good, there's was an issue with the kafka streams settings "security.protocol".
This one was not recorded during the native compilation, being left to the default option which is PLAIN_TEXT when run in native mode.

So the native integration test was failing : the kafka streams application wanted to connect using unsecured channel, hence the SSL handshake failed on the kafka broker.
Also the integration test needed to have enableAllSecurityServices set to true, to be able to run SSL code in the native image.

I made a commit on my fork on top of @alesj contribution => here
The Quarkus-CI also shows that the native test on messaging has been solved => here

The remaining CI issue (native Tests - Data 5) is present in both CIs completion, this pull request and on my fork, so I did not bother with it, it's not linked to the content of this PR.

@gsmet : what do you think? can you cherry-pick my commit in order to solve the issue and make this PR move forward?

Regards

[geoand]

In any case,we'll need this PR rebased onto master to solve the merge conflict

[vietk]

@alesj can you please rebase your PR please and cherry pick the commit from my fork so that we can move forward ?

@geoand: in case the original contributor is not responding to the PR, can't you force a rebase, as @gsmet did previously in this PR and integrate my commit ?

[geoand]

@geoand: in case the original contributor is not responding to the PR, can't you force a rebase, as @gsmet did previously in this PR and integrate my commit ?

If necessary, sure

[alesj]

@vietk @gsmet @geoand I'm fine with whatever you do with my initial PR
Or how you're gonna merge with @vietk 's additional commit, and then rebase.

[vietk]

@geoand : if I may, can you force a rebase on the PR branch ? The merge conflict is easy to solve.

[geoand]

PR updated

[vietk]

Thanks, @geoand.
Last request, but not the least :
I rebased this PR on my fork with the mandatory commit to fix the native tests, the CI is now green on my fork => https://github.com/vietk/quarkus/actions/runs/143549209
Can you please review and cherry-pick the last commit from my fork and push it to @alesj fork ?

[geoand]

@vietk I cherry-picked your commit and pushed it into this PR.

However I don't have much Kafka experience, so I won't be reviewing the PR. I'll leave that to @gunnarmorling :)

[vietk]

@gunnarmorling all checks passed ! Since this PR has already been reviewed and I carried on small changes to make it pass, can you please give a final review ?

[gsmet]

Let's get this in and make progress from there.

[gsmet]

Thanks everyone and sorry it took so much time to get in.

I think a few things still need to be refined but we can do it iteratively.