Connect and SSL'd Schema Registry, standalone works, distributed does not


Marios Andreopoulos

Dec 1, 2016, 3:17:06 PM12/1/16
to Confluent Platform
Hello,

I am on CP3.1.1. I've setup the Schema Registry with SSL. As funny as it may sound, Connect Standalone works fine with this setup. Connect Distributed fails to post the connectors' schemas to the registry and thus doesn't work.
When I disable SSL on the Registry and adjust Connect (key.converter.schema.registry.url and value.converter.schema.registry.url keys) both versions work correctly.

On Schema Registry's logs I can see that it returns HTTP 200 to the standalone version and HTTP 500 to the distributed.

I probably missed something but can't find it. My configurations are below. The brokers also use SSL and require SSL client auth.

Thanks for looking at this.

Distributed Configuration:

config.storage.topic=connect-configs
group.id=connect-cluster
internal.key.converter=org.apache.kafka.connect.json.JsonConverter
internal.key.converter.schemas.enable=false
internal.value.converter=org.apache.kafka.connect.json.JsonConverter
internal.value.converter.schemas.enable=false
key.converter=io.confluent.connect.avro.AvroConverter
offset.storage.topic=connect-offsets
security.protocol=SSL
status.storage.topic=connect-status
value.converter=io.confluent.connect.avro.AvroConverter
rest.port=8083
ssl.key.password=reducted
ssl.keystore.location=reducted
ssl.keystore.password=reducted
ssl.truststore.location=reducted
ssl.truststore.password=reducted
ssl.protocol=TLS
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS
producer.security.protocol=SSL
producer.ssl.key.password=reducted
producer.ssl.keystore.location=reducted
producer.ssl.keystore.password=reducted
producer.ssl.truststore.location=reducted
producer.ssl.truststore.password=reducted
producer.ssl.protocol=TLS
producer.ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
producer.ssl.keystore.type=JKS
producer.ssl.truststore.type=JKS
consumer.security.protocol=SSL
consumer.ssl.key.password=reducted
consumer.ssl.keystore.location=reducted
consumer.ssl.keystore.password=reducted
consumer.ssl.truststore.location=reducted
consumer.ssl.truststore.password=reducted
consumer.ssl.protocol=TLS
consumer.ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
consumer.ssl.keystore.type=JKS
consumer.ssl.truststore.type=JKS
zookeeper.connect=zk1:2181,zk2:2181,zk3:2181/
bootstrap.servers=SSL://broker1:9093,SSL://broker2:9093,SSL://broker3:9093
key.converter.schema.registry.url=https://registry:8081
value.converter.schema.registry.url=https://registry:8081

Standalone Configuration:

bootstrap.servers=broker1:9093
security.protocol=SSL
key.converter=io.confluent.connect.avro.AvroConverter
key.converter.schema.registry.url=https://registry:8081
value.converter=io.confluent.connect.avro.AvroConverter
value.converter.schema.registry.url=https://registry:8081
internal.key.converter=org.apache.kafka.connect.json.JsonConverter
internal.value.converter=org.apache.kafka.connect.json.JsonConverter
internal.key.converter.schemas.enable=false
internal.value.converter.schemas.enable=false
offset.storage.file.filename=coyote_connect.offset
zookeeper=zk:2181/
rest.port=38081
port=38081
kafka.logs.dir=logs/
producer.security.protocol=SSL
consumer.security.protocol=SSL
ssl.keystore.location=reducted
ssl.keystore.password=changeit
ssl.key.password=reducted
producer.ssl.keystore.location=reducted
producer.ssl.keystore.password=reducted
producer.ssl.key.password=reducted
consumer.ssl.keystore.location=reducted
consumer.ssl.keystore.password=reducted
consumer.ssl.key.password=reducted

Ewen Cheslack-Postava

Dec 1, 2016, 5:39:58 PM12/1/16
to Confluent Platform
This is currently a limitation in schema registry, we have a bug filed for it here: https://github.com/confluentinc/schema-registry/issues/386 The internal requests between instances have not been converted to support SSL yet which is why they would currently fail if you enable SSL in a multi-node cluster.

-Ewen

--
Thanks,
Ewen

Marios Andreopoulos

Dec 1, 2016, 6:08:51 PM12/1/16
to Confluent Platform
Thank you! I added an http listener to the registries and everything works now, whilst connect still uses the https listener.
I searched but missed this github issue.

Thanks again,
Marios.
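As an added example (constructed here, not configuration from the thread or from Confluent), the workaround Marios describes written out as a Schema Registry instance configuration, with the point a reviewer would flag: the extra http listener exists only so registry instances can forward writes to each other, so it carries schema registrations in the clear and should be bound to an address that the other instances reach but clients do not. Hostnames, addresses, ports and file paths are placeholders, and the `inter.instance.protocol` line reflects a setting added in later releases, which is my knowledge rather than something the thread states.

```properties
# Schema Registry, one instance. Constructed example; values are placeholders.
# Two listeners: https for clients (the Connect workers point at this one via
# key/value.converter.schema.registry.url) and a plain http listener, because in
# the release discussed above the instance-to-instance forwarding cannot use SSL.
# 10.0.0.5 stands for this node's internal address; keep the http port reachable
# only from the other registry nodes (host firewall / security group), not from
# the Connect cluster or anything else.
listeners=https://0.0.0.0:8081,http://10.0.0.5:8080

# TLS material for the https listener.
ssl.keystore.location=/etc/schema-registry/registry.keystore.jks
ssl.keystore.password=<redacted>
ssl.key.password=<redacted>
ssl.truststore.location=/etc/schema-registry/registry.truststore.jks
ssl.truststore.password=<redacted>
# Require client certificates on https, matching the brokers' policy in the thread.
ssl.client.auth=true

# Backing Kafka cluster: the brokers use SSL with client auth, as the thread says.
kafkastore.bootstrap.servers=SSL://broker1:9093,SSL://broker2:9093,SSL://broker3:9093
kafkastore.security.protocol=SSL
kafkastore.ssl.keystore.location=/etc/schema-registry/registry.keystore.jks
kafkastore.ssl.keystore.password=<redacted>
kafkastore.ssl.key.password=<redacted>
kafkastore.ssl.truststore.location=/etc/schema-registry/registry.truststore.jks
kafkastore.ssl.truststore.password=<redacted>

# Later releases added a setting that makes the forwarding use https, which
# removes the need for the http listener entirely. Not available in the
# release the thread is about (assumption based on the GitHub issue linked above).
# inter.instance.protocol=https
```

Once the forwarding path is on https, drop the http listener rather than leaving an unauthenticated write path open on the registry.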
