The broker fails on start-up and I can see the following errors:

INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
ERROR ClassNotFoundException exception occurred: io.confluent.kafka.security.config.provider.SecurePassConfigProvider (kafka.server.KafkaConfig)
INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
ERROR ClassNotFoundException exception occurred: io.confluent.kafka.security.config.provider.SecurePassConfigProvider (kafka.server.KafkaConfig)
INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
ERROR ClassNotFoundException exception occurred: io.confluent.kafka.security.config.provider.SecurePassConfigProvider (kafka.server.KafkaConfig)
INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
ERROR ClassNotFoundException exception occurred: io.confluent.kafka.security.config.provider.SecurePassConfigProvider (kafka.server.KafkaConfig)
INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
INFO KafkaConfig values:
----------------------------

I set up a secret for one of the properties (i.e., ssl.truststore.password) in the server.properties file, tried restarting the server, and observed the above error.

Any help would be appreciated. Thanks!!!

---server.properties---
##
ssl.truststore.password = ${securepass:/home/secret/secrets.txt:server.properties/ssl.truststore.password}

config.providers = securepass
config.providers.securepass.class = io.confluent.kafka.security.config.provider.SecurePassConfigProvider

Confluent Community version used - 5.5.2

kuti
  • Are you sure that class exists in version 5.5.2? Did you download any extra security JARs for that class? – OneCricketeer Jan 14 '22 at 16:27
  • The Confluent v5.5.2 documentation mentions the class `io.confluent.kafka.security.config.provider.SecurePassConfigProvider` (ref: https://docs.confluent.io/5.5.2/security/secrets.html#using-prefixes-in-secrets-configurations). So that class should've been available in the package. That's my understanding. – kuti Jan 14 '22 at 17:03

1 Answer

The community edition of Confluent Platform 5.5.2 does not come with this class...

$ find ./confluent-5.5.2 -name 'kafka-client-plugins*.jar'

Download the file here and make sure it is in the Kafka broker classpath, e.g. /usr/share/java/kafka if installed directly to the OS, or the share/java/kafka folder of the Confluent tarball.

https://packages.confluent.io/maven/io/confluent/kafka-client-plugins/5.5.2-ce/kafka-client-plugins-5.5.2-ce.jar

Verified with

$ jar -tf kafka-client-plugins-5.5.2-ce.jar| grep SecurePassConfigProvider
io/confluent/kafka/security/config/provider/SecurePassConfigProvider.class

Overall, if someone has file-system access to your brokers, you have bigger problems, and obscuring the file with a direct reference to another is not "secure".

OneCricketeer
  • Thank you very much. But is it the proper way of using those two config parameters in `server.properties` to encrypt the passwords? – kuti Jan 14 '22 at 19:43
  • Also, this jar is coming from `confluent enterprise`: https://packages.confluent.io/maven/io/confluent/kafka-client-plugins/`5.5.2-ce`/kafka-client-plugins-5.5.2-ce.jar Is it safe to include it in the community version, as I'm not using the enterprise version? – kuti Jan 17 '22 at 14:38
  • `ce` means Community Edition, IIRC. `ccs` is for Confluent/Cloud Server (or enterprise) – OneCricketeer Jan 17 '22 at 14:41
  • Hmm, no, got that backwards. https://docs.confluent.io/platform/current/installation/available_packages.html#platform-packages I mean, you can try it. Typically, the only limitation with the enterprise packages is that they require a licensing topic to be defined, but I don't see that in this plugins documentation – OneCricketeer Jan 17 '22 at 14:44
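
The `jar -tf ... | grep` check from the answer can be generalized into a pre-start check, shown here as an added example that is not part of the original question or answer: it reads the `config.providers` entries from `server.properties`, confirms each provider class is present in some jar in the broker's jar directory, and flags `${name:...}` references to a provider that was never declared. The function names are hypothetical, and it assumes plain `key = value` lines and that `jar_dir` is the directory the broker classpath is built from (e.g. `share/java/kafka`).

```python
import re
import zipfile
from pathlib import Path

# Captures the provider name in a ${name:path:key} reference.
REF = re.compile(r"\$\{([^:}]+):")

def parse_properties(text):
    """Parse simple key = value lines; '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def find_class(jar_dir, class_name):
    """Return the names of jars in jar_dir that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    hits = []
    for jar in sorted(Path(jar_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    hits.append(jar.name)
        except zipfile.BadZipFile:
            continue  # corrupt or truncated jar: cannot supply the class
    return hits

def check_providers(properties_text, jar_dir):
    """List problems that would stop the broker resolving its config providers."""
    props = parse_properties(properties_text)
    declared = [p.strip() for p in props.get("config.providers", "").split(",")
                if p.strip()]
    problems = []
    for name in declared:
        cls = props.get(f"config.providers.{name}.class")
        if not cls:
            problems.append(f"{name}: config.providers.{name}.class is not set")
        elif not find_class(jar_dir, cls):
            # This is the condition behind the ClassNotFoundException above.
            problems.append(f"{name}: {cls} not found in any jar in {jar_dir}")
    for key, value in props.items():
        for ref in REF.findall(value):
            if ref not in declared:
                problems.append(f"{key}: references undeclared provider '{ref}'")
    return problems
```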