From bf4fb28b5bb71dcee470110e86800adc81af8451 Mon Sep 17 00:00:00 2001 From: Roman Zabaluev Date: Thu, 2 Sep 2021 12:22:41 +0300 Subject: [PATCH] JMX SSL and auth (#818) * Secured JMX WIP * Make credentials nullability more obvious Add example keys/certs * Add required jmxSsl option * Update README.md --- README.md | 3 + docker/jmx/clientkeystore | Bin 0 -> 2605 bytes docker/jmx/clienttruststore | Bin 0 -> 1186 bytes docker/jmx/jmxremote.access | 1 + docker/jmx/jmxremote.password | 1 + docker/jmx/serverkeystore | Bin 0 -> 2605 bytes docker/jmx/servertruststore | Bin 0 -> 1186 bytes docker/kafka-ui-jmx-secured.yml | 136 ++++++++++++++++++ docker/kafka-ui-zookeeper-ssl.yml | 1 - kafka-ui-api/Dockerfile | 5 +- .../kafka/ui/config/ClustersProperties.java | 3 + .../com/provectus/kafka/ui/config/Config.java | 6 +- .../kafka/ui/model/JmxConnectionInfo.java | 26 ++++ .../kafka/ui/model/KafkaCluster.java | 3 + .../kafka/ui/service/KafkaService.java | 3 +- .../kafka/ui/util/JmxClusterUtil.java | 21 ++- .../kafka/ui/util/JmxPoolFactory.java | 22 ++- 17 files changed, 215 insertions(+), 16 deletions(-) create mode 100755 docker/jmx/clientkeystore create mode 100755 docker/jmx/clienttruststore create mode 100755 docker/jmx/jmxremote.access create mode 100755 docker/jmx/jmxremote.password create mode 100755 docker/jmx/serverkeystore create mode 100755 docker/jmx/servertruststore create mode 100644 docker/kafka-ui-jmx-secured.yml create mode 100644 kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/JmxConnectionInfo.java diff --git a/README.md b/README.md index b24ad772f3..46a6de8703 100644 --- a/README.md +++ b/README.md @@ -179,3 +179,6 @@ For example, if you want to use an environment variable to set the `name` parame |`LOGGING_LEVEL_ROOT` | Setting log level (all, debug, info, warn, error, fatal, off). Default: debug |`LOGGING_LEVEL_COM_PROVECTUS` |Setting log level (all, debug, info, warn, error, fatal, off). Default: debug |`SERVER_PORT` |Port for the embedded server. Default `8080` +|`KAFKA_CLUSTERS_0_JMXSSL` |Enable SSL for JMX? `true` or `false`. For advanced setup see `kafka-ui-jmx-secured.yml` +|`KAFKA_CLUSTERS_0_JMXUSERNAME` |Username for JMX authentication +|`KAFKA_CLUSTERS_0_JMXPASSWORD` |Password for JMX authentication diff --git a/docker/jmx/clientkeystore b/docker/jmx/clientkeystore new file mode 100755 index 0000000000000000000000000000000000000000..866c5b73d941bd4197334614a60f21ca78e29302 GIT binary patch literal 2605 zcmY+EXE+;*8pneKiJ(Rs>(n}Gme@59F=7)zdr(>l6=Kz>niUnR)Tr94#4154ElR0c z<-}^Os!D5Dq_t_e?tSh(_udch^M9V-|9#(&KR5v*&B(w6CxEHUU>Twbai5)mg`tE1 zo&XZSlr#JeP5}A+Uj@1WB!HaH@U^qCV`lsJ6%@k2SV90E!wJBBxHL25KltpqAdvUx zb#S)6;>uW`t9)X1Ujr*175ttontoITYMoNI5NdScOhCC4>8I3I0^ zTGj|ptAB(pC~`7gBPsrRXv$C>&;`)qFU#j7ErNc=ieBcmL%^U}^$i`QqcTz+$+m$g zykAXmEW|Uwr=BpcndgLGMZ$6{2)KuL_=pJmfAz)mb*#386~0^@zb^gk1>*U!TiP4 z^N>W?V}$v$L`!HaR}zAe!Oln|aNWOFzwW4Lp8W1zufDy&%*@;c=%JBYyasK|0@Xe% zS$m=)`-zZZ{`dqov3+gRcvpLAR9TRIhbDA(Yc7Cb}*mvX#N-_3| zBKKyU2C4|^Ssa_w8nSIV1>P4%mKj2JeGE4fj zK;Fn?!{m=ghsdZzW=}V3oqTC zKBw-&Ily9X{yr>EXwOV4vPFE7!(012iLxelhi})c=BKvdeSy9WlcE9Q^z3Cv=YWeI zP#$@(!r+eWBpk6~^PRQHLq5!ua{v}K5AZBV#II>#-JgICwOhvK`Pp6whUrpXDZt7! zSiJ7~t^6|SjrJAM1h!E8?|)>4{g8BQR7M)Sac+8B$o1-LgP7d$W8Q;v>Em+dp12tG zdU9!5O~q}$Dot$-5~J=f_OV(xNog?<{yix;ckz=vuQLiaNt2rUk#tTo1(*1J28X`1 zIrrf+IO#o}_Mk*kIFH5u#?WWBxoPOA(F`E?fVqzfVC%5AihSGh!Sj2;{ft#bP#JQq3vsqFZ{wgIu*h#*> zakIiiDluuMa`_81zqeiGMb_6E`55+Xp}zzVrLo3aF#;l2@fcaN4nfk=O&zg6DLu1Fk$h$5m5jr z|5>bUsIhB+*0f!~x0tnlkyDdubiG@ti+11I*Sj^~tkrC===>C0-NVwc#m%R^Qf&e> zl-rmY%EjP%xU+8r87<_stvkGzhR#C!vcAMRjU0=&n`2U`@G!s9Wf~$o_=fL$9Ytff z=-;XY^D6RQcmNLI4)6s80ld%h?*FcwSL6k9+u?lNMHJPP;mUAzMHN+b4aGBs z+Wq~9h55{?MrTN$kpXZPn*VJW{?D__|MaXvq!oeQFh|PBB#>IqT@WKzhZX+Iv-b!< zfLkTj!p}wZh5OWRvujz;)yh$h(6aQnS7T!Z`LlcG3_%q+ZY~$eJ2MqujOxPM;sdDT z(@sIuWS){0i7I7$b={_q)sE?uGJ5XH@5Is~_j&n(c)p`@1({|qR@U(7D00K~=|`4& z;=p5M|55$cj{$dk{`JChfe)2b@+=$%z2Upj$?f`-*0fM_F;ww;c`0~pRG6T6oQyb| zE<1Ztt!H%CtTkK^bIHT2AJ0|w`FXW^qVyug#!e8eC*GEF=&`yQk-sRTR~JI>rwb_>bJt&3+A z45nGQV`s8tU5Qywnx-l?wpG7|#^XoCkZU?&s0P?G18ipw6o>noDIkHh(6Ufl!Mh?F zz>wf8nd_6xBm2KhyaYenU?_>F%xiZ#`;~oc3isn9RT+%k?0tMOrgGuE?^Ey1a{wN` zFik8_P78dR^}6`rnjgqJd3M2Oh~RDah1z%NUE)P+Jq<)*rt2B%MR? zX>hN}LL7&qCQV=8N=F)&ohWo6wyZa@Iozh%b)uJRk3-%UyPKhjOswbq>xHXOaOz7< zEC{I+U%*O;*w4{AfYhwh@uzkr^0BOoN~(sPDjJ1Kd5?|RWbp6yVeN}`<5jBHEm_K# zcddJ)681_8g%uZ+lq6xkU1D2elZzO`v3(1=2leGsCq~#qC)+zH#6i?%lx<;HEG)*Y z?%aT+!UDadE;8qXbXSGavg_%ORm(pWosSx=^rp5R4-36%E%Y(Nd*-yi#SS;FF!?x; z-*QkX^BXT8^=hTA^i=kN!&R4-Q)GV!w)hUsybHd1s%_l9{iE%6KW}M-PqDVU%Wu!p zY7Jg?mnL1fN|~$_4xsdt7#eIbv2 z))&*d+*A7`u3^3j5%0-6D(Ux|7$4IQkExNd+k&1OcR2A^B+PnJ899nPtu7@8JWx*v z3sq>K8EuaIsW56a9KPCxbXHq1rB`q}2WJo2-uh-J>WV$!FX;e2L8WtzwygR9eY4#=+vt2Y4iUj2jMobUtrr#hiy=XynrmJ_4!#wNIamNq&)X}p{xlM#D_lO zlhD%~*ia?n6pm}&eYBSWY~*>t?T%3lKUi`LbVcE_`P?v>%J%UH*p0!Zh=Dm`5_B@Y z5Y31e8jyCfGT76bU0e6>ZneE4__)CyTz+#sHhgD@OFC_hpSZTU>|6AX{H60o-(miL)u(;)eoi8&`gjJBM zc37(pTQ(qGM`M&l>5vDPzZ-K}x*efIrJqd7LA}-F)a;u>U|rVLJ#c4!_{|btvx0AE zH{8;A{9>>N@DYxfj;iR;o5Qn-Txg%7vS3+XaGk#e!RqdE(k)ykOIk19dDzXmxlvv$ zR*PEAn6PqDtQkhBjrKw{oJoMOuvsBmjN8^xHgdiyQu%;BDA*yjXYwo}EXA7XcpBJ3 zRvb{!Us1r}ktr+=>x$V3CzTJ*ntO=ij?>wL;EGYU0?aYFaDWg1WktPP3*%TI=^U}_ zB4-%rXiq@k=t~(jO4^}Ki8!y&&qHdDM)&N$-|DkQO6YBxFiB^34nUmM$%_Kx8DSNl zNW%KLcVB;6N!}k+i-p`KYe_WU5j{B-TPQYEVsBJ z$FlvQ$MT28+2w<%?PWje;L6FnI;-4*YuJ!;9!Afn0;Voq&*ZOnoMXV7IBh-7#5aLv zZExs)$WD%BZ6P8=|M%`!%E8+&|4wVgS<^Sdwsp0+aMIUt+EsnS@j|G;XEw`On# zgfNnoQ-8`cmqU&jDnhMc)})3(ng0G_z&H2aO|BxehhlTmV`uxW_sqBn__)$HYyFuI z7~B@H;%iNerqr&c@J_zFt&>Yu)gLS`gm3UAhgU z(EcO42Zmz~{71y>0md=A9NA7sV-Gp@pD%VcAc%ki@4;~3EtnjH?Z5U>`AIMzEA3Z@ z1d+6;K*X%hyN+E`S9$jv!~~$&fN|jWDqUBSl29)AOT+7l^zhm8Qx#4jpv97fbzR;= zd;WWOcm`X)h_4scZp0v;9okUUgt7H9!}WPje4Tf79dG!PB$C|k?=80i`!dRnhm<7{ zb}{GkcVew~`BK!|=uPd--6MMPkeAWfL2VeG$BH|Kd6u03*3y^=w_ejMwda>Jf|3|c z28Rffe1A?Aw=zfYlNg7vha)20@8;!KKWdemF3XNdu)H{_On<{US}LgV<5NVKgsf;f zZOgA`A@l=(>PpZ&<9ox!I=bOU+(|T-wDJ7_Km0y2T2QJAJoqH@?S4l`%vW|U4AVY; z8mV`W$XQ%>%78iTBK+$uBw~*>eO6X0dCgxH^^upX_9e?X&VLe$~7Hg23=~D7MfoCzcZ}NLh z6&Zdpp~859i?;zI>Xm^v^5!cLx}$h&*^R?NRiycMX`YmY=-8Q#$3I{z_vaDz|+zWigo%<6z z2^cxiH3sLGD*OJu&VduiCZ8DT4A&BuQqCF&k@Bb!6eE>>Wx&mqK?PwM#)6qbyL&-1}I5mPxYVQq!bfHsEr; z`%1)cVD)kBM}g}$(s3`%g?OB_xb}_A1bdnbgj>AnpqwnKcVoKQ9k8Z{QFTsxwHt5T zjwt&IDfP57D5q2U@b+=)n~J1T#=zaN?h5^v zsJ0D(Y19s}5rwPIS zw!Jt@bZhe_#keWhDb(1w_1aW!TfwgS%#>yAt(#JfCU#};C3n~s^LsMo*{pI_Fp};_ zxlkbaFivqz?>oPYpK5%@naNli-7Bt<1YeD=!)=T13DrGC^@FYV#oxtHRwi;^WAY!U zUW7^fjY=q=DxWA1AQa#Y2mwU=rRXEY{Qn8RDj%4~-p}7#T=kq9Obw<9(>|*K(>_9| z{og$-kRz&^9$AJUAmC`}{4W9igR_u-b5`VC3Wj5>{)`<(r)6ZXp=p4i(fb!?<8WZW z4bxuyaX|*_e^lxRv#+;LteE$bwtp z#O;}<>m1?_E)d1*P)38D^HoqvR-v;5G$Zk{9_5O4q5i(cu*^rN*~wvG9r~qg}az}awjUPB@PN}e$pGi43!sk9>Up^ zO$AN`36YCD-CRNz3qeASLDXX^9OIWWqArArQ~;rcA%ZZDVpbm0YOyxob?!^u`f(h! z`QB76v@7ptgq;~WH8eZMLNzyuO**w>({RK2dFoalJ0KNlD1%06-Aa?+AqF=kvkeJ( zX5So;H7^i zh=kP~hl=(AGe1i>KgIm6J-@A(wqm;jy=8nA>RzJ~S~0LWV|m^)=XY$sjxnRYUYQzg z@7TQkPVeiX{`*&xg-`+Myakeh_luLkiO$Y>kWHz z9wF)&+z>^^PH5(jr-EhZWZqBIL(OVQCgpL#0C=gu$kp6guzZ-xDo|e~mI{wAR}xXR z9*Yef;?-IfH(V_;dF=YyzF~%Rk%oEZ%l+$ZxgK*c$vg@*?mBbP1=Fj8G~FCmY@okv zZu0h9O)L*PQ~x=!5`{hJvlerppPfA&O6ImJ5U}8)>{DJ`8gaY2rl5F_GG~gt-hWC7 zZ}bSx!NfNNtl39l&yfRB{Hu+CObgD2_zY|}woB5T_cyqr!qld+?S5_ghvegYVi-ME zcnpGlCJ~tlIDP$~OGL`Q<8FRlNV03hY?1yX`)#{ZO z;-GXC4W)hAzlzuHpq=P6ucy*ooqv^KZ@yTzv`L}AN$<4^tiu(|;c6i2bH2$!VS1WQ zteN@Yr3^ee?gLjq&g)uJK|wv~D^ZAg;XePy4~~rf>orn8%v!!I==qlm8s^Xa4M(fYUMPtmW5d17RjFp2;`S4 zEDf@>(~+wurJUg*2e0$~)mAD+rUG99Le9R&B9s0fV?A2NT6_2G|2rQln^3c1uPJSr zN4wo?#Qmed2QckBW6|nD>Sr%LLo}aBWv%HTdwJ>u|C zl?N`~X*=_vo4HwD3;+I5StkwC*@$O!c~gByvO=&yvy0JEJlD-fN?)lZu&vwfF*I~0 z@<|x`1)Y#dTmP~U`Til!)BBbQ#WE+I>{D!tnej-b$Gbj=OAL@S+?ns~GUxDa6oRW1 z0}}wrieW~)CqdweaEuZuc&yseYY9cki<5!_D)zsGx5D-O7$`F%V;4rJNvZCR@pu;X zLupN*&ksvw0l+d4l@`b23G=iV0piOZHI<~Qd3-l{92o9|n0B|e!l}^L_W#@o8sPa@ zQ#5*leeYi^YVxJpH?Hb96><4ml-OZ-rNpJw{;HFE!=(UOs#<&jC;VNhmM&!ucymzDFg) zfKJtX$+123Nv40N^_!bfrXvrPnykmW3*{Q%U| zX&Pv#OjSUJHJ$+i_vmwO`fS7}(G;fA{c6^So&bEGV!%HojW9kiAutIB1uG5%0vZJX z1QZRaAkIu#9EgM;#Xj%I1oV*(5QhX57<#BYqR`<(m`s&{y}};oJLZKj0s{etpn4K9 A!2kdN literal 0 HcmV?d00001 diff --git a/docker/kafka-ui-jmx-secured.yml b/docker/kafka-ui-jmx-secured.yml new file mode 100644 index 0000000000..0e0fac941c --- /dev/null +++ b/docker/kafka-ui-jmx-secured.yml @@ -0,0 +1,136 @@ +--- +version: '2' +services: + + kafka-ui: + container_name: kafka-ui + image: provectuslabs/kafka-ui:latest + ports: + - 8080:8080 + - 5005:5005 + depends_on: + - zookeeper0 + - kafka0 + - schemaregistry0 + - kafka-connect0 + environment: + KAFKA_CLUSTERS_0_NAME: local + KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka0:29092 + KAFKA_CLUSTERS_0_ZOOKEEPER: zookeeper0:2181 + KAFKA_CLUSTERS_0_SCHEMAREGISTRY: http://schemaregistry0:8085 + KAFKA_CLUSTERS_0_KAFKACONNECT_0_NAME: first + KAFKA_CLUSTERS_0_KAFKACONNECT_0_ADDRESS: http://kafka-connect0:8083 + KAFKA_CLUSTERS_0_JMXPORT: 9997 + KAFKA_CLUSTERS_0_JMXSSL: 'true' + KAFKA_CLUSTERS_0_JMXUSERNAME: root + KAFKA_CLUSTERS_0_JMXPASSWORD: password + JAVA_OPTS: >- + -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 + -Djavax.net.ssl.trustStore=/jmx/clienttruststore + -Djavax.net.ssl.trustStorePassword=12345678 + -Djavax.net.ssl.keyStore=/jmx/clientkeystore + -Djavax.net.ssl.keyStorePassword=12345678 + volumes: + - ./jmx/clienttruststore:/jmx/clienttruststore + - ./jmx/clientkeystore:/jmx/clientkeystore + + zookeeper0: + image: confluentinc/cp-zookeeper:5.2.4 + environment: + ZOOKEEPER_CLIENT_PORT: 2181 + ZOOKEEPER_TICK_TIME: 2000 + ports: + - 2181:2181 + + kafka0: + image: confluentinc/cp-kafka:5.3.1 + depends_on: + - zookeeper0 + ports: + - 9092:9092 + - 9997:9997 + environment: + KAFKA_BROKER_ID: 1 + KAFKA_ZOOKEEPER_CONNECT: zookeeper0:2181 + KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka0:29092,PLAINTEXT_HOST://localhost:9092 + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT + KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT + KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 + JMX_PORT: 9997 + # CHMOD 700 FOR JMXREMOTE.* FILES + KAFKA_JMX_OPTS: >- + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.ssl=true + -Dcom.sun.management.jmxremote.registry.ssl=true + -Dcom.sun.management.jmxremote.ssl.need.client.auth=true + -Djavax.net.ssl.keyStore=/jmx/serverkeystore + -Djavax.net.ssl.keyStorePassword=12345678 + -Djavax.net.ssl.trustStore=/jmx/servertruststore + -Djavax.net.ssl.trustStorePassword=12345678 + -Dcom.sun.management.jmxremote.password.file=/jmx/jmxremote.password + -Dcom.sun.management.jmxremote.access.file=/jmx/jmxremote.access + -Dcom.sun.management.jmxremote.rmi.port=9997 + -Djava.rmi.server.hostname=kafka0 + -Djava.rmi.server.logCalls=true +# -Djavax.net.debug=ssl:handshake + volumes: + - ./jmx/serverkeystore:/jmx/serverkeystore + - ./jmx/servertruststore:/jmx/servertruststore + - ./jmx/jmxremote.password:/jmx/jmxremote.password + - ./jmx/jmxremote.access:/jmx/jmxremote.access + + schemaregistry0: + image: confluentinc/cp-schema-registry:5.2.4 + ports: + - 8085:8085 + depends_on: + - zookeeper0 + - kafka0 + environment: + SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka0:29092 + SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper0:2181 + SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: PLAINTEXT + SCHEMA_REGISTRY_HOST_NAME: schemaregistry0 + SCHEMA_REGISTRY_LISTENERS: http://schemaregistry0:8085 + + SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "http" + SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO + SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas + + kafka-connect0: + image: confluentinc/cp-kafka-connect:5.2.4 + ports: + - 8083:8083 + depends_on: + - kafka0 + - schemaregistry0 + environment: + CONNECT_BOOTSTRAP_SERVERS: kafka0:29092 + CONNECT_GROUP_ID: compose-connect-group + CONNECT_CONFIG_STORAGE_TOPIC: _connect_configs + CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 1 + CONNECT_OFFSET_STORAGE_TOPIC: _connect_offset + CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 1 + CONNECT_STATUS_STORAGE_TOPIC: _connect_status + CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1 + CONNECT_KEY_CONVERTER: org.apache.kafka.connect.storage.StringConverter + CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_URL: http://schemaregistry0:8085 + CONNECT_VALUE_CONVERTER: org.apache.kafka.connect.storage.StringConverter + CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL: http://schemaregistry0:8085 + CONNECT_INTERNAL_KEY_CONVERTER: org.apache.kafka.connect.json.JsonConverter + CONNECT_INTERNAL_VALUE_CONVERTER: org.apache.kafka.connect.json.JsonConverter + CONNECT_REST_ADVERTISED_HOST_NAME: kafka-connect0 + CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components" + + kafka-init-topics: + image: confluentinc/cp-kafka:5.2.4 + volumes: + - ./message.json:/data/message.json + depends_on: + - kafka0 + command: "bash -c 'echo Waiting for Kafka to be ready... && \ + cub kafka-ready -b kafka0:29092 1 30 && \ + kafka-topics --create --topic second.users --partitions 3 --replication-factor 1 --if-not-exists --zookeeper zookeeper0:2181 && \ + kafka-topics --create --topic first.messages --partitions 2 --replication-factor 1 --if-not-exists --zookeeper zookeeper0:2181 && \ + kafka-console-producer --broker-list kafka0:29092 -topic second.users < /data/message.json'" diff --git a/docker/kafka-ui-zookeeper-ssl.yml b/docker/kafka-ui-zookeeper-ssl.yml index 0ae5381b64..b47056817c 100644 --- a/docker/kafka-ui-zookeeper-ssl.yml +++ b/docker/kafka-ui-zookeeper-ssl.yml @@ -7,7 +7,6 @@ services: image: provectuslabs/kafka-ui:latest ports: - 8080:8080 - - 5005:5005 volumes: - /tmp/kafka/secrets/kafka.kafka1.keystore.jks:/etc/kafka/secrets/kafka.zookeeper.keystore.jks - /tmp/kafka/secrets/kafka.zookeeper.truststore.jks:/etc/kafka/secrets/kafka.zookeeper.truststore.jks diff --git a/kafka-ui-api/Dockerfile b/kafka-ui-api/Dockerfile index 15cb59717a..aa70b4be95 100644 --- a/kafka-ui-api/Dockerfile +++ b/kafka-ui-api/Dockerfile @@ -3,5 +3,8 @@ VOLUME /tmp ARG JAR_FILE COPY "/target/${JAR_FILE}" "/kafka-ui-api.jar" +ENV JAVA_OPTS= + EXPOSE 8080 -CMD java -jar kafka-ui-api.jar \ No newline at end of file + +CMD java $JAVA_OPTS -jar kafka-ui-api.jar \ No newline at end of file diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/ClustersProperties.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/ClustersProperties.java index ef0fdd66f7..cab60a256e 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/ClustersProperties.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/ClustersProperties.java @@ -28,6 +28,9 @@ public class ClustersProperties { String protobufMessageName; List kafkaConnect; int jmxPort; + boolean jmxSsl; + String jmxUsername; + String jmxPassword; Properties properties; boolean readOnly = false; boolean disableLogDirsCollection = false; diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/Config.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/Config.java index 11b987fa6d..a0aea18512 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/Config.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/Config.java @@ -1,5 +1,6 @@ package com.provectus.kafka.ui.config; +import com.provectus.kafka.ui.model.JmxConnectionInfo; import com.provectus.kafka.ui.util.JmxPoolFactory; import javax.management.remote.JMXConnector; import org.apache.commons.pool2.KeyedObjectPool; @@ -14,9 +15,8 @@ import org.springframework.web.reactive.function.client.WebClient; public class Config { @Bean - public KeyedObjectPool pool() { - GenericKeyedObjectPool pool = - new GenericKeyedObjectPool<>(new JmxPoolFactory()); + public KeyedObjectPool pool() { + var pool = new GenericKeyedObjectPool<>(new JmxPoolFactory()); pool.setConfig(poolConfig()); return pool; } diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/JmxConnectionInfo.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/JmxConnectionInfo.java new file mode 100644 index 0000000000..de80b25be3 --- /dev/null +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/JmxConnectionInfo.java @@ -0,0 +1,26 @@ +package com.provectus.kafka.ui.model; + +import lombok.Builder; +import lombok.Data; +import lombok.EqualsAndHashCode; +import lombok.RequiredArgsConstructor; + +@Data +@RequiredArgsConstructor +@Builder +@EqualsAndHashCode(onlyExplicitlyIncluded = true) +public class JmxConnectionInfo { + + @EqualsAndHashCode.Include + private final String url; + private final boolean ssl; + private final String username; + private final String password; + + public JmxConnectionInfo(String url) { + this.url = url; + this.ssl = false; + this.username = null; + this.password = null; + } +} diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/KafkaCluster.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/KafkaCluster.java index 600cb2d636..dce53c0b9b 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/KafkaCluster.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/model/KafkaCluster.java @@ -16,6 +16,9 @@ public class KafkaCluster { private final String name; private final String version; private final Integer jmxPort; + private final boolean jmxSsl; + private final String jmxUsername; + private final String jmxPassword; private final String bootstrapServers; private final String zookeeper; private final InternalSchemaRegistry schemaRegistry; diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/KafkaService.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/KafkaService.java index d888a388a0..42a8b23882 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/KafkaService.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/KafkaService.java @@ -604,7 +604,8 @@ public class KafkaService { return clustersStorage.getClusterByName(clusterName) .filter(c -> c.getJmxPort() != null) .filter(c -> c.getJmxPort() > 0) - .map(c -> jmxClusterUtil.getJmxMetrics(c.getJmxPort(), node.host())) + .map(c -> jmxClusterUtil.getJmxMetrics(node.host(), c.getJmxPort(), c.isJmxSsl(), + c.getJmxUsername(), c.getJmxPassword())) .orElse(Collections.emptyList()); } diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxClusterUtil.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxClusterUtil.java index c50597fd44..2cf3f46b74 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxClusterUtil.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxClusterUtil.java @@ -1,5 +1,6 @@ package com.provectus.kafka.ui.util; +import com.provectus.kafka.ui.model.JmxConnectionInfo; import com.provectus.kafka.ui.model.Metric; import java.math.BigDecimal; import java.util.ArrayList; @@ -20,6 +21,7 @@ import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.apache.commons.pool2.KeyedObjectPool; +import org.jetbrains.annotations.Nullable; import org.springframework.stereotype.Component; @Component @@ -31,14 +33,21 @@ public class JmxClusterUtil { private static final String JMX_SERVICE_TYPE = "jmxrmi"; private static final String KAFKA_SERVER_PARAM = "kafka.server"; private static final String NAME_METRIC_FIELD = "name"; - private final KeyedObjectPool pool; + private final KeyedObjectPool pool; @SneakyThrows - public List getJmxMetrics(int jmxPort, String jmxHost) { - String jmxUrl = JMX_URL + jmxHost + ":" + jmxPort + "/" + JMX_SERVICE_TYPE; + public List getJmxMetrics(String host, int port, boolean jmxSsl, + @Nullable String username, @Nullable String password) { + String jmxUrl = JMX_URL + host + ":" + port + "/" + JMX_SERVICE_TYPE; + final var connectionInfo = JmxConnectionInfo.builder() + .url(jmxUrl) + .ssl(jmxSsl) + .username(username) + .password(password) + .build(); JMXConnector srv; try { - srv = pool.borrowObject(jmxUrl); + srv = pool.borrowObject(connectionInfo); } catch (Exception e) { log.error("Cannot get JMX connector for the pool due to: ", e); return Collections.emptyList(); @@ -59,7 +68,7 @@ public class JmxClusterUtil { metric.setValue(getJmxMetric(jmxMetric.getCanonicalName(), msc)); result.add(metric); } - pool.returnObject(jmxUrl, srv); + pool.returnObject(connectionInfo, srv); } catch (Exception e) { log.error("Cannot get jmxMetricsNames, {}", jmxUrl, e); closeConnectionExceptionally(jmxUrl, srv); @@ -84,7 +93,7 @@ public class JmxClusterUtil { private void closeConnectionExceptionally(String url, JMXConnector srv) { try { - pool.invalidateObject(url, srv); + pool.invalidateObject(new JmxConnectionInfo(url), srv); } catch (Exception e) { log.error("Cannot invalidate object in pool, {}", url); } diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxPoolFactory.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxPoolFactory.java index 19dfc52951..c5e7f91fe8 100644 --- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxPoolFactory.java +++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/util/JmxPoolFactory.java @@ -1,20 +1,34 @@ package com.provectus.kafka.ui.util; +import com.provectus.kafka.ui.model.JmxConnectionInfo; import java.io.IOException; +import java.util.HashMap; +import java.util.Map; import javax.management.remote.JMXConnector; import javax.management.remote.JMXConnectorFactory; import javax.management.remote.JMXServiceURL; +import javax.rmi.ssl.SslRMIClientSocketFactory; import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.StringUtils; import org.apache.commons.pool2.BaseKeyedPooledObjectFactory; import org.apache.commons.pool2.PooledObject; import org.apache.commons.pool2.impl.DefaultPooledObject; @Slf4j -public class JmxPoolFactory extends BaseKeyedPooledObjectFactory { +public class JmxPoolFactory extends BaseKeyedPooledObjectFactory { @Override - public JMXConnector create(String s) throws Exception { - return JMXConnectorFactory.connect(new JMXServiceURL(s)); + public JMXConnector create(JmxConnectionInfo info) throws Exception { + Map env = new HashMap<>(); + if (StringUtils.isNotEmpty(info.getUsername()) && StringUtils.isNotEmpty(info.getPassword())) { + env.put("jmx.remote.credentials", new String[]{info.getUsername(), info.getPassword()}); + } + + if (info.isSsl()) { + env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory()); + } + + return JMXConnectorFactory.connect(new JMXServiceURL(info.getUrl()), env); } @Override @@ -23,7 +37,7 @@ public class JmxPoolFactory extends BaseKeyedPooledObjectFactory p) { + public void destroyObject(JmxConnectionInfo key, PooledObject p) { try { p.getObject().close(); } catch (IOException e) {