THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
| Code Block | ||
|---|---|---|
| ||
public enum ScramMechanism {
UNKNOWN(0),
HMAC_SHA_256(1),
HMAC_SHA_512(2);
byte type;
private ScramMechanism(byte type) {
this.type = type;
}
}
public class ScramMechanismInfo {
private final ScramMechanism mechanism;
private final int iterations;
private final byte[] salt;
private final byte[] storedKey;
private final byte[] serverKey;
}
public class ScramUserListing {
private final String name;
private final List<ScramMechanismInfo> infos;
}
public class ListScramUsersOptions extends AbstractOptions<ListScramUsersOptions> { }
default ListScramUsersResult listScramUsers() {
return listScramUsers(new ListScramUsersOptions());
}
ListScramUsersResult listScramUsers(ListScramUsersOptions options);
public class ListScramUsersResult {
public KafkaFuture<Map<String, ScramUserListing>> all();
} |
...
| Code Block |
|---|
public class ScramUserDeletion {
private final String user;
}
public class ScramCredential {
private final ScramMechanismInfo info;
private final byte[] salt;
private final Stringbyte[] password;
// There will be one constructor that randomly generates a salt, and one that accepts a pre-defined salt.
}
public class ScramUserAlteration {
private final String user;
private final List<ScramCredential> credentials;
public ScramCredentialAlteration(String user, List<ScramCredential> credentials) {
this.user = user;
this.credentials = credentials;
}
public String user() {
return user;
}
public List<ScramCredential> credentials() {
return credentials;
}
}
public class AlterScramUsersOptions extends AbstractOptions<AlterScramUsersOptions> {}
default AlterScramUsersResult alterScramUsers(List<ScramUserDeletion> deletions,
List<ScramUserAlteration> alterations) {
return alterScramUsers(deletions, alterations, new AlterScramUsersOptions());
}
AlterScramUsersResult alterScramUsers(List<ScramUserDeletion> deletions,
List<ScramUserAlteration> alterations,
AlterScramUsersOptions options);
public class AlterScramCredentialsResult {
public KafkaFuture<Void> all();
public Map<String, KafkaFuture<Void>> results();
} |
...
We will extend the kafka-configs.sh command to so that it is possible to set a SCRAM configuration without using --zookeeper. The command-line syntax will be unchanged, except for the fact that users will now be able to pass --bootstrap-server instead of --zookeeper.
As mentioned earlier, this API does not return secrets. Therefore, the salt, salted password, and so on will not be returned by a kafka-configs.sh --describe operation. The describe operation will return only the presence of the user plus the algorithm and number of iterations used. For example:
| Code Block |
|---|
$ bin/kafka-configs.sh --bootstrap-server localhost:9020 \
--alter \
--entity-type users \
--entity-name alice \
--add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]'
Completed updating config for entity: user-principal 'alice'.
$ bin/kafka-configs.sh --bootstrap-server localhost:9020 --entity-type users --entity-name alice --describe
Configs for user-principal 'alice' are SCRAM-SHA-512=iterations=8192 |
Compatibility, Deprecation, and Migration Plan
...