...
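/**
 * SCRAM mechanisms known to this client, each tagged with the one-byte code
 * used to identify it in requests and responses. {@link #UNKNOWN} is the
 * fallback for a code this version does not define.
 *
 * NOTE(review): the constant names say HMAC, but the CLI and the SASL
 * mechanism names on this page are SCRAM-SHA-256 / SCRAM-SHA-512; consider
 * SCRAM_SHA_256 / SCRAM_SHA_512 so the two vocabularies match.
 */
public enum ScramMechanism {
    // The original passed int literals (0, 1, 2) to a byte parameter, which
    // does not compile: Java allows no implicit narrowing in a method call.
    UNKNOWN((byte) 0),
    HMAC_SHA_256((byte) 1),
    HMAC_SHA_512((byte) 2);

    /** One-byte wire code. Package-private as in the original sketch, now final. */
    final byte type;

    ScramMechanism(byte type) {
        this.type = type;
    }

    /**
     * @return the one-byte code identifying this mechanism
     */
    public byte type() {
        return type;
    }

    /**
     * Maps a wire code back to a mechanism.
     *
     * @param type the code read from a request or response
     * @return the mechanism carrying that code, or {@link #UNKNOWN} if none does
     */
    public static ScramMechanism fromType(byte type) {
        for (ScramMechanism mechanism : values()) {
            if (mechanism.type == type) {
                return mechanism;
            }
        }
        return UNKNOWN;
    }
}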
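/**
 * SCRAM credential details for one mechanism of one user, as carried by
 * {@link ScramUserListing}.
 *
 * NOTE(review): storedKey and serverKey are not harmless metadata. Under
 * SCRAM (RFC 5802) an attacker who holds StoredKey and observes one
 * successful exchange can impersonate the client, and ServerKey lets them
 * impersonate the server. The page states that the list/describe API returns
 * no secrets, so these two fields (and the salt) should not be part of the
 * listing result; they are kept here only because the alteration types on
 * this page reuse this class, and may be null when not exposed. Confirm
 * before the API is finalized.
 */
public class ScramMechanismInfo {
    private final ScramMechanism mechanism;
    private final int iterations;
    private final byte[] salt;
    private final byte[] storedKey;
    private final byte[] serverKey;

    /**
     * @param mechanism  the SCRAM mechanism; must not be null
     * @param iterations the iteration count of the SCRAM Hi()/PBKDF2 step; must be positive
     * @param salt       per-credential salt, or null when not exposed
     * @param storedKey  SCRAM StoredKey, or null when not exposed
     * @param serverKey  SCRAM ServerKey, or null when not exposed
     * @throws NullPointerException     if mechanism is null
     * @throws IllegalArgumentException if iterations is not positive
     */
    public ScramMechanismInfo(ScramMechanism mechanism, int iterations, byte[] salt, byte[] storedKey, byte[] serverKey) {
        if (mechanism == null) {
            throw new NullPointerException("mechanism");
        }
        if (iterations <= 0) {
            throw new IllegalArgumentException("iterations must be positive, got " + iterations);
        }
        this.mechanism = mechanism;
        this.iterations = iterations;
        // Defensive copies: byte[] is mutable and this is key material.
        this.salt = copyOrNull(salt);
        this.storedKey = copyOrNull(storedKey);
        this.serverKey = copyOrNull(serverKey);
    }

    public ScramMechanism mechanism() {
        return mechanism;
    }

    public int iterations() {
        return iterations;
    }

    /** @return a copy of the salt, or null when not exposed */
    public byte[] salt() {
        return copyOrNull(salt);
    }

    /** @return a copy of the StoredKey, or null when not exposed */
    public byte[] storedKey() {
        return copyOrNull(storedKey);
    }

    /** @return a copy of the ServerKey, or null when not exposed */
    public byte[] serverKey() {
        return copyOrNull(serverKey);
    }

    // Null-tolerant copy so callers can never alias the internal arrays.
    private static byte[] copyOrNull(byte[] bytes) {
        return bytes == null ? null : bytes.clone();
    }
}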
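/**
 * One entry of the listScramUsers() result: a user name and the SCRAM
 * credential details recorded for each of that user's mechanisms.
 */
public class ScramUserListing {
    private final String name;
    private final List<ScramMechanismInfo> infos;

    /**
     * @param name  the user principal name; must not be null
     * @param infos one entry per mechanism; may be empty, must not be null.
     *              The list is copied, so later changes by the caller are not seen.
     * @throws NullPointerException if either argument is null
     */
    public ScramUserListing(String name, List<ScramMechanismInfo> infos) {
        if (name == null) {
            throw new NullPointerException("name");
        }
        if (infos == null) {
            throw new NullPointerException("infos");
        }
        this.name = name;
        // Fully qualified to avoid depending on imports not visible on this page.
        this.infos = java.util.Collections.unmodifiableList(new java.util.ArrayList<>(infos));
    }

    public String name() {
        return name;
    }

    /** @return an unmodifiable view of the per-mechanism entries */
    public List<ScramMechanismInfo> infos() {
        return infos;
    }
}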
/**
 * Options for Admin#listScramUsers(ListScramUsersOptions).
 * Adds nothing beyond what AbstractOptions already provides.
 */
public class ListScramUsersOptions extends AbstractOptions<ListScramUsersOptions> {
}
/**
 * Lists SCRAM users using default options.
 *
 * @return the result; see ListScramUsersResult#all()
 */
default ListScramUsersResult listScramUsers() {
    ListScramUsersOptions defaults = new ListScramUsersOptions();
    return listScramUsers(defaults);
}
/**
 * Lists SCRAM users together with the mechanism and iteration count of each
 * credential. Per the describe note below, no secret material (salt, salted
 * password, keys) is returned.
 *
 * @param options the request options
 * @return a result whose all() future completes with the listings, keyed by
 *         a String that is presumably the user name
 */
ListScramUsersResult listScramUsers(ListScramUsersOptions options);
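/**
 * Result of Admin#listScramUsers. Wraps the single future so the class can
 * gain accessors later without changing the Admin signature.
 *
 * The original sketch declared all() with no body inside a concrete class,
 * which does not compile; the future is now injected by the constructor.
 */
public class ListScramUsersResult {
    private final KafkaFuture<Map<String, ScramUserListing>> future;

    /**
     * @param future the future the client completes with the listings; must not be null
     * @throws NullPointerException if future is null
     */
    ListScramUsersResult(KafkaFuture<Map<String, ScramUserListing>> future) {
        if (future == null) {
            throw new NullPointerException("future");
        }
        this.future = future;
    }

    /**
     * @return a future that completes with every listed user, keyed by a
     *         String that is presumably the user name
     */
    public KafkaFuture<Map<String, ScramUserListing>> all() {
        return future;
    }
}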
...
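/** Request to remove the SCRAM credentials of one user. */
public class ScramUserDeletion {
    private final String user;

    /**
     * @param user the user principal name; must not be null
     * @throws NullPointerException if user is null
     */
    public ScramUserDeletion(String user) {
        if (user == null) {
            throw new NullPointerException("user");
        }
        this.user = user;
    }

    public String user() {
        return user;
    }
}

/**
 * One SCRAM credential to set for a user: the mechanism/iteration details, a
 * salt and the password bytes. Used only in the alteration direction; nothing
 * here is returned by the list/describe API.
 *
 * NOTE(review): {@code info} already carries a salt (and stored/server keys),
 * so the salt field here duplicates it and the page does not say which wins.
 * A lighter type holding just mechanism and iterations would avoid that.
 */
public class ScramCredential {
    /** Salt size used by the salt-generating constructor. TODO confirm the intended length. */
    static final int DEFAULT_SALT_BYTES = 16;

    private final ScramMechanismInfo info;
    private final byte[] salt;
    // The original had the type garbled as "Stringbyte[]"; byte[] is used so the
    // caller can overwrite its own copy after the call, which a String cannot offer.
    private final byte[] password;

    /**
     * Creates a credential with a freshly generated random salt.
     * The salt comes from SecureRandom: a predictable salt would let an attacker
     * precompute the derived keys for candidate passwords.
     *
     * @param info     mechanism and iteration details; must not be null
     * @param password the password bytes; must not be null, copied defensively
     * @throws NullPointerException if any argument is null
     */
    public ScramCredential(ScramMechanismInfo info, byte[] password) {
        this(info, randomSalt(), password);
    }

    /**
     * Creates a credential with a caller-supplied salt.
     *
     * @param info     mechanism and iteration details; must not be null
     * @param salt     the salt bytes; must not be null, copied defensively
     * @param password the password bytes; must not be null, copied defensively
     * @throws NullPointerException if any argument is null
     */
    public ScramCredential(ScramMechanismInfo info, byte[] salt, byte[] password) {
        if (info == null) {
            throw new NullPointerException("info");
        }
        if (salt == null) {
            throw new NullPointerException("salt");
        }
        if (password == null) {
            throw new NullPointerException("password");
        }
        this.info = info;
        this.salt = salt.clone();
        this.password = password.clone();
    }

    // Fully qualified to avoid depending on imports not visible on this page.
    private static byte[] randomSalt() {
        byte[] salt = new byte[DEFAULT_SALT_BYTES];
        new java.security.SecureRandom().nextBytes(salt);
        return salt;
    }

    public ScramMechanismInfo info() {
        return info;
    }

    /** @return a copy of the salt bytes */
    public byte[] salt() {
        return salt.clone();
    }

    /** @return a copy of the password bytes; this object keeps its own copy */
    public byte[] password() {
        return password.clone();
    }
}

/** Request to set the given SCRAM credentials for one user. */
public class ScramUserAlteration {
    private final String user;
    private final List<ScramCredential> credentials;

    /**
     * The original declared this as ScramCredentialAlteration(...), which is
     * not a constructor of this class and does not compile.
     *
     * @param user        the user principal name; must not be null
     * @param credentials the credentials to set; must not be null, copied defensively
     * @throws NullPointerException if either argument is null
     */
    public ScramUserAlteration(String user, List<ScramCredential> credentials) {
        if (user == null) {
            throw new NullPointerException("user");
        }
        if (credentials == null) {
            throw new NullPointerException("credentials");
        }
        this.user = user;
        // Fully qualified to avoid depending on imports not visible on this page.
        this.credentials = java.util.Collections.unmodifiableList(new java.util.ArrayList<>(credentials));
    }

    public String user() {
        return user;
    }

    /** @return an unmodifiable view of the credentials to set */
    public List<ScramCredential> credentials() {
        return credentials;
    }
}

/**
 * Options for Admin#alterScramUsers. Adds nothing beyond what AbstractOptions
 * already provides.
 */
public class AlterScramUsersOptions extends AbstractOptions<AlterScramUsersOptions> {
}

/**
 * Deletes and alters SCRAM users using default options.
 *
 * @see #alterScramUsers(List, List, AlterScramUsersOptions)
 */
default AlterScramUsersResult alterScramUsers(List<ScramUserDeletion> deletions, List<ScramUserAlteration> alterations) {
    return alterScramUsers(deletions, alterations, new AlterScramUsersOptions());
}

/**
 * Deletes and alters SCRAM users in one request.
 *
 * Whether the client derives the SCRAM keys locally or sends the password
 * itself is not specified on this page; either way the request carries
 * credential material, so it should only be issued over an authenticated and
 * encrypted listener (e.g. SASL_SSL), never PLAINTEXT.
 *
 * @param deletions   users whose credentials are removed
 * @param alterations users whose credentials are set
 * @param options     the request options
 * @return the result; see AlterScramUsersResult#all() and #results()
 */
AlterScramUsersResult alterScramUsers(List<ScramUserDeletion> deletions, List<ScramUserAlteration> alterations, AlterScramUsersOptions options);

/**
 * Result of Admin#alterScramUsers.
 *
 * The original named this class AlterScramCredentialsResult while both
 * alterScramUsers signatures return AlterScramUsersResult; it is renamed here
 * to match the signatures. all() and results() also had no bodies inside a
 * concrete class, which does not compile; both futures are now injected.
 */
public class AlterScramUsersResult {
    private final KafkaFuture<Void> all;
    private final Map<String, KafkaFuture<Void>> results;

    /**
     * @param all     future completed once the whole request is done; must not be null
     * @param results per-entry futures, keyed by a String that is presumably the user name;
     *                must not be null, copied defensively
     * @throws NullPointerException if either argument is null
     */
    AlterScramUsersResult(KafkaFuture<Void> all, Map<String, KafkaFuture<Void>> results) {
        if (all == null) {
            throw new NullPointerException("all");
        }
        if (results == null) {
            throw new NullPointerException("results");
        }
        this.all = all;
        // Fully qualified to avoid depending on imports not visible on this page.
        this.results = java.util.Collections.unmodifiableMap(new java.util.HashMap<>(results));
    }

    /** @return a future for the request as a whole */
    public KafkaFuture<Void> all() {
        return all;
    }

    /** @return an unmodifiable view of the per-entry futures */
    public Map<String, KafkaFuture<Void>> results() {
        return results;
    }
}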
...
We will extend the kafka-configs.sh command so that a SCRAM configuration can be set without using --zookeeper. The command-line syntax is unchanged, except that users will be able to pass --bootstrap-server instead of --zookeeper. Because the credential change then travels over an ordinary client connection to the broker, it should be sent over an authenticated, encrypted listener.
As mentioned earlier, this API does not return secrets: the salt, salted password, stored key and server key are never returned by a kafka-configs.sh --describe operation. Describe reports only that the user exists, together with the SCRAM mechanism and iteration count of each credential. (The Java listing types above should follow the same rule; as sketched, ScramMechanismInfo still carries salt, storedKey and serverKey, which are secret material under RFC 5802 and should not be part of a listing result.) For example:
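# Add two SCRAM credentials for alice via the broker (no --zookeeper needed).
# NOTE: the password is passed on the command line, so it ends up in shell
# history and is visible to other local users through the process list while
# the tool runs. For anything beyond a demo, keep the command out of history
# and prefer supplying the config from a file if the tool offers that.
$ bin/kafka-configs.sh --bootstrap-server localhost:9020 \
    --alter \
    --entity-type users \
    --entity-name alice \
    --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]'
Completed updating config for entity: user-principal 'alice'.

# Describe returns only the mechanism and iteration count, never salt or keys.
# Both mechanisms added above are listed. The original example showed only
# SCRAM-SHA-512 with 8192 iterations, which contradicts the --alter line:
# 8192 was given for SCRAM-SHA-256, while SCRAM-SHA-512 gets the default
# (4096 in Kafka -- confirm for the build in use).
$ bin/kafka-configs.sh --bootstrap-server localhost:9020 --entity-type users --entity-name alice --describe
Configs for user-principal 'alice' are SCRAM-SHA-256=iterations=8192,SCRAM-SHA-512=iterations=4096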
Compatibility, Deprecation, and Migration Plan
...