...

Discussion thread

JIRA

Motivation

KIP-226, which established dynamic broker configuration, specified that this configuration data would be stored in ZooKeeper. It also established an encryption mechanism for secrets such as passwords, so that secret values are not stored in the clear. We would like to have the same level of protection for secret data in KRaft mode, where ZooKeeper is no longer present and the configuration lives in the metadata log.

Overview

This KIP introduces the concept of a metadata encryptor. Each encryptor is identified by a unique 16-byte UUID.

While a node can have any number of encryptors configured, only one encryptor is active at a time. Configuration records that contain secret data (such as passwords) are encrypted using the currently active encryptor; records encrypted earlier under a different encryptor remain readable only as long as that encryptor is still configured.



Public Interfaces

create encryptor record

delete encryptor record

encrypted config record

default encryptor

(how to add new encryptor)
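The following is an added, self-contained model of the Overview above and of the interfaces listed in this section (create encryptor, delete encryptor, encrypted config record, default encryptor, adding a new encryptor). It is illustration written for this page, not code from the KIP or from Apache Kafka, and every name in it (EncryptorRegistry, EncryptedConfigRecord, the method names, and the rule that the active encryptor cannot be deleted) is an assumption. To run with the standard library only, it uses an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM. The point it demonstrates is the caveat a reviewer would raise against the draft: an encrypted record has to carry the 16-byte id of the encryptor that produced it, and an encryptor must not be deleted until every record that references it has been re-encrypted under the active one, otherwise those secrets become unrecoverable.

```python
"""Toy model of encryptor rotation for KRaft config secrets (added example)."""
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptedConfigRecord:
    name: str             # config key, e.g. "ssl.key.password"
    encryptor_id: bytes   # 16-byte id of the encryptor that produced the record
    nonce: bytes
    ciphertext: bytes
    tag: bytes            # MAC over encryptor_id, nonce, name and ciphertext


class EncryptorRegistry:
    """Hypothetical registry: many configured encryptors, exactly one active."""

    def __init__(self) -> None:
        self._keys: dict[bytes, bytes] = {}   # encryptor id -> 32-byte secret
        self._active: bytes | None = None

    def create_encryptor(self, secret: bytes) -> bytes:
        eid = uuid.uuid4().bytes              # 16-byte UUID, as in the KIP
        self._keys[eid] = secret
        if self._active is None:              # first one becomes the default
            self._active = eid
        return eid

    def set_active(self, eid: bytes) -> None:
        if eid not in self._keys:
            raise KeyError("unknown encryptor")
        self._active = eid

    def delete_encryptor(self, eid: bytes) -> None:
        if eid == self._active:               # assumption: active one is protected
            raise ValueError("cannot delete the active encryptor")
        del self._keys[eid]

    @staticmethod
    def _subkeys(secret: bytes) -> tuple[bytes, bytes]:
        # Derive independent encryption and MAC keys from the encryptor secret.
        enc = hmac.new(secret, b"enc", hashlib.sha256).digest()
        mac = hmac.new(secret, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:   # HMAC in counter mode as a PRF stream
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @staticmethod
    def _tag(mac_key: bytes, eid: bytes, nonce: bytes, name: str, ct: bytes) -> bytes:
        return hmac.new(mac_key, eid + nonce + name.encode() + ct, hashlib.sha256).digest()

    def encrypt_config(self, name: str, value: str) -> EncryptedConfigRecord:
        if self._active is None:
            raise RuntimeError("no active encryptor configured")
        eid = self._active
        enc_key, mac_key = self._subkeys(self._keys[eid])
        nonce = os.urandom(16)
        pt = value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(enc_key, nonce, len(pt))))
        return EncryptedConfigRecord(name, eid, nonce, ct, self._tag(mac_key, eid, nonce, name, ct))

    def decrypt_config(self, rec: EncryptedConfigRecord) -> str:
        # Decrypt with the encryptor named in the record, not the active one.
        if rec.encryptor_id not in self._keys:
            raise KeyError("encryptor deleted or unknown; record is unrecoverable")
        enc_key, mac_key = self._subkeys(self._keys[rec.encryptor_id])
        expected = self._tag(mac_key, rec.encryptor_id, rec.nonce, rec.name, rec.ciphertext)
        if not hmac.compare_digest(expected, rec.tag):
            raise ValueError("authentication failed")
        ks = self._keystream(enc_key, rec.nonce, len(rec.ciphertext))
        return bytes(a ^ b for a, b in zip(rec.ciphertext, ks)).decode()

    def reencrypt(self, rec: EncryptedConfigRecord) -> EncryptedConfigRecord:
        """Move a record from an older encryptor onto the active one."""
        return self.encrypt_config(rec.name, self.decrypt_config(rec))


def rotation_demo() -> dict:
    """Walk through create -> encrypt -> add new -> activate -> re-encrypt -> delete."""
    reg = EncryptorRegistry()
    a = reg.create_encryptor(os.urandom(32))                 # default encryptor
    old = reg.encrypt_config("ssl.key.password", "hunter2")  # constructed sample
    b = reg.create_encryptor(os.urandom(32))                 # add a new encryptor
    reg.set_active(b)                                        # make it active
    new = reg.encrypt_config("ssl.keystore.password", "s3cret")
    result = {
        "old_uses_a": old.encryptor_id == a,
        "new_uses_b": new.encryptor_id == b,
        "old_still_readable": reg.decrypt_config(old) == "hunter2",
        "new_readable": reg.decrypt_config(new) == "s3cret",
    }
    rotated = reg.reencrypt(old)       # must happen before a is deleted
    reg.delete_encryptor(a)
    result["rotated_uses_b"] = rotated.encryptor_id == b
    result["rotated_readable"] = reg.decrypt_config(rotated) == "hunter2"
    try:                               # the un-rotated record is now lost
        reg.decrypt_config(old)
        result["stale_record_unrecoverable"] = False
    except KeyError:
        result["stale_record_unrecoverable"] = True
    flipped = bytes([new.ciphertext[0] ^ 1]) + new.ciphertext[1:]
    tampered = EncryptedConfigRecord(new.name, new.encryptor_id, new.nonce, flipped, new.tag)
    try:                               # a modified record fails the tag check
        reg.decrypt_config(tampered)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(rotation_demo())
```

Running it prints a dict in which every entry is True. The two checks worth carrying into the real design are the last ones: a record whose encryptor id no longer resolves cannot be decrypted by anyone, so the delete-encryptor path needs either a reference check or a re-encryption step ahead of it, and the tag binds the encryptor id and config name so a record cannot be silently moved to another key or another config entry.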

Compatibility, Deprecation, and Migration Plan

...