...

Current state: "Under Discussion"

Discussion thread: here

JIRA: KAFKA-3751

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

Kafka currently supports two SASL mechanisms out of the box: SASL/GSSAPI enables authentication using Kerberos, and SASL/PLAIN enables simple username/password authentication. Support for more mechanisms gives Kafka users more choice and the option to use the same security infrastructure for different services. Salted Challenge Response Authentication Mechanism (SCRAM) is a family of SASL mechanisms that addresses the security weaknesses of older mechanisms such as PLAIN, which transmits the password itself, and DIGEST-MD5, which depends on MD5. The mechanism is defined in RFC 5802 (https://tools.ietf.org/html/rfc5802).

This KIP proposes to add support for two new SCRAM SASL mechanisms to Kafka clients and brokers:

  • SCRAM-SHA-1

...

  • SCRAM-SHA-224
  • SCRAM-SHA-256

...

  • SCRAM-SHA-384
  • SCRAM-SHA-512

Public Interfaces

No public interface changes or new configuration options are required for this KIP.

...

The implementation included in Kafka will store user credentials in Zookeeper as dynamically configurable properties. For each SCRAM mechanism that is enabled, the stored credential consists of a randomly generated salt, the iteration count, and the two values derived from the salted password that the server needs, StoredKey and ServerKey, as defined in RFC 5802; neither the password nor the SaltedPassword is stored. These are stored as properties for each user under /config/users/<user>. On their own these values are not sufficient to impersonate a client, because a client proof requires ClientKey and the server holds only its hash, StoredKey. They do, however, permit an offline dictionary or brute-force attack on the password, which a strong cryptographic hash function and a high iteration count only slow down, and RFC 5802 (section 9) notes that an attacker who obtains them and either eavesdrops on a single authentication exchange or impersonates the server using ServerKey recovers ClientKey and can then impersonate that user to every server holding the same credential. In installations where Zookeeper is not secured, an alternative SASL server implementation that keeps the credentials in a protected store may therefore be used instead. Zookeeper is a suitable store for short-lived credentials like delegation tokens.

...

The static initializer of the SCRAM login module installs the SASL/SCRAM server and client implementations as security providers for the supported SCRAM mechanisms. The module obtains the username and password for client connections from the JAAS configuration options “username” and “password” and sets them as the public and private credentials of the Subject respectively.

...

Sample configuration for user credentials. Each enabled mechanism is one property whose value lists s=<salt>, t=<StoredKey>, k=<ServerKey> and i=<iteration count>, with the keys base64-encoded:

// SCRAM credentials for user alice: Zookeeper persistence path /config/users/alice
{
        "version":1,
        "config": {
          "scram-sha-1" : "s=ejlmaTYxemJtMTF6ZnJvaGhiOWkxYTQ2eQ==,t=QPIPb541liI8JKRwO3X/iei6cQk=,k=ArO8uZvH2PQEh2u30/OcxzkTTwE=,i=4096",
          "scram-sha-256" : "s=10ibs0z7xzlu6w5ns0n188sis5,k=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,t=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,i=4096"
        }
}

Tools

kafka-configs.sh will be extended to support management of credentials in Zookeeper as dynamic properties of users. For ease of use, the tool will take a password and an optional iteration count and generate a random salt, ServerKey and StoredKey as specified in RFC 5802, so that the plaintext password never needs to be written to Zookeeper. For example:

bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'scram_password=alice-secret,scram_iteration=4096,scram_mechanism=SCRAM-SHA-1,scram_mechanism=SCRAM-SHA-256' --entity-type users --entity-name alice
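As an added example that is not Kafka's own code, the following Python covers both the stored credential format described above and the derivation kafka-configs.sh would perform: it computes a SCRAM-SHA-256 record in the s=,t=,k=,i= form from a password and iteration count, runs the RFC 5802 exchange against a server that holds only that record, and shows the RFC 5802 section 9 consequence of the record leaking from an unprotected Zookeeper, namely that one captured exchange yields ClientKey, which is enough to authenticate as that user without the password. The message layouts follow RFC 5802; the function names, the fixed channel-binding header "biws" (no channel binding), the nonce length, the sample username and password, and the assumption that usernames contain no "," or "=" characters are this example's own choices.

```python
# Added example (not Kafka code): SCRAM-SHA-256 credentials in the
# "s=<salt>,t=<StoredKey>,k=<ServerKey>,i=<iterations>" record format, the
# RFC 5802 exchange checked by a server that holds only that record, and what
# a leaked record plus one captured exchange gives an attacker (RFC 5802 s.9).
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "sha256"       # SCRAM-SHA-256; "sha1" gives SCRAM-SHA-1 (assumption)
NONCE_LEN = 18        # bytes of randomness per side, before base64 (assumption)
GS2_HEADER = "biws"   # base64("n,,"): no channel binding, no authzid

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def h(data: bytes) -> bytes:
    return hashlib.new(ALGO, data).digest()

def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, ALGO).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fields(msg: str) -> dict:
    # attr=value pairs; split on the first '=' only, since base64 may end in '='
    return dict(kv.split("=", 1) for kv in msg.split(","))

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF and dkLen = hash length
    return hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)

def make_credential(password: str, iterations: int = 4096,
                    salt: Optional[bytes] = None) -> str:
    """What the proposed kafka-configs.sh derives from a password: a random salt,
    StoredKey and ServerKey (RFC 5802 section 3). The password is not stored."""
    salt = os.urandom(16) if salt is None else salt
    sp = salted_password(password, salt, iterations)
    client_key = hmac_(sp, b"Client Key")
    return (f"s={b64(salt)},t={b64(h(client_key))},"
            f"k={b64(hmac_(sp, b'Server Key'))},i={iterations}")

def parse_credential(record: str) -> dict:
    f = fields(record)
    return {"salt": base64.b64decode(f["s"]), "stored_key": base64.b64decode(f["t"]),
            "server_key": base64.b64decode(f["k"]), "iterations": int(f["i"])}

# --- wire messages (RFC 5802 section 5); nonces are injectable for testing ---
def client_first(user: str, nonce: Optional[bytes] = None) -> str:
    # client-first-message-bare (the "n,," GS2 header is not part of AuthMessage)
    return f"n={user},r={b64(nonce or os.urandom(NONCE_LEN))}"

def server_first(record: str, client_first_bare: str, nonce: Optional[bytes] = None) -> str:
    cred = parse_credential(record)
    combined = fields(client_first_bare)["r"] + b64(nonce or os.urandom(NONCE_LEN))
    return f"r={combined},s={b64(cred['salt'])},i={cred['iterations']}"

def auth_message(client_first_bare: str, server_first_msg: str) -> bytes:
    without_proof = f"c={GS2_HEADER},r={fields(server_first_msg)['r']}"
    return f"{client_first_bare},{server_first_msg},{without_proof}".encode()

def client_final_from_key(client_key: bytes, client_first_bare: str, server_first_msg: str) -> str:
    # Only ClientKey is needed to build a valid proof, not the password itself.
    am = auth_message(client_first_bare, server_first_msg)
    proof = xor(client_key, hmac_(h(client_key), am))        # ClientKey XOR ClientSignature
    return f"c={GS2_HEADER},r={fields(server_first_msg)['r']},p={b64(proof)}"

def client_final(password: str, client_first_bare: str, server_first_msg: str) -> str:
    f = fields(server_first_msg)
    sp = salted_password(password, base64.b64decode(f["s"]), int(f["i"]))
    return client_final_from_key(hmac_(sp, b"Client Key"), client_first_bare, server_first_msg)

def client_key_from_transcript(record: str, client_first_bare: str,
                               server_first_msg: str, client_final_msg: str) -> bytes:
    """ClientProof XOR HMAC(StoredKey, AuthMessage) = ClientKey. The server computes this
    to verify; an attacker holding the Zookeeper record and one captured exchange can too."""
    stored_key = parse_credential(record)["stored_key"]
    proof = base64.b64decode(fields(client_final_msg)["p"])
    return xor(proof, hmac_(stored_key, auth_message(client_first_bare, server_first_msg)))

def server_verify(record: str, client_first_bare: str,
                  server_first_msg: str, client_final_msg: str) -> Optional[str]:
    """Return server-final 'v=<ServerSignature>' if the proof checks, else None."""
    cred = parse_credential(record)
    if fields(client_final_msg)["r"] != fields(server_first_msg)["r"]:
        return None                                           # nonce mismatch or replay
    client_key = client_key_from_transcript(record, client_first_bare, server_first_msg, client_final_msg)
    if not hmac.compare_digest(h(client_key), cred["stored_key"]):
        return None                                           # wrong password or forged proof
    return f"v={b64(hmac_(cred['server_key'], auth_message(client_first_bare, server_first_msg)))}"

def client_verify(password: str, client_first_bare: str, server_first_msg: str, server_final: str) -> bool:
    """Client side: the server must prove it holds ServerKey, so a fake broker is detected."""
    f = fields(server_first_msg)
    sp = salted_password(password, base64.b64decode(f["s"]), int(f["i"]))
    expected = hmac_(hmac_(sp, b"Server Key"), auth_message(client_first_bare, server_first_msg))
    return hmac.compare_digest(base64.b64decode(fields(server_final)["v"]), expected)
```

Running a full exchange with the record produced by make_credential and then calling client_final_from_key with the ClientKey recovered by client_key_from_transcript demonstrates the section 9 point in one place: the broker accepts the forged proof on a fresh exchange, while a replay of an old client-final is rejected because the proof is bound to both nonces.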

...