...
bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'scram_sha-256=[password=alice-secret,iterations=4096],scram_sha-1=[password=alice-secret]' --entity-type users --entity-name alice
When the above config command is run, the tool generates a random salt for each requested SCRAM mechanism (SCRAM-SHA-256 and SCRAM-SHA-1 in the example). The tool then derives the stored key and the server key as described in SCRAM Algorithm Overview, using the same SCRAM message formatter implementation that is used to salt and hash during SCRAM exchanges:
SaltedPassword := Hi(Normalize(password), salt, i)
ClientKey := HMAC(SaltedPassword, "Client Key")
StoredKey := H(ClientKey)
ServerKey := HMAC(SaltedPassword, "Server Key")
Here Hi is the PBKDF2 function defined in RFC 5802 (HMAC with the mechanism's hash as the PRF), H is the mechanism's hash function, and i is the iteration count, which defaults to 4096. The actual password "alice-secret" is not stored in Zookeeper and is not known to Zookeeper or Kafka brokers; only the salt, iteration count, stored key and server key are persisted. These hashed properties stored in Zookeeper can be retrieved using the --describe option of kafka-configs.sh. For example:
bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type users --entity-name alice
Configs for user-principal 'alice' are scram-sha1=[s=ejlmaTYxemJtMTF6ZnJvaGhiOWkxYTQ2eQ==,t=QPIPb541liI8JKRwO3X/iei6cQk=,k=ArO8uZvH2PQEh2u30/OcxzkTTwE=,i=4096],scram-sha-256=[s=10ibs0z7xzlu6w5ns0n188sis5,t=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,k=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,i=4096]
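The following is an added worked example, not Kafka's ScramFormatter or any code from this KIP. It derives the four values the tool stores (salt, StoredKey, ServerKey, iteration count) from a password using the formulas above, then runs the verification step of a SCRAM-SHA-256 exchange on the broker side using only those stored values, to show that the stored properties are sufficient to authenticate a client without the broker ever holding the password. Assumptions: Hi is implemented with Python's standard pbkdf2_hmac, Normalize is plain UTF-8 encoding (SASLprep is omitted), the salt length and the s/t/k/i dictionary keys mirror the --describe output above but are this example's own choice, and the nonces and AuthMessage are constructed for illustration.

```python
"""Added example: SCRAM credential derivation and broker-side verification.

Not Kafka's own ScramFormatter. Hi() = PBKDF2-HMAC (RFC 5802 section 2.2),
H = SHA-256, Normalize = UTF-8 encoding (SASLprep omitted as a simplification).
The s/t/k/i field names and 16-byte salt are this example's assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

HASH = "sha256"
DIGEST_LEN = hashlib.new(HASH).digest_size


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from RFC 5802: PBKDF2 with HMAC as PRF, dkLen = H output size."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, dklen=DIGEST_LEN)


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def derive_credential(password: str, salt: bytes, iterations: int = 4096) -> Dict[str, object]:
    """What the config tool persists: salt, StoredKey, ServerKey, iteration count.
    SaltedPassword and ClientKey are intermediate values and are NOT stored."""
    salted = hi(password.encode("utf-8"), salt, iterations)      # SaltedPassword
    client_key = hmac_(salted, b"Client Key")                      # ClientKey
    return {
        "s": base64.b64encode(salt).decode(),
        "t": base64.b64encode(h(client_key)).decode(),             # StoredKey = H(ClientKey)
        "k": base64.b64encode(hmac_(salted, b"Server Key")).decode(),  # ServerKey
        "i": iterations,
    }


def client_side(password: str, cred: Dict[str, object], auth_message: bytes) -> Tuple[bytes, bytes]:
    """Client: recompute SaltedPassword from the password plus the server's salt and i,
    then ClientProof = ClientKey XOR ClientSignature (RFC 5802 section 3).
    Returns (ClientProof, ServerKey) so the client can later check the server signature."""
    salted = hi(password.encode("utf-8"), base64.b64decode(cred["s"]), int(cred["i"]))
    client_key = hmac_(salted, b"Client Key")
    client_sig = hmac_(h(client_key), auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return proof, hmac_(salted, b"Server Key")


def server_verify(cred: Dict[str, object], auth_message: bytes, client_proof: bytes) -> Optional[bytes]:
    """Broker: only StoredKey and ServerKey are available, never the password.
    Recover ClientKey = ClientProof XOR ClientSignature and check H(ClientKey) == StoredKey.
    Returns ServerSignature on success, None on failure."""
    stored_key = base64.b64decode(cred["t"])
    server_key = base64.b64decode(cred["k"])
    client_sig = hmac_(stored_key, auth_message)
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    if len(client_proof) != DIGEST_LEN or not hmac.compare_digest(h(client_key), stored_key):
        return None
    return hmac_(server_key, auth_message)


def demo(password: str = "alice-secret", iterations: int = 4096) -> bool:
    """Full round trip: store credential, authenticate, verify server signature."""
    salt = secrets.token_bytes(16)                      # tool picks a random salt per mechanism
    cred = derive_credential(password, salt, iterations)
    # Constructed nonces and AuthMessage layout per RFC 5802 (illustrative values only).
    cnonce, snonce = b"clientnonce", b"servernonce"
    client_first_bare = b"n=alice,r=" + cnonce
    server_first = b"r=" + cnonce + snonce + b",s=" + str(cred["s"]).encode() + b",i=" + str(cred["i"]).encode()
    client_final_bare = b"c=biws,r=" + cnonce + snonce   # "biws" = base64("n,,")
    auth_message = b",".join([client_first_bare, server_first, client_final_bare])
    proof, client_server_key = client_side(password, cred, auth_message)
    server_sig = server_verify(cred, auth_message, proof)
    return server_sig is not None and hmac.compare_digest(server_sig, hmac_(client_server_key, auth_message))


if __name__ == "__main__":
    print("authenticated:", demo())
```

The broker-side check never needs the password, which is the property the text describes. The caveat a practitioner should keep in mind: the stored values are still sensitive. Anyone who can read them from Zookeeper can mount an offline dictionary attack on the password (the salt and iteration count are right there) and can use ServerKey to impersonate a broker, so access to the Zookeeper path holding these credentials must be restricted.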
Credentials can be deleted using the --delete-config option. For example:
bin/kafka-configs.sh --zookeeper localhost:2181 --alter --delete-config 'scram_sha-256,scram_sha-1' --entity-type users --entity-name alice
Compatibility, Deprecation, and Migration Plan
...