Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Kafka currently supports two SASL mechanisms out-of-the-box. SASL/GSSAPI enables authentication using Kerberos and SASL/PLAIN enables simple username-password authentication. Support for more mechanisms will provide Kafka users more choice and the option to use the same security infrastructure for different services. Salted Challenge Response Authentication Mechanism (SCRAM) is a family of SASL mechanisms that addresses the security concerns with traditional mechanisms like PLAIN and DIGEST-MD5. The mechanism is defined in RFC 5802 (https://tools.ietf.org/html/rfc5802).

This KIP proposes to add support for SCRAM SASL mechanisms to Kafka clients and brokers:

  • SCRAM-SHA-1 (removed) / SCRAM-SHA-224 (added)
  • SCRAM-SHA-256
  • SCRAM-SHA-384
  • SCRAM-SHA-512

...

Sample configuration for user credentials:

    // SCRAM credentials for user alice: Zookeeper persistence path /config/users/alice
    {
      "version": 1,
      "config": {
        "scram-sha-1" : "s=ejlmaTYxemJtMTF6ZnJvaGhiOWkxYTQ2eQ==,t=QPIPb541liI8JKRwO3X/iei6cQk=,k=ArO8uZvH2PQEh2u30/OcxzkTTwE=,i=4096",   // (removed)
        "scram-sha-512" : "s=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,t=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,k=...,i=4096",   // (added)
        "scram-sha-256" : "s=10ibs0z7xzlu6w5ns0n188sis5,t=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,k=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,i=4096"
      }
    }

...

bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'scram-sha-256=[iterations=4096,password=alice-secret],scram-sha-512=[password=alice-secret]' --entity-type users --entity-name alice

When the above config command is run, the tool generates a random salt for each requested SCRAM mechanism (SCRAM-SHA-256 and SCRAM-SHA-1 (removed) / SCRAM-SHA-512 (added) in the example). The tool then generates the stored key and server key as described in the SCRAM Algorithm Overview, using the same SCRAM message formatter implementation that salts and hashes during SCRAM exchanges.
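As an added example (not code from the KIP or from Kafka's own formatter), the derivation the paragraph describes, in Python: the password and salt go through PBKDF2 to a SaltedPassword, from which the stored key (t) and server key (k) are derived and serialised in the s=,t=,k=,i= form shown above; the verification function shows why the broker needs only those two persisted values, never the password. Function names and the sample salt are assumptions of this example.

```python
import base64
import hashlib
import hmac


def scram_credential(password: str, salt: bytes, iterations: int, hash_name: str = "sha256") -> dict:
    """Server-side SCRAM credential (RFC 5802): persist StoredKey/ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()   # t
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()   # k
    return {"s": salt, "t": stored_key, "k": server_key, "i": iterations}


def format_credential(cred: dict) -> str:
    """Render in the s=,t=,k=,i= form stored under /config/users/<name>."""
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"s={b64(cred['s'])},t={b64(cred['t'])},k={b64(cred['k'])},i={cred['i']}"


def parse_credential(text: str) -> dict:
    """Inverse of format_credential; splitting on the first '=' keeps base64 padding intact."""
    fields = dict(part.split("=", 1) for part in text.split(","))
    return {"s": base64.b64decode(fields["s"]), "t": base64.b64decode(fields["t"]),
            "k": base64.b64decode(fields["k"]), "i": int(fields["i"])}


def client_proof(password: str, cred: dict, auth_message: bytes, hash_name: str = "sha256") -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), cred["s"], cred["i"])
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    signature = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verifies(cred: dict, proof: bytes, auth_message: bytes, hash_name: str = "sha256") -> bool:
    """Broker side: recover ClientKey from the proof and check H(ClientKey) == StoredKey (t)."""
    signature = hmac.new(cred["t"], auth_message, hash_name).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(hash_name, recovered_client_key).digest(), cred["t"])


if __name__ == "__main__":
    # Constructed sample input; kafka-configs.sh draws a fresh random salt per mechanism.
    cred = scram_credential("alice-secret", b"constructed-salt-value", 4096, "sha256")
    print(format_credential(cred))
```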

...

Configs for user-principal 'alice' are scram-sha-1=[s=ejlmaTYxemJtMTF6ZnJvaGhiOWkxYTQ2eQ==,t=QPIPb541liI8JKRwO3X/iei6cQk=,k=ArO8uZvH2PQEh2u30/OcxzkTTwE=,i=4096],scram-sha-256=[s=10ibs0z7xzlu6w5ns0n188sis5,t=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,k=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,i=4096]   (removed)
Configs for user-principal 'alice' are scram-sha-512=[s=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,t=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,k=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,i=4096],scram-sha-256=[s=10ibs0z7xzlu6w5ns0n188sis5,t=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,k=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,i=4096]   (added)

...

bin/kafka-configs.sh --zookeeper localhost:2181 --alter --delete-config 'scram-sha-256,scram-sha-512' --entity-type users --entity-name alice

...