...

Sample configuration for user credentials

// SCRAM credentials for user alice: Zookeeper persistence path /config/users/alice
{
  "version":1,
  "config": {
    "scram-sha-512" : "salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096",
    "scram-sha-256" : "salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096"
  }
}

For each supported mechanism, a new property is added with the mechanism name in lower case. The value of the property is a comma-separated list of key-value pairs, similar to the attributes in SCRAM messages, with the following elements:

  • salt=<Salt>
  • stored_key=<StoredKey> (base64)
  • server_key=<ServerKey> (base64)
  • iterations=<Iterations>

Only StoredKey and ServerKey are persisted, never the password or SaltedPassword, so a broker can verify clients without being able to recover the password. As RFC 5802 (Section 9) notes, an attacker who obtains these values and either observes one successful exchange or impersonates the server can then impersonate that user, so the Zookeeper path must still be protected from unauthorised reads.

Tools

kafka-configs.sh will be extended to support management of credentials in Zookeeper as dynamic properties of users. Four new properties will be supported for entity type users, one for each mechanism, named after the mechanism in lower case. For ease of use, the tool takes a password and an optional iteration count, generates a random salt, and derives ServerKey and StoredKey as specified in RFC 5802; the password itself is not stored. For example:

...

Configs for user-principal 'alice' are scram-sha-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],scram-sha-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]
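The derivation behind the values above, as an added example that is not part of the KIP or of Kafka's code: it implements the RFC 5802 key derivation the tool performs, a parser for the salt/stored_key/server_key/iterations value described earlier, and the server-side proof check that shows why StoredKey and ServerKey are all the broker needs. It is written in Python rather than the project's Java; the 16-byte salt, the function names and the AUTH_MESSAGE string are this example's own assumptions and constructed inputs, while SAMPLE_SHA512 is the scram-sha-512 value for alice copied from the tool output above.

```python
import base64
import hashlib
import hmac
import os

# Added example (not Kafka's code): RFC 5802 key derivation behind the stored
# credential, a parser for the property value, and the server-side check that
# needs only StoredKey and ServerKey, never the password.

# Digest behind each mechanism name as it appears in the Zookeeper property.
MECHANISMS = {"scram-sha-256": "sha256", "scram-sha-512": "sha512"}

# The scram-sha-512 value printed for user 'alice' by kafka-configs.sh above.
SAMPLE_SHA512 = (
    "salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,"
    "stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,"
    "server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,"
    "iterations=4096"
)

# Constructed AuthMessage (client-first-bare, server-first, client-final-without-proof);
# in a real exchange both sides build it from the messages they actually sent.
AUTH_MESSAGE = (b"n=alice,r=clientnonce,"
                b"r=clientnonceservernonce,s=c2FsdA==,i=4096,"
                b"c=biws,r=clientnonceservernonce")


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(mechanism, password, salt, iterations):
    """RFC 5802 section 3: returns (ClientKey, StoredKey, ServerKey)."""
    h = MECHANISMS[mechanism]
    # Hi() from RFC 5802 is PBKDF2 with HMAC-<hash> and a single output block.
    salted = hashlib.pbkdf2_hmac(h, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    stored_key = hashlib.new(h, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", h).digest()
    return client_key, stored_key, server_key


def generate_credential(mechanism, password, iterations=4096, salt=None):
    """Produce the 'salt=...,stored_key=...,server_key=...,iterations=N' value.
    A 16-byte random salt is this example's assumption, not the tool's format."""
    if salt is None:
        salt = os.urandom(16)
    _, stored_key, server_key = derive_keys(mechanism, password, salt, iterations)
    return ",".join(["salt=" + _b64(salt), "stored_key=" + _b64(stored_key),
                     "server_key=" + _b64(server_key), "iterations=%d" % iterations])


def parse_credential(value):
    """Parse the stored value; base64 contains '=', so split each field on its first '=' only."""
    fields = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if not sep or not key:
            raise ValueError("malformed credential field: %r" % item)
        fields[key] = val
    missing = {"salt", "stored_key", "server_key", "iterations"} - set(fields)
    if missing:
        raise ValueError("credential is missing fields: %s" % sorted(missing))
    return {"salt": base64.b64decode(fields["salt"]),
            "stored_key": base64.b64decode(fields["stored_key"]),
            "server_key": base64.b64decode(fields["server_key"]),
            "iterations": int(fields["iterations"])}


def client_proof(mechanism, password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_keys(mechanism, password, salt, iterations)
    client_signature = hmac.new(stored_key, auth_message, MECHANISMS[mechanism]).digest()
    return _xor(client_key, client_signature)


def server_verify(mechanism, credential, auth_message, proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the ServerSignature for the client to verify, or None if the proof is wrong."""
    h = MECHANISMS[mechanism]
    cred = parse_credential(credential)
    client_signature = hmac.new(cred["stored_key"], auth_message, h).digest()
    client_key = _xor(proof, client_signature)
    if not hmac.compare_digest(hashlib.new(h, client_key).digest(), cred["stored_key"]):
        return None
    return hmac.new(cred["server_key"], auth_message, h).digest()


def authenticate(mechanism, password, credential, auth_message=AUTH_MESSAGE):
    """One client/server round against a stored credential; True on success."""
    cred = parse_credential(credential)
    proof = client_proof(mechanism, password, cred["salt"], cred["iterations"], auth_message)
    return server_verify(mechanism, credential, auth_message, proof) is not None


if __name__ == "__main__":
    stored = generate_credential("scram-sha-512", "alice-secret")
    print(stored)
    print("correct password:", authenticate("scram-sha-512", "alice-secret", stored))
    print("wrong password:", authenticate("scram-sha-512", "not-alice", stored))
```

Running the script prints a freshly generated scram-sha-512 value in the same layout as the tool output, then True for the right password and False for a wrong one. The server never touches the password: it recovers ClientKey from the proof with StoredKey alone, which is exactly why the stored values must be guarded as described above.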

Credentials can be deleted using the --delete option. For example:

...