...
A new broker configuration will be added to specify a secret key that is used to encrypt passwords stored in ZooKeeper. The SecretKeyFactory
and Cipher
algorithms as well as the iteration count used will be also be made configurable. The actual algorithms, salt and iteration count will be stored along with the encrypted password to ensure that the password can be decrypted even if the encryption parameters are altered (though these configs are not being made dynamic at the moment).
- Name: config
password.encoder
.secret
Type:Password
- Name:
config
Type:password.
secretencoder
.keyfactory.algorithmString
Default:PBKDF2WithHmacSHA512
if available, otherwisePBKDF2WithHmacSHA1
(e.g. Java7) - Name:
config
Type:password.
secretencoder
.cipher.algorithmString
Default:AES/CBC/PKCS5Padding
- Name:
Type: Integer Default:password.encoder
.key.length128
- Name:
Default:config
Type: Integerpassword.
secretencoder
.iterations2048
The secret will not be dynamically configurable and hence will never be stored in ZooKeeper. All the dynamic password configs are per-broker configs and hence there is no requirement to maintain the same secret across all brokers. To change password.encoder
.secret
, each broker must be restarted with an updated server.properties that contains the new secret as well as all current dynamically configured passwords for that broker. Updates to passwords from then on will use the new secret.
Broker configuration in ZooKeeper will be protected using ACLs and will no longer be world-readable by default. It is expected that secure deployments of Kafka will also use network segmentation to limit ZooKeeper access.
...
listeners
advertised.listeners
listener.security.protocol.map
inter.broker.listener.name
security.inter.broker.protocol
sasl.mechanism.inter.broker.protocol
.security.protocol.map
Common security config
principal.builder.class
...
- Configuration updates will not be allowed for the listener used in inter-broker communication. To update This KIP will not allow dynamic updates to inter-broker configs without restarting the broker, a new listener can be created with new configs and the inter-broker listener can be changed to the new listener (similar to the currently documented security upgrade process)security protocol or listener name. Support for changing inter-broker security configuration without a restart will be done in a follow-on KIP along with additional validation to ensure that all brokers have enabled the new config.
Future Work
Message Format and Inter Broker Protocol
...
log.message.format.version
inter.broker.protocol.version
inter.broker.listener.name
security.inter.broker.protocol
sasl.mechanism.inter.broker.protocol
Dynamic update changes:
AdminClient
needs to verify that all brokers in the cluster support the new version before making an update. To enable this, the version of the broker will be added to the JSON registered by each broker during startup at/brokers/ids/id
. To avoid all brokers reading version information from ZooKeeper, the controller should propagate this information inUpdateMetadataRequest.
This requires protocol change. Note also that this approach only allows verification of the version of brokers that are alive at the timeAlterConfigs
is executed.
- Additional validation is required before changing inter-broker listener or security configuration. This should ensure that the client-side and server-side configs match and also that all brokers in the cluster support the new configuration.
Compatibility, Deprecation, and Migration Plan
...