...
- Name:
password.encoder
.secret
Type:Password
- Name:
password.encoder
.old.secret
Type:Password (only used when
password.encoder
.secret
is rotated) - Name:
Type:password.encoder
.keyfactory.algorithmString
Default:PBKDF2WithHmacSHA512
if available, otherwisePBKDF2WithHmacSHA1
(e.g. Java7) - Name:
Type:password.encoder
.cipher.algorithmString
Default:AES/CBC/PKCS5Padding
- Name:
Type: Integer Default:password.encoder
.key.length128
- Name:
Default:
Type: Integerpassword.encoder
.iterations2048
The secret will not be dynamically configurable and hence will never be stored in ZooKeeper. All the dynamic password configs are per-broker configs and hence there is no requirement to maintain the same secret across all brokers. To change password.encoder
.secret
, each broker must be restarted with an updated server.properties that contains the new secret in the config password.encoder
.secret
as well as all current dynamically configured passwords for that broker. Updates to passwords from then on will use the new secretthe old secret in the config password.encoder
.old.secret
. The broker will decode all passwords in ZooKeeper using password.encoder
.old.secret
and update the values in ZooKeeper after re-encoding using password.encoder
.secret.
The config
will be used only if the passwords in ZooKeeper are encoded using the old value and will be ignored otherwise.password.encoder
.old.secret
Broker configuration in ZooKeeper will be protected using ACLs and will no longer be world-readable by default. It is expected that secure deployments of Kafka will also use network segmentation to limit ZooKeeper access.
...