Status

Current state: "Accepted"

Discussion thread: here

JIRA: KAFKA-3751

...

Kafka currently supports two SASL mechanisms out-of-the-box. SASL/GSSAPI enables authentication using Kerberos and SASL/PLAIN enables simple username-password authentication. Support for more mechanisms will provide Kafka users more choice and the option to use the same security infrastructure for different services. Salted Challenge Response Authentication Mechanism (SCRAM) is a family of SASL mechanisms that addresses the security concerns with traditional mechanisms like PLAIN and DIGEST-MD5. The mechanism is defined in RFC 5802 (https://tools.ietf.org/html/rfc5802).

This KIP proposes to add support for SCRAM SASL mechanisms to Kafka clients and brokers:

  • SCRAM-SHA-256
  • SCRAM-SHA-512

Public Interfaces

No public interface changes or new configuration options are required for this KIP.

Two new mechanisms may be provided for the client configuration sasl.mechanism and the broker configurations sasl.enabled.mechanisms and sasl.mechanism.inter.broker.protocol. The new mechanism names are SCRAM-SHA-256 and SCRAM-SHA-512. Any combination of SCRAM mechanisms can be enabled in the broker along with existing mechanisms if required.

...

Sample configuration for user credentials:

// SCRAM credentials for user alice: Zookeeper persistence path /config/users/alice
{
  "version": 1,
  "config": {
    "SCRAM-SHA-512": "salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4S...==,server_key=...,iterations=4096",
    "SCRAM-SHA-256": "salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096"
  }
}

For each supported mechanism, a new property is added with the mechanism name in lower case. The value of the property is a comma-separated list of key-value pairs similar to SCRAM messages and has the following elements:

...

kafka-configs.sh will be extended to support management of credentials in Zookeeper as dynamic properties of users. Two new properties will be supported for entity type users, one for each mechanism with the name of the mechanism in lower case. For ease of use, the tool will take a password and an optional iteration count and generate a random salt, ServerKey and StoredKey as specified in RFC 5802. For example:

bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=4096,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice

...

Configs for user-principal 'alice' are SCRAM-SHA-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],SCRAM-SHA-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]
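To make the stored record concrete, here is an added example (written for this page, not Kafka's own ScramFormatter or ScramSaslServer code) that derives a credential in the same salt/stored_key/server_key/iterations format shown above from a password, and then runs the four-message SCRAM-SHA-256 exchange from RFC 5802 that the introduction describes. The point a defender should take from it: the server side verifies the client proof using only StoredKey and proves itself with ServerKey, so the record persisted in Zookeeper never has to contain the password. The function names (make_credential, parse_credential, scram_exchange) and the constructed salt and nonces are assumptions of the example, not identifiers from the KIP.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Example helpers for this page (hypothetical names; not Kafka's ScramFormatter).
HASH = "sha256"                      # swap for "sha512" to get the SCRAM-SHA-512 variant
DIGEST_LEN = hashlib.new(HASH).digest_size

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC over the mechanism's hash."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, DIGEST_LEN)

def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def make_credential(password: str, iterations: int = 4096, salt: Optional[bytes] = None) -> str:
    """Build the broker-side record 'salt=...,stored_key=...,server_key=...,iterations=N'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    salted = hi(password.encode(), salt, iterations)
    client_key = hmac_(salted, b"Client Key")
    stored_key = h(client_key)                    # H(ClientKey): cannot be used to impersonate the client
    server_key = hmac_(salted, b"Server Key")     # lets the server prove it holds the credential
    return f"salt={b64(salt)},stored_key={b64(stored_key)},server_key={b64(server_key)},iterations={iterations}"

def parse_credential(record: str) -> dict:
    """Split the record on commas, then on the first '=' (base64 padding may end a value)."""
    fields = dict(kv.split("=", 1) for kv in record.split(","))
    return {
        "salt": base64.b64decode(fields["salt"]),
        "stored_key": base64.b64decode(fields["stored_key"]),
        "server_key": base64.b64decode(fields["server_key"]),
        "iterations": int(fields["iterations"]),
    }

def scram_exchange(user: str, password: str, record: str) -> bool:
    """Run client-first, server-first, client-final, server-final; the server side sees only `record`."""
    cred = parse_credential(record)
    # client-first-message: GS2 header "n,," plus bare part with a fresh client nonce
    c_nonce = b64(os.urandom(12))
    client_first_bare = f"n={user},r={c_nonce}"
    # server-first-message: server appends its own nonce and returns salt and iteration count
    s_nonce = c_nonce + b64(os.urandom(12))
    server_first = f"r={s_nonce},s={b64(cred['salt'])},i={cred['iterations']}"
    # client parses server-first and checks that its nonce is a prefix of the combined nonce
    sf = dict(kv.split("=", 1) for kv in server_first.split(","))
    if not sf["r"].startswith(c_nonce):
        return False
    salted = hi(password.encode(), base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = hmac_(salted, b"Client Key")
    client_final_without_proof = f"c={b64(b'n,,')},r={sf['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_without_proof}".encode()
    client_sig = hmac_(h(client_key), auth_message)
    proof = xor(client_key, client_sig)           # ClientProof = ClientKey XOR ClientSignature
    client_final = f"{client_final_without_proof},p={b64(proof)}"
    # server verifies the proof from StoredKey alone: recover ClientKey and hash it
    cf = dict(kv.split("=", 1) for kv in client_final.split(","))
    server_auth_message = f"{client_first_bare},{server_first},c={cf['c']},r={cf['r']}".encode()
    recovered_client_key = xor(base64.b64decode(cf["p"]), hmac_(cred["stored_key"], server_auth_message))
    if not hmac.compare_digest(h(recovered_client_key), cred["stored_key"]):
        return False
    # server-final-message: ServerSignature lets the client confirm the server holds the credential
    server_final = f"v={b64(hmac_(cred['server_key'], server_auth_message))}"
    expected = hmac_(hmac_(salted, b"Server Key"), auth_message)
    return hmac.compare_digest(base64.b64decode(server_final[2:]), expected)

if __name__ == "__main__":
    rec = make_credential("alice-secret", 4096, salt=b"constructed-salt")  # constructed sample input
    print(rec)
    print("alice-secret accepted:", scram_exchange("alice", "alice-secret", rec))
    print("wrong password accepted:", scram_exchange("alice", "wrong-secret", rec))
```

A wrong password fails at the StoredKey comparison on the server, and a server that does not hold ServerKey cannot produce a valid server-final message, which is the mutual-authentication property that distinguishes SCRAM from PLAIN.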

...

bin/kafka-configs.sh --zookeeper localhost:2181 --alter --delete-config 'SCRAM-SHA-256,SCRAM-SHA-512' --entity-type users --entity-name alice

...

Some Kafka users may want to replace the Zookeeper-based credential store with an external secure store. It may be useful to make the credential provider in ScramSaslServer pluggable to enable this easily. Since it is possible to plug in new login modules and SaslServer implementations using standard Java security extension mechanisms, this KIP does not propose to make the credential provider a pluggable public interface. A generic solution to configure callback handlers for any mechanism is being addressed in KIP-86.

Support more SCRAM mechanisms

All the hash functions defined in http://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml are available in Java, and we could support SASL/SCRAM for all of them in Java. But some of the mechanisms, like SHA-1, are known to be insecure. To start with, it was decided to support only SHA-256 and SHA-512 to reduce the effort for clients in other languages. Support for other mechanisms like SHA-224 and SHA-384 can be added easily in the future if there is a requirement.