...

The current approach requires a deployment whenever the secret needs to be rotated. If we want rotation to be automated and more frequent, we can offload the responsibility for secret generation to the controller.

Details

1. Wire Protocol Extensions

2. Server-side Admin Request handlers

SCRAM Extensions:
SCRAM messages have an optional extensions field, which is a comma-separated list of key=value pairs.
Once KIP-84 is implemented, an extension will be added to the first client SCRAM message to indicate
that authentication is being requested for a delegation token. This will enable the Kafka broker to obtain
credentials and the principal using a different code path for delegation tokens.
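
The following is an added example, not code from the KIP or from Kafka: a minimal Python parser for the SCRAM client-first-message (RFC 5802 layout) that reads the extensions field and selects the credential lookup path, rejecting malformed or duplicate extensions. The extension name `tokenauth` and its values are assumptions, since the text above does not name the extension; the function names and sample messages are constructed for illustration.

```python
import re

# Assumption: the page does not name the extension; "tokenauth=true" is used here.
TOKEN_AUTH_EXT = "tokenauth"
RESERVED = set("nrmcsipvea")  # single-letter attributes already used by RFC 5802
EXT_RE = re.compile(r"([A-Za-z]+)=([\x21-\x2b\x2d-\x7e]+)")  # key=value, value has no ','


def unescape_saslname(name):
    # RFC 5802 sends ',' as '=2C' and '=' as '=3D'; any other '=' is malformed.
    if not name or re.search(r"=(?!2C|3D)", name):
        raise ValueError("bad username")
    return name.replace("=2C", ",").replace("=3D", "=")


def parse_client_first(msg):
    """Split 'gs2-cbind,authzid,n=user,r=nonce[,ext...]' into its fields."""
    parts = msg.split(",")
    if len(parts) < 4 or not parts[2].startswith("n=") or len(parts[3]) < 3 \
            or not parts[3].startswith("r="):
        raise ValueError("malformed client-first-message")
    extensions = {}
    for item in parts[4:]:
        m = EXT_RE.fullmatch(item)
        if not m or m.group(1) in RESERVED or m.group(1) in extensions:
            raise ValueError("bad or duplicate extension: %r" % item)
        extensions[m.group(1)] = m.group(2)
    return unescape_saslname(parts[2][2:]), parts[3][2:], extensions


def credential_source(msg):
    """Choose the credential lookup path; fail closed on an unexpected value."""
    username, _nonce, ext = parse_client_first(msg)
    flag = ext.get(TOKEN_AUTH_EXT, "false")
    if flag not in ("true", "false"):
        raise ValueError("invalid %s value" % TOKEN_AUTH_EXT)
    return ("delegation_token" if flag == "true" else "scram_user", username)


if __name__ == "__main__":
    # Constructed sample messages (nonces shortened for readability).
    for sample in ("n,,n=alice,r=fyko+d2lbbFgONRv9qkxdawL",
                   "n,,n=tokenID42,r=fyko+d2lbbFgONRv9qkxdawL,tokenauth=true"):
        print(credential_source(sample))
```

Because the flag travels in the first message, the broker knows which credential store to consult before it computes the server-first response; an unrecognised flag value is rejected rather than silently treated as ordinary SCRAM.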

3. DelegationToken Client

4. Command line tool

We will provide a CLI to acquire delegation tokens, renew tokens, and invalidate/expire tokens.

5. Changes to Java Clients (producer/consumer)

KIP-85 allows dynamic JAAS configuration for Kafka clients. With this we can easily configure the
delegation token for SCRAM-SHA-256 authentication.

Example Usage

Alternatives

Originally we considered not having any shared secret at the config level. This required us to choose one of the 3 options:

...