...
- Name: password.encoder.secret Type: Password
- Name: password.encoder.old.secret Type: Password (only used when password.encoder.secret is rotated)
- Name: password.encoder.keyfactory.algorithm Type: String Default: PBKDF2WithHmacSHA512 if available, otherwise PBKDF2WithHmacSHA1 (e.g. Java7)
- Name: password.encoder.cipher.algorithm Type: String Default: AES/CBC/PKCS5Padding
- Name: password.encoder.key.length Type: Integer Default: 128
- Name: password.encoder.iterations Type: Integer Default: ~~2048~~ 4096
The secret will not be dynamically configurable and hence will never be stored in ZooKeeper. All the dynamic password configs are per-broker configs and hence there is no requirement to maintain the same secret across all brokers. To change password.encoder.secret, each broker must be restarted with an updated server.properties that contains the new secret in the config password.encoder.secret as well as the old secret in the config password.encoder.old.secret. The broker will decode all passwords in ZooKeeper using password.encoder.old.secret and update the values in ZooKeeper after re-encoding using password.encoder.secret.
The config password.encoder.old.secret will be used only if the passwords in ZooKeeper are encoded using the old value and will be ignored otherwise.
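The rotation step described above, as an added example (not Kafka's code and not part of the original page), using the default key factory algorithm, cipher, key length and iteration count from the list. Assumptions of this sketch: the salt:iv:ciphertext:tag storage layout, the HMAC tag that decides which secret a stored value was encoded with (CBC padding alone is not a reliable wrong-key check), and all class, method and sample names.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;

public class EncoderSecretRotation {
    // Defaults from the list above; the salt:iv:ciphertext:tag layout and the HMAC are assumptions of this sketch.
    static final String KDF = "PBKDF2WithHmacSHA512", CIPHER = "AES/CBC/PKCS5Padding";
    static final int KEY_BITS = 128, ITERATIONS = 4096;
    static byte[] rand16() { byte[] b = new byte[16]; new SecureRandom().nextBytes(b); return b; }
    static byte[] derive(String secret, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, ITERATIONS, 2 * KEY_BITS); // AES key, then HMAC key
        return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
    }
    static byte[] crypt(int mode, byte[] k, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(mode, new SecretKeySpec(k, 0, KEY_BITS / 8, "AES"), new IvParameterSpec(iv));
        return c.doFinal(in);
    }
    static byte[] tag(byte[] k, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(k, KEY_BITS / 8, KEY_BITS / 8, "HmacSHA256"));
        m.update(iv);
        return m.doFinal(ct);
    }
    static String encode(String secret, String password) throws GeneralSecurityException {
        byte[] salt = rand16(), iv = rand16(), k = derive(secret, salt);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, k, iv, password.getBytes(UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        return String.join(":", e.encodeToString(salt), e.encodeToString(iv), e.encodeToString(ct), e.encodeToString(tag(k, iv, ct)));
    }
    static String decode(String secret, String stored) throws GeneralSecurityException {
        String[] p = stored.split(":");
        Base64.Decoder d = Base64.getDecoder();
        byte[] iv = d.decode(p[1]), ct = d.decode(p[2]), k = derive(secret, d.decode(p[0]));
        if (!MessageDigest.isEqual(tag(k, iv, ct), d.decode(p[3]))) return null; // not encoded with this secret
        return new String(crypt(Cipher.DECRYPT_MODE, k, iv, ct), UTF_8);
    }
    static String rotate(String stored, String secret, String oldSecret) throws GeneralSecurityException {
        if (decode(secret, stored) != null) return stored;   // current secret matches: old secret is ignored
        String plain = decode(oldSecret, stored);
        if (plain == null) throw new GeneralSecurityException("neither secret decodes the stored value");
        return encode(secret, plain);                        // value to write back to ZooKeeper
    }
    public static void main(String[] args) throws Exception {
        String v = rotate(encode("old-secret", "keystore-pass"), "new-secret", "old-secret"); // constructed values
        System.out.println(decode("new-secret", v) + " " + rotate(v, "new-secret", "old-secret").equals(v));
    }
}
```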
...