Page history: version 2

Status

Current state: "Under Discussion"

Discussion thread

JIRA

Motivation

KIP-226, which introduced dynamic broker configuration, specified that this configuration data be stored in ZooKeeper. It also established an encryption mechanism for secret values such as passwords, keyed by a per-broker password.encoder.secret, so that only ciphertext reaches ZooKeeper. We would like the same level of protection for secret data in the post-ZooKeeper world of KRaft, where this configuration lives in the metadata log instead.

Overview

This KIP introduces the concept of a metadata encryptor. Each encryptor is identified by a unique 16-byte UUID.

While a node can have any number of encryptors configured, only one encryptor is active at once. Configuration records that contain secret data (such as passwords) are encrypted using the currently active encryptor.
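The following is an added worked example, not code from this KIP or from Kafka, of the lifecycle described above: a node holds several encryptors keyed by their 16-byte UUID, at most one is active, and each encrypted config record carries the UUID of the encryptor that produced it, so records written before a rotation stay readable until they are re-encrypted under the new active encryptor. The cipher (AES-256-GCM), the record layout (encryptor id, nonce, ciphertext with tag), the binding of the config name as associated data, the Keystore and Encryptor names, and the config name ssl.keystore.password used as constructed sample input are all assumptions of the example; this draft of the KIP specifies none of them. It is written in Go as a self-contained runnable illustration rather than in Kafka's Java.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptorID is the 16-byte UUID that names one encryptor.
type EncryptorID [16]byte

// Encryptor is one configured key; AES-256-GCM is this example's own choice.
type Encryptor struct {
	ID   EncryptorID
	aead cipher.AEAD
}

// NewEncryptor wraps a fresh random 256-bit key under the given id.
func NewEncryptor(id EncryptorID) *Encryptor {
	key := make([]byte, 32)
	rand.Read(key)                  // crypto/rand never returns an error
	block, _ := aes.NewCipher(key)  // a 32-byte key is always valid
	aead, _ := cipher.NewGCM(block) // AES block size matches GCM
	return &Encryptor{ID: id, aead: aead}
}

// EncryptedConfig is the assumed record layout: producing encryptor, nonce, ciphertext+tag.
type EncryptedConfig struct {
	Encryptor  EncryptorID
	Nonce      []byte
	Ciphertext []byte
}

// Keystore holds a node's configured encryptors; at most one is active.
type Keystore struct {
	encryptors map[EncryptorID]*Encryptor
	active     *EncryptorID
}

// Add configures an encryptor ("create encryptor record") without activating it.
func (k *Keystore) Add(e *Encryptor) error {
	if _, dup := k.encryptors[e.ID]; dup {
		return fmt.Errorf("encryptor %x already configured", e.ID)
	}
	k.encryptors[e.ID] = e
	return nil
}

// Activate selects the encryptor used for every new record.
func (k *Keystore) Activate(id EncryptorID) error {
	if _, ok := k.encryptors[id]; !ok {
		return fmt.Errorf("encryptor %x is not configured", id)
	}
	k.active = &id
	return nil
}

// Remove drops an encryptor ("delete encryptor record"); the active one is refused.
// Records still referencing a removed encryptor become unreadable: re-encrypt them first.
func (k *Keystore) Remove(id EncryptorID) error {
	if k.active != nil && *k.active == id {
		return fmt.Errorf("cannot remove the active encryptor %x", id)
	}
	delete(k.encryptors, id)
	return nil
}

// Encrypt seals a secret under the active encryptor, binding the config name as
// associated data so a ciphertext cannot be transplanted onto another config key.
func (k *Keystore) Encrypt(name string, secret []byte) (EncryptedConfig, error) {
	if k.active == nil {
		return EncryptedConfig{}, fmt.Errorf("no active encryptor")
	}
	e := k.encryptors[*k.active]
	nonce := make([]byte, e.aead.NonceSize())
	rand.Read(nonce) // fresh 96-bit nonce per record; never reused with the same key
	ct := e.aead.Seal(nil, nonce, secret, []byte(name))
	return EncryptedConfig{Encryptor: e.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt uses the encryptor named in the record, not the active one, so records
// written before a rotation stay readable while their encryptor is still configured.
func (k *Keystore) Decrypt(name string, rec EncryptedConfig) ([]byte, error) {
	e, ok := k.encryptors[rec.Encryptor]
	if !ok {
		return nil, fmt.Errorf("record references unknown encryptor %x", rec.Encryptor)
	}
	return e.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(name))
}

func main() {
	ks := &Keystore{encryptors: map[EncryptorID]*Encryptor{}}
	old, next := NewEncryptor(EncryptorID{1}), NewEncryptor(EncryptorID{2})
	ks.Add(old)
	ks.Activate(old.ID)
	rec, _ := ks.Encrypt("ssl.keystore.password", []byte("hunter2")) // constructed sample
	ks.Add(next)
	ks.Activate(next.ID) // rotation: new records use next; rec still decrypts via old
	fmt.Println(ks.Decrypt("ssl.keystore.password", rec))
}
```

Two consequences of the design that the example makes concrete: deleting an encryptor that existing records still reference makes those records unreadable, so a delete has to be preceded by re-encrypting them under the active encryptor; and because the config name is bound as associated data, an encrypted password cannot be copied from one config key to another without failing authentication on decrypt.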



Public Interfaces

create encryptor record

delete encryptor record

encrypted config record

default encryptor

(how to add new encryptor)

Compatibility, Deprecation, and Migration Plan

Rejected Alternatives
