Current state: DISCUSS
Discussion thread:
JIRA:
POC: WIP PR
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Currently there are a couple of options for passing passwords, such as SSL passwords, to Kafka: via a properties file or via a command-line argument. Neither of these is a recommended security practice.
Introduce a new config, executable.password.enable, for controlling password retrieval. By default, values of password configs, such as ssl.key.password, ssl.keystore.password, etc., will be taken as plaintext passwords. However, when executable.password.enable is set, values of password configs will be executed to retrieve the actual passwords.
When executable.password.enable is set, a password value can be an executable path followed by arguments, delimited by ' '. For instance, "echo test-password" will take test-password as the password.
The proposal includes a new configuration, executable.password.enable, which will be set to False by default.
When executable.password.enable is set, values of password configs will be executed to retrieve the actual passwords for those configs. If the specified executable dies, is not an executable, or does not exist, the Kafka server or Kafka client will exit with a ConfigException.
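The resolution behaviour described above, sketched as an added example (not the KIP's POC or Kafka code). The class and method names and the local ConfigException stand-in are hypothetical; it assumes Java 9+ and a POSIX echo on the PATH.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration: class, method and exception are hypothetical, not Kafka code.
public class ExecutablePasswordExample {
    // Local stand-in for Kafka's ConfigException so the file compiles on its own.
    static class ConfigException extends RuntimeException { ConfigException(String m) { super(m); } }

    static String resolve(String key, String value, boolean executableEnabled) {
        if (!executableEnabled) {
            return value; // default: the configured value is the plaintext password
        }
        // Split on ' ' as the proposal describes; an argument cannot contain a space.
        String[] argv = value.trim().split(" +");
        try {
            // argv is passed to exec directly, with no shell, so characters such as
            // ';' or '$(...)' in the value are plain argument text.
            Process p = new ProcessBuilder(Arrays.asList(argv))
                    .redirectError(ProcessBuilder.Redirect.DISCARD)
                    .start();
            p.getOutputStream().close(); // the helper gets no stdin
            String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
            int exit = p.waitFor();
            if (exit != 0) {
                // Name the config key only: never the command line or its output.
                throw new ConfigException("Executable for " + key + " exited with status " + exit);
            }
            return out.replaceFirst("\\r?\\n$", ""); // drop the single trailing newline
        } catch (IOException e) { // missing file, not executable, or unreadable output
            throw new ConfigException("Cannot run executable for " + key);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ConfigException("Interrupted while resolving " + key);
        }
    }

    public static void main(String[] args) {
        String value = "echo test-password"; // constructed sample, taken from the proposal text
        System.out.println(resolve("ssl.key.password", value, false)); // disabled: returned unchanged
        System.out.println(resolve("ssl.key.password", value, true));  // enabled: stdout of the command
        try {
            resolve("ssl.key.password", "/nonexistent/helper arg", true); // constructed bad path
        } catch (ConfigException e) {
            System.out.println("ConfigException: " + e.getMessage());
        }
    }
}
```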
The proposed change is backwards compatible.
The following system tests will be added.
executable.password.enable set.
executable.password.enable set to false.
executable.password.enable set to true.
Hadoop implemented something called the CredentialProvider specifically for the purpose of encrypting passwords. See HADOOP-10607. This functionality is now supported by other projects, including Hive, HBase, etc.
The approach creates a new generator config for each of the password-related configs, such as ssl.key.password.generator for the ssl.key.password config. When a password config is not set, check for the password.generator config for that config and execute its value to get the password.
This allows a subset of password configs to use executables for their passwords, while others use plaintext passwords. However, this approach is rejected for the following reasons.