On Thu, Sep 26, 2019 at 2:16 PM Jun Rao <j...@confluent.io> wrote:

> [...]
> 100. It would be useful to think through how to support SASL scram in the
> new world. If the only broker listener is SASL scram, we need to bootstrap
> the scram credential in each broker before we can start the broker.
> Currently, this can be done by adding the scram credential in ZK first and
> then start the brokers. It's not clear how this works when the metadata
> service is part of the brokers.
> [...]

Without wishing to derail the discussion here, I wrote KIP-506 a while ago which raises some other issues with setting SCRAM credentials via the Admin interface, though I admit I overlooked the bootstrapping problem.

This makes me wonder whether trying to set SCRAM credentials via the Admin interface is the wrong approach. Perhaps a tool which could be run within the controller quorum (similar to the existing script) is the only way to provide equivalent security.

Cheers,

Tom