Hi Cheng,

Good point. I updated the KIP to include the same information that is currently returned.

best,
Colin

On Sun, May 10, 2020, at 22:40, Cheng Tan wrote:
> Hi Colin,
>
> If I understood correctly, in your design, listScramUsers will return the mechanism and iteration. Let’s use the field naming of RFC 5802 for this discussion:
>
> SaltedPassword := Hi(Normalize(password), salt, i)
> ClientKey := HMAC(SaltedPassword, "Client Key")
> StoredKey := H(ClientKey)
> AuthMessage := client-first-message-bare + "," +
>                server-first-message + "," +
>                client-final-message-without-proof
> ClientSignature := HMAC(StoredKey, AuthMessage)
> ClientProof := ClientKey XOR ClientSignature
> ServerKey := HMAC(SaltedPassword, "Server Key")
> ServerSignature := HMAC(ServerKey, AuthMessage)
>
> I think it’s also safe and useful for listScramUsers to return salt and ServerKey. The current practice of --describe with --zookeeper is returning these two fields (KIP-84):
>
> bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type users --entity-name alice
> Configs for user-principal 'alice' are SCRAM-SHA-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],SCRAM-SHA-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]
>
> Please let me know what you think.
>
> Best, - Cheng Tan
>
> On Apr 30, 2020, at 11:16 PM, Colin McCabe <cmcc...@apache.org> wrote:
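As an added example (not from this thread or from Kafka's own code), here is the RFC 5802 derivation quoted above in Python, showing that the fields in the kafka-configs output (salt, stored_key, server_key, iterations) are exactly what a server needs to verify a ClientProof and emit a ServerSignature without ever holding the password. Assumptions: Hi() is PBKDF2 with the mechanism's hash, SASLprep normalization is skipped in favour of plain UTF-8, and the user, password, salt and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

HASH = "sha256"  # SCRAM-SHA-256; use "sha512" for SCRAM-SHA-512


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_record(password: str, salt: bytes, iterations: int) -> dict:
    """Derive the per-user fields shown by kafka-configs --describe, in RFC 5802 terms.
    Hi() is PBKDF2; SASLprep is skipped (assumption: plain UTF-8 password bytes)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "salt": base64.b64encode(salt).decode(),
        "stored_key": base64.b64encode(hashlib.new(HASH, client_key).digest()).decode(),
        "server_key": base64.b64encode(hmac.new(salted, b"Server Key", HASH).digest()).decode(),
        "iterations": iterations,
    }


def client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side: needs the password plus the salt/iterations sent in server-first-message."""
    salt = base64.b64decode(record["salt"])
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, record["iterations"])
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    return xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())  # ClientKey XOR ClientSignature


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    """Server side: with only the stored record, recover ClientKey = ClientProof XOR ClientSignature,
    accept iff H(ClientKey) == StoredKey, and return ServerSignature = HMAC(ServerKey, AuthMessage)."""
    stored_key = base64.b64decode(record["stored_key"])
    client_key = xor(proof, hmac.new(stored_key, auth_message, HASH).digest())
    if not hmac.compare_digest(hashlib.new(HASH, client_key).digest(), stored_key):
        return None
    return hmac.new(base64.b64decode(record["server_key"]), auth_message, HASH).digest()


# Constructed sample: user 'alice', password 'pencil', random 16-byte salt, 4096 iterations.
RECORD = scram_record("pencil", secrets.token_bytes(16), 4096)
# Constructed AuthMessage (client-first-bare, server-first, client-final-without-proof); nonces are placeholders.
AUTH_MESSAGE = (b"n=alice,r=cnonce,r=cnoncesnonce,s=" + RECORD["salt"].encode()
                + b",i=4096,c=biws,r=cnoncesnonce")

if __name__ == "__main__":
    sig = server_verify(RECORD, AUTH_MESSAGE, client_proof("pencil", RECORD, AUTH_MESSAGE))
    print("accepted:", sig is not None)
```

The record does not reveal the password, but RFC 5802 section 9 notes that StoredKey together with one observed exchange suffices to impersonate that client, so listScramUsers output deserves the same access control as the broker's credential store.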