[ https://issues.apache.org/jira/browse/KAFKA-17636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Federico Valeri updated KAFKA-17636:
------------------------------------
    Summary: The StorageTool does not write SCRAM credentials when formatting disk  (was: StorageTool does not write SCRAM credentials when formatting disk)

> The StorageTool does not write SCRAM credentials when formatting disk
> ---------------------------------------------------------------------
>
>                 Key: KAFKA-17636
>                 URL: https://issues.apache.org/jira/browse/KAFKA-17636
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.9.0
>            Reporter: Federico Valeri
>            Priority: Blocker
>
> When initializing a KRaft cluster with SCRAM inter-broker authentication, you
> have to create user credentials using the StorageTool before starting the
> brokers:
> {code:java}
> bin/kafka-storage.sh format -c /opt/kafka/server3/config/server.properties -t a2FdMvicQUmCYojQZnNsIw \
>   -S "SCRAM-SHA-512=[name=admin,password=changeit]"
> {code}
> This command should produce a similar metadata record in the metadata log
> (this is taken from 3.8.0):
> {code:java}
> | offset: 3 CreateTime: 1727435366178 keySize: -1 valueSize: 171 sequence: -1 headerKeys: [] payload:
> {"type":"USER_SCRAM_CREDENTIAL_RECORD","version":0,"data":{"name":"admin","mechanism":2,"salt":"bmNvZHNpNm1yaWdzbTcycndlcWJtdnltag==","storedKey":"00pZjSfcztrhNNgbP7VDwb22L+s8ySG+NfkF5+5AiytOdD/9gm2L7xxLkPO54lpF/sAD0mwcIm3rGWKqiIWdkg==","serverKey":"kQL0eg4cauRtKIhUf5zXK/3lLJe7TMRwcybUja7J49t3NJ5aM/o7lVm7RNbsxzhKxYqEAmRX6wjMkD8T7H6rxw==","iterations":4096}}
> {code}
> Then, at start time, the brokers would load these user credentials and
> authenticate against each other, or clients presenting the same credentials.
> It looks like this metadata record is not written anymore by the tool, so the
> authentication fails with invalid credentials because the user credentials
> cache is empty.
> AFAICS, the issue was introduced here:
> [https://github.com/apache/kafka/commit/02f541d4ea51ee9034f92d249dde96bc70860e5e].
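A post-format check for the symptom reported above, as an added example that is not part of the Jira issue or of Kafka's code: it scans decoded metadata-log output (for instance from `kafka-dump-log.sh` with `--cluster-metadata-decoder`) for the bootstrap user's `USER_SCRAM_CREDENTIAL_RECORD` and recomputes `storedKey` and `serverKey` per RFC 5802. The function names, the sample dump line, the salt and the password are constructed for illustration, and an ASCII password is assumed (no SASLprep).

```python
import base64, hashlib, hmac, json

MECHANISMS = {1: "sha256", 2: "sha512"}  # Kafka ScramMechanism ids (2 = SCRAM-SHA-512)

def derive_keys(password, salt, iterations, digest):
    """RFC 5802 StoredKey and ServerKey (ASCII password assumed, no SASLprep)."""
    salted = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", digest).digest()
    stored_key = hashlib.new(digest, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", digest).digest()
    return stored_key, server_key

def scram_records(dump_text):
    """Yield the data of every USER_SCRAM_CREDENTIAL_RECORD in the dump output."""
    for line in dump_text.splitlines():
        start = line.find('{"type"')
        if start < 0:
            continue
        record = json.loads(line[start:])
        if record["type"] == "USER_SCRAM_CREDENTIAL_RECORD":
            yield record["data"]

def check_bootstrap_user(dump_text, user, password):
    """Return 'missing', 'mismatch' or 'ok' for the expected bootstrap user."""
    for data in scram_records(dump_text):
        if data["name"] != user:
            continue
        digest = MECHANISMS[data["mechanism"]]
        stored, server = derive_keys(password, base64.b64decode(data["salt"]),
                                     data["iterations"], digest)
        ok = (hmac.compare_digest(stored, base64.b64decode(data["storedKey"]))
              and hmac.compare_digest(server, base64.b64decode(data["serverKey"])))
        return "ok" if ok else "mismatch"
    return "missing"  # the state described in the issue: no record was written

def make_sample_dump(user, password):
    """Constructed dump line for the demo, not real broker output."""
    salt, iterations = b"constructed-salt", 4096
    stored, server = derive_keys(password, salt, iterations, "sha512")
    data = {"name": user, "mechanism": 2,
            "salt": base64.b64encode(salt).decode(),
            "storedKey": base64.b64encode(stored).decode(),
            "serverKey": base64.b64encode(server).decode(),
            "iterations": iterations}
    payload = json.dumps({"type": "USER_SCRAM_CREDENTIAL_RECORD",
                          "version": 0, "data": data}, separators=(",", ":"))
    return "| offset: 3 CreateTime: 0 keySize: -1 valueSize: 171 payload: " + payload

if __name__ == "__main__":
    print(check_bootstrap_user(make_sample_dump("admin", "example-password"),
                               "admin", "example-password"))
```

A result of `missing` right after `kafka-storage.sh format -S ...` matches the failure described in the issue; `mismatch` means a record exists but was derived from a different password.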