kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Manikumar <manikumar.re...@gmail.com>
Subject Re: [DISCUSS] KIP-395: Encypt-then-MAC Delegation token metadata
Date Tue, 11 Dec 2018 07:04:51 GMT

Thanks for the KIP.

Currently, master/secret key is stored as plain text in server.properties
config file.
Using master secret key as shared secret is again a security risk. We have
raised KAFKA-7694
to implement a ZooKeeper based master/secret key management to automate
secret key rotation.

As you mentioned in the alternatives sections, it is good to have pluggable
mechanism for
token storage and master key generation. We can implement pluggable
interfaces for token storage
and master key generation as part of KAFKA-7694. This will provide us out
of the box implementation
using ZooKeeper and pluggable interfaces for custom implementations.

What do you think?


On Sat, Dec 1, 2018 at 9:37 PM Attila Sasvári <asasvari@apache.org> wrote:

> Hi All,
> I have a proposal to allow Kafka brokers to encrypt sensitive metadata
> information about delegation tokens.
> As of now, delegation token metadata is stored in an unencrypted format in
> Zookeeper. Having the possibility to encrypt-then-MAC token information
> would be beneficial in Kafka installations where Zookeeper is not on a
> private network.
> Please take a look at
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-395%3A+Encypt-then-MAC+Delegation+token+metadata
> and let me know what you think.
> - Attila

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message