[
https://issues.apache.org/jira/browse/KAFKA-17636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Arthur reassigned KAFKA-17636:
------------------------------------
Assignee: David Arthur
> The StorageTool does not create SCRAM credentials when formatting disk
> ----------------------------------------------------------------------
>
> Key: KAFKA-17636
> URL: https://issues.apache.org/jira/browse/KAFKA-17636
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 3.9.0
> Reporter: Federico Valeri
> Assignee: David Arthur
> Priority: Blocker
>
> When initializing a KRaft cluster with SCRAM inter-broker authentication, you
> have to create user credentials using the StorageTool before starting the
> brokers:
> {code:java}
> bin/kafka-storage.sh format -c /opt/kafka/server3/config/server.properties \
> -t a2FdMvicQUmCYojQZnNsIw \
> -S "SCRAM-SHA-512=[name=admin,password=changeit]"
> {code}
> This command should produce the following record in the metadata log:
> {code:java}
> | offset: 3 CreateTime: 1727435366178 keySize: -1 valueSize: 171 sequence: -1
> headerKeys: [] payload:
> {"type":"USER_SCRAM_CREDENTIAL_RECORD","version":0,"data":{"name":"admin","mechanism":2,"salt":"bmNvZHNpNm1yaWdzbTcycndlcWJtdnltag==","storedKey":"00pZjSfcztrhNNgbP7VDwb22L+s8ySG+NfkF5+5AiytOdD/9gm2L7xxLkPO54lpF/sAD0mwcIm3rGWKqiIWdkg==","serverKey":"kQL0eg4cauRtKIhUf5zXK/3lLJe7TMRwcybUja7J49t3NJ5aM/o7lVm7RNbsxzhKxYqEAmRX6wjMkD8T7H6rxw==","iterations":4096}}
> {code}
> Then, at start time, the brokers would load these user credentials from
> metadata, and authenticate against each other, or clients presenting the same
> credentials.
> It looks like this metadata record is not written anymore by the tool, so the
> authentication fails with invalid credentials because the user credentials
> cache is empty.
> AFAICS, the issue was introduced here:
> [https://github.com/apache/kafka/commit/02f541d4ea51ee9034f92d249dde96bc70860e5e].
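Added example (not part of the Jira issue or of Kafka's code): a check that a decoded metadata-log dump, in the format quoted above, contains a USER_SCRAM_CREDENTIAL_RECORD for a user and that its storedKey and serverKey match the expected password per RFC 5802. The function names and the sample dump are constructed for illustration, and the dump is assumed to hold one record per line.

```python
import base64, hashlib, hmac, json

# Kafka's mechanism byte in the record: 1 = SCRAM-SHA-256, 2 = SCRAM-SHA-512.
HASHES = {1: "sha256", 2: "sha512"}

def derive_keys(password, salt, iterations, mechanism):
    """RFC 5802 StoredKey and ServerKey (ASCII password assumed, no SASLprep)."""
    h = HASHES[mechanism]
    salted = hashlib.pbkdf2_hmac(h, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    server_key = hmac.new(salted, b"Server Key", h).digest()
    return hashlib.new(h, client_key).digest(), server_key

def scram_records(dump_text):
    """Yield the data of every USER_SCRAM_CREDENTIAL_RECORD in a decoded dump."""
    for line in dump_text.splitlines():
        _, found, payload = line.partition("payload:")
        try:
            rec = json.loads(payload) if found else None
        except json.JSONDecodeError:
            continue  # payload is not JSON, skip the line
        if isinstance(rec, dict) and rec.get("type") == "USER_SCRAM_CREDENTIAL_RECORD":
            yield rec["data"]

def check_user(dump_text, user, password):
    """Return 'missing' (the failure reported here), 'mismatch', or 'ok'."""
    status = "missing"
    for d in scram_records(dump_text):
        if d["name"] != user or d["mechanism"] not in HASHES:
            continue
        stored, server = derive_keys(password, base64.b64decode(d["salt"]),
                                     d["iterations"], d["mechanism"])
        if (hmac.compare_digest(stored, base64.b64decode(d["storedKey"])) and
                hmac.compare_digest(server, base64.b64decode(d["serverKey"]))):
            return "ok"
        status = "mismatch"
    return status

def constructed_dump(user, password, salt=b"constructed-salt", iterations=4096):
    """Build a sample dump (constructed here, not real Kafka output)."""
    stored, server = derive_keys(password, salt, iterations, 2)
    b64 = lambda b: base64.b64encode(b).decode()
    data = {"name": user, "mechanism": 2, "salt": b64(salt), "storedKey": b64(stored),
            "serverKey": b64(server), "iterations": iterations}
    rec = {"type": "USER_SCRAM_CREDENTIAL_RECORD", "version": 0, "data": data}
    head = "| offset: 3 CreateTime: 0 keySize: -1 valueSize: 171 payload: "
    other = '| offset: 1 CreateTime: 0 payload: {"type":"FEATURE_LEVEL_RECORD","version":0,"data":{}}'
    return "\n".join([other, head + json.dumps(rec)])
```

A result of `missing` right after formatting corresponds to the empty credentials cache described in the issue; `mismatch` means a record exists but was derived from a different password.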