Federico Valeri created KAFKA-17636:
---------------------------------------
Summary: StorageTool does not write SCRAM credentials when
formatting disk
Key: KAFKA-17636
URL: https://issues.apache.org/jira/browse/KAFKA-17636
Project: Kafka
Issue Type: Bug
Affects Versions: 3.9.0
Reporter: Federico Valeri
When initializing a KRaft cluster with SCRAM inter-broker authentication, you
have to create user credentials using the StorageTool before starting the
brokers:
{code:bash}
bin/kafka-storage.sh format -c /opt/kafka/server3/config/server.properties -t a2FdMvicQUmCYojQZnNsIw \
  -S "SCRAM-SHA-512=[name=admin,password=changeit]"
{code}
This command should produce a similar metadata record in the metadata log (this
is taken from 3.8.0):
{code:java}
| offset: 3 CreateTime: 1727435366178 keySize: -1 valueSize: 171 sequence: -1 headerKeys: [] payload: {"type":"USER_SCRAM_CREDENTIAL_RECORD","version":0,"data":{"name":"admin","mechanism":2,"salt":"bmNvZHNpNm1yaWdzbTcycndlcWJtdnltag==","storedKey":"00pZjSfcztrhNNgbP7VDwb22L+s8ySG+NfkF5+5AiytOdD/9gm2L7xxLkPO54lpF/sAD0mwcIm3rGWKqiIWdkg==","serverKey":"kQL0eg4cauRtKIhUf5zXK/3lLJe7TMRwcybUja7J49t3NJ5aM/o7lVm7RNbsxzhKxYqEAmRX6wjMkD8T7H6rxw==","iterations":4096}}
{code}
Then, at start time, the brokers would load these user credentials and
authenticate against each other, or clients presenting the same credentials.
It looks like this metadata record is not written anymore by the tool, so the
authentication fails with invalid credentials because the user credentials
cache is empty.
AFAICS, the issue was introduced here:
[https://github.com/apache/kafka/commit/02f541d4ea51ee9034f92d249dde96bc70860e5e].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
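An added pre-flight check, not part of the report or of the Kafka project: it scans kafka-dump-log output of the freshly formatted metadata log for the user's USER_SCRAM_CREDENTIAL_RECORD and recomputes storedKey/serverKey from the configured password (RFC 5802 derivation, which is what Kafka's SCRAM support implements), so a missing or mismatching record is caught before the brokers are started. The dump-log lines and the salt are constructed samples; the audit() result strings are this example's own convention.

```python
import base64
import hashlib
import hmac
import json
import re

# Kafka's ScramMechanism enum values as they appear in the record's "mechanism" field.
MECHANISMS = {1: "sha256", 2: "sha512"}

def scram_keys(password: str, salt: bytes, iterations: int, digest: str = "sha512"):
    """RFC 5802 derivation: Hi() is PBKDF2 with dkLen equal to the hash size."""
    salted = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", digest).digest()
    stored_key = hashlib.new(digest, client_key).digest()        # StoredKey = H(ClientKey)
    server_key = hmac.new(salted, b"Server Key", digest).digest()
    return stored_key, server_key

def find_scram_records(dump_log_text: str):
    """Pull the data of every USER_SCRAM_CREDENTIAL_RECORD out of kafka-dump-log output."""
    recs = [json.loads(m.group(1)) for m in re.finditer(r"payload:\s*(\{.*\})", dump_log_text)]
    return [r["data"] for r in recs if r.get("type") == "USER_SCRAM_CREDENTIAL_RECORD"]

def check_credential(data: dict, password: str) -> bool:
    """Recompute storedKey/serverKey from the record's own salt and iterations and compare."""
    digest = MECHANISMS[data["mechanism"]]
    stored, server = scram_keys(password, base64.b64decode(data["salt"]), data["iterations"], digest)
    return (hmac.compare_digest(stored, base64.b64decode(data["storedKey"]))
            and hmac.compare_digest(server, base64.b64decode(data["serverKey"])))

def audit(dump_log_text: str, name: str, password: str) -> str:
    """'ok' if the user's record is present and matches, 'mismatch' if present but different, 'missing' if absent."""
    for data in find_scram_records(dump_log_text):
        if data["name"] == name:
            return "ok" if check_credential(data, password) else "mismatch"
    return "missing"

def make_record(name: str, password: str, salt: bytes, iterations: int = 4096, mechanism: int = 2) -> str:
    """Constructed stand-in for the record StorageTool should write (same field layout as the report's example)."""
    stored, server = scram_keys(password, salt, iterations, MECHANISMS[mechanism])
    data = {"name": name, "mechanism": mechanism, "salt": base64.b64encode(salt).decode(), "iterations": iterations,
            "storedKey": base64.b64encode(stored).decode(), "serverKey": base64.b64encode(server).decode()}
    return json.dumps({"type": "USER_SCRAM_CREDENTIAL_RECORD", "version": 0, "data": data})

# Constructed dump-log lines: a healthy log, and one showing the reported symptom (no SCRAM record at all).
PREFIX = "| offset: 3 CreateTime: 0 keySize: -1 valueSize: -1 sequence: -1 headerKeys: [] payload: "
GOOD_DUMP = PREFIX + make_record("admin", "changeit", b"constructed-salt-bytes")
EMPTY_DUMP = PREFIX + '{"type":"NOOP_RECORD","version":0,"data":{}}'
```

Feed it the real output of `bin/kafka-dump-log.sh --cluster-metadata-decoder --files <metadata log segment>` and the name/password passed to `-S`; a "missing" result is exactly the failure mode this report describes.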