On Tue, May 12, 2020, at 06:43, Tom Bentley wrote:
> Hi Colin,
>
> It's not clear whether users of the Java API would need to supply the salt
> and salted password directly, or whether the constructor of ScramCredential
> would take the password and perform the hashing itself.
>

Hi Tom,

The AdminClient should do the hashing, right? I don't see any advantage to
doing it externally. I do think we should support setting the salt
explicitly, but really only for testing purposes. Normally, it should be
randomized.

> I also wonder a little about consistency with the other APIs which have
> separate create/alter/delete methods. I imagine you considered exposing
> separate methods in the Java API, implementing them using the same RPC,
> but can you share your rationale?

I wanted this to match up with the command-line API, which doesn't
distinguish between create and alter.

best,
Colin

>
> Kind regards,
>
> Tom
>
> On Mon, May 11, 2020 at 6:48 AM Cheng Tan <c...@confluent.io> wrote:
>
> > Hi Colin,
> >
> >
> > If I understood correctly, in your design, listScramUsers will return the
> > mechanism and iteration. Let's use the field naming of RFC 5802 for this
> > discussion:
> >
> > SaltedPassword := Hi(Normalize(password), salt, i)
> > ClientKey := HMAC(SaltedPassword, "Client Key")
> > StoredKey := H(ClientKey)
> > AuthMessage := client-first-message-bare + "," +
> > server-first-message + "," +
> > client-final-message-without-proof
> > ClientSignature := HMAC(StoredKey, AuthMessage)
> > ClientProof := ClientKey XOR ClientSignature
> > ServerKey := HMAC(SaltedPassword, "Server Key")
> > ServerSignature := HMAC(ServerKey, AuthMessage)
> >
> > I think it's also safe and useful for listScramUsers to return salt and
> > ServerKey. The current practice of --describe with --zookeeper is returning
> > these two fields (KIP-84)
> >
> > bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type
> > users --entity-name alice
> > Configs for user-principal 'alice' are
> > SCRAM-SHA-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,
> > server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],SCRAM-SHA-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]
> >
> >
> > Please let me know what you think.
> >
> > Best,
> > - Cheng Tan
> >
> > > On Apr 30, 2020, at 11:16 PM, Colin McCabe <cmcc...@apache.org> wrote:
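The RFC 5802 derivation Cheng quotes, worked through in Python as an added example (not Kafka's code and not from anyone in the thread): it builds the salt/stored_key/server_key/iterations tuple a broker keeps, runs the client-proof and server-signature steps so neither side ever sends the password, and renders the result in the kafka-configs --describe layout quoted above. The salt, password and AuthMessage used in the checks are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac

HASH = "sha256"  # SCRAM-SHA-256; Kafka's SCRAM-SHA-512 would use "sha512"


def _salted_password(password, salt, iterations):
    # Hi(Normalize(password), salt, i) is PBKDF2 with HMAC-SHA as the PRF
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def scram_credential(password, salt, iterations):
    """What the broker keeps per user: salt, StoredKey, ServerKey, iterations.
    Neither the password nor SaltedPassword is stored."""
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "salt": salt,
        "stored_key": hashlib.new(HASH, client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", HASH).digest(),
        "iterations": iterations,
    }


def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def server_verify(cred, proof, auth_message):
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey,
    then return ServerSignature = HMAC(ServerKey, AuthMessage); None if the check fails."""
    client_sig = hmac.new(cred["stored_key"], auth_message, HASH).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.new(HASH, recovered).digest(), cred["stored_key"]):
        return None
    return hmac.new(cred["server_key"], auth_message, HASH).digest()


def describe_line(cred):
    """Render the credential in the kafka-configs --describe layout quoted above."""
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "SCRAM-SHA-256=[salt=%s,stored_key=%s,server_key=%s,iterations=%d]" % (
        b64(cred["salt"]), b64(cred["stored_key"]), b64(cred["server_key"]), cred["iterations"])
```

RFC 5802's security considerations point out that ServerKey lets its holder impersonate the server to that user, and that StoredKey together with one observed exchange yields ClientKey; anything that returns these fields therefore needs the same access control as the broker's own credential store.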