Re: [DISCUSS] KIP-395: Encypt-then-MAC Delegation token metadata

2019-01-07 Thread Attila Sasvári
Manikumar, Satish.
Thanks for the review! As I understand, you are not in favor of this KIP, and I do agree that having a pluggable mechanism for sensitive data / metadata is preferable/more future-proof.
On Wed, Dec 12, 2018 at 8:12 AM Satish Duggana wrote:
> Agree with Manikumar on having plug

Re: [DISCUSS] KIP-395: Encypt-then-MAC Delegation token metadata

2018-12-11 Thread Satish Duggana
Agree with Manikumar on having pluggable mechanism for entities required/created for delegation token mechanism. I will cover that as part of KAFKA-7694.
Thanks,
Satish.
On Tue, Dec 11, 2018 at 12:35 PM Manikumar wrote:
>
> Hi,
>
> Thanks for the KIP.
>
> Currently, master/secret key is stored as

Re: [DISCUSS] KIP-395: Encypt-then-MAC Delegation token metadata

2018-12-10 Thread Manikumar
Hi,
Thanks for the KIP.
Currently, master/secret key is stored as plain text in server.properties config file. Using master secret key as shared secret is again a security risk. We have raised KAFKA-7694 to implement a ZooKeeper based master/secret key management to automate secret key rotation.