KIP-1061 — Allow exporting SCRAM credentials
Discussion SecurityAdmin
KIP-1061 proposes adding a `--describe` export mode to `kafka-configs.sh` that outputs SCRAM credential fields (`salt`, `stored_key`, `server_key`) needed to replicate credentials to another cluster. KIP-554 stored SCRAM credentials in KRaft metadata but intentionally withheld these fields from the describe output; without them, migrating a cluster requires all users to reset their passwords in the new cluster.
Protocol Impact
Details
| Author | Gaurav Narula |
| Status | Discussion |
| JIRA | KAFKA-17063 |
| Wiki | View on Apache Wiki |
| Created | 2024-06-24 |
| Last Modified | 2024-07-02 |
Explore how this KIP affects the Kafka protocol in the Protocol Explorer, or see the full KIP database.