KIP-395 — Encrypt-then-MAC Delegation token metadata
Discussion Security
Proposes switching delegation token metadata serialization to use Encrypt-then-MAC (AES-CBC + HMAC) rather than storing plaintext token metadata in ZooKeeper. Delegation token metadata stored in ZooKeeper is readable by anyone with ZooKeeper access; an authenticated encryption scheme ensures confidentiality and integrity of token information at rest.
Details
| Author | Attila Sasvári |
| Status | Discussion |
| JIRA | KAFKA-7691 |
| Wiki | View on Apache Wiki |
| Created | 2018-11-29 |
| Last Modified | 2018-12-03 |