KIP-84 — Support SASL SCRAM mechanisms
Accepted Security
Adds SASL/SCRAM-SHA-256 and SASL/SCRAM-SHA-512 mechanisms to Kafka brokers and clients, storing hashed credentials in ZooKeeper and allowing dynamic credential rotation without broker restart. Kafka's existing SASL options (GSSAPI and PLAIN) required either a Kerberos infrastructure or storing plaintext passwords in JAAS config, leaving a gap for password-based auth without Kerberos.
Protocol Impact
Details
| Author | Rajini Sivaram |
| Status | Accepted |
| JIRA | KAFKA-3751 |
| Wiki | View on Apache Wiki |
| Created | 2016-10-04 |
| Last Modified | 2017-01-05 |
Explore how this KIP affects the Kafka protocol in the Protocol Explorer, or see the full KIP database.