create scram users thru kafka-storage command

confluentinc · Oct 31, 2023 · dbb4370 · dbb4370
1 parent 3baebe7
commit dbb4370
Showing 1 changed file with 52 additions and 0 deletions.
diff --git a/roles/kafka_broker/tasks/main.yml b/roles/kafka_broker/tasks/main.yml
@@ -391,6 +391,7 @@
   run_once: true
   when:
     - "'SCRAM-SHA-512' in kafka_broker_sasl_enabled_mechanisms"
+    - not kraft_enabled
   no_log: "{{mask_secrets|bool}}"
 
 # Only supported when zookeeper is enabled
@@ -405,8 +406,59 @@
   run_once: true
   when:
     - "'SCRAM-SHA-256' in kafka_broker_sasl_enabled_mechanisms"
+    - not kraft_enabled
   no_log: "{{ mask_sensitive_logs|bool }}"
 
+# Only supported when kafka-controller (KRaft) is enabled
+- name: Create SCRAM Users
+  run_once: true
+  delegate_to: "{{ groups.kafka_controller[0] }}"
+  when:
+    - "'SCRAM-SHA-512' in kafka_broker_sasl_enabled_mechanisms"
+    - kraft_enabled
+  block:
+    - name: Extract ClusterId from meta.properties on KRaft Controller
+      slurp:
+        src: "{{ kafka_controller_final_properties['log.dirs'] }}/meta.properties"
+      register: uuid_broker
+
+    - name: Call controller
+      shell: |
+        {{ binary_base_path }}/bin/kafka-storage format \
+          --config {{ kafka_controller.config_file }} \
+          --cluster-id {{ clusterid }} \
+          --ignore-formatted \
+          --add-scram 'SCRAM-SHA-512=[name="{{ item.value['principal'] }}",password="{{ item.value['password'] }}"]'
+      vars:
+        clusterid: "{{ (uuid_broker['content'] | b64decode).partition('cluster.id=')[2].partition('\n')[0] }}"
+      loop: "{{ sasl_scram_users_final|dict2items }}"
+      no_log: "{{mask_secrets|bool}}"
+
+# Only supported when kafka-controller (KRaft) is enabled
+- name: Create SCRAM 256 Users
+  run_once: true
+  delegate_to: "{{ groups.kafka_controller[0] }}"
+  when:
+    - "'SCRAM-SHA-256' in kafka_broker_sasl_enabled_mechanisms"
+    - kraft_enabled
+  block:
+    - name: Extract ClusterId from meta.properties on KRaft Controller
+      slurp:
+        src: "{{ kafka_controller_final_properties['log.dirs'] }}/meta.properties"
+      register: uuid_broker
+
+    - name: Call controller
+      shell: |
+        {{ binary_base_path }}/bin/kafka-storage format \
+          --config {{ kafka_controller.config_file }} \
+          --cluster-id {{ clusterid }} \
+          --ignore-formatted \
+          --add-scram 'SCRAM-SHA-256=[name="{{ item.value['principal'] }}",password="{{ item.value['password'] }}"]'
+      vars:
+        clusterid: "{{ (uuid_broker['content'] | b64decode).partition('cluster.id=')[2].partition('\n')[0] }}"
+      loop: "{{ sasl_scram_users_final|dict2items }}"
+      no_log: "{{mask_secrets|bool}}"
+
 - name: Deploy JMX Exporter Config File
   template:
     src: "{{kafka_broker_jmxexporter_config_source_path}}"